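---
# Adjust an existing ipt-firewall installation:
#   1. pull the firewall git repository,
#   2. patch single variables in /etc/ipt-firewall/main_ipv4.conf,
#      /etc/ipt-firewall/main_ipv6.conf and /etc/munin/munin-node.conf,
#   3. insert configuration blocks that older main_ipv{4,6}.conf files lack,
#   4. refresh the shipped configuration files and firewall scripts.
#
# The handlers "Restart IPv4 Firewall", "Restart IPv6 Firewall" and
# "Restart Munin Node" are defined elsewhere in the role.

# ---
# Install/Update git firewall repository
# ---

- name: Install/update firewall repository
  git:
    repo: '{{ git_firewall_repository.repo }}'
    dest: '{{ git_firewall_repository.dest }}'
  # NOTE(review): no 'version' is given, so the checkout follows the remote
  # default branch; pin a tag or commit if reproducible deployments matter.
  when: git_firewall_repository is defined and git_firewall_repository|length > 0

# ---
# Some Checks
# ---
#
# Each register name must match the file it describes; every 'when' below
# relies on main_ipv4_exists / main_ipv6_exists pointing at the right file.

- name: Check if file '/etc/ipt-firewall/main_ipv4.conf' exists
  stat:
    path: /etc/ipt-firewall/main_ipv4.conf
  register: main_ipv4_exists

- name: Check if file '/etc/ipt-firewall/main_ipv6.conf' exists
  stat:
    path: /etc/ipt-firewall/main_ipv6.conf
  register: main_ipv6_exists

- name: Check if file '/etc/munin/munin-node.conf' exists
  stat:
    path: /etc/munin/munin-node.conf
  register: munin_node_exists

# ---
# Adjust/Correct some values..
# ---
#
# lineinfile replaces the first line matching 'regexp'; when no line matches,
# the new line is appended at the end of the file.
#
# NOTE(review): only the munin-related tasks notify a restart; the other
# firewall variable edits take effect at the next firewall restart — confirm
# this is intended.

- name: Adjust line 'munin_remote_ip' (IPv4)
  lineinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    regexp: '^munin_remote_ip='
    line: 'munin_remote_ip="{{ munin_remote_ipv4 }}"'
  when:
    - main_ipv4_exists.stat.exists
  notify:
    - Restart IPv4 Firewall

- name: Adjust line 'munin_remote_ip' (IPv6)
  lineinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    regexp: '^munin_remote_ip='
    line: 'munin_remote_ip="{{ munin_remote_ipv6 }}"'
  when:
    - main_ipv6_exists.stat.exists
  notify:
    - Restart IPv6 Firewall

# NOTE(review): the munin-node 'allow' addresses are hard-coded while the
# firewall tasks above use munin_remote_ipv4 / munin_remote_ipv6; confirm
# whether they are meant to be the same address.
- name: Adjust line 'allow ^138..' file '/etc/munin/munin-node.conf'
  lineinfile:
    path: /etc/munin/munin-node.conf
    regexp: '^allow \^138'
    line: 'allow ^95\.217\.64\.122$'
  when:
    - munin_node_exists.stat.exists
  notify:
    - Restart Munin Node

- name: Adjust line 'allow ^.2a01.' file '/etc/munin/munin-node.conf'
  lineinfile:
    path: /etc/munin/munin-node.conf
    regexp: '^allow \^2a01'
    line: 'allow ^2a01:4f9:4a:2b57::122$'
  when:
    - munin_node_exists.stat.exists
  notify:
    - Restart Munin Node

- name: Adjust line 'dovecot_auth_port' (IPv4)
  lineinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    regexp: '^dovecot_auth_port='
    line: 'dovecot_auth_port="$dovecot_external_auth_port"'
  when:
    - main_ipv4_exists.stat.exists

- name: Adjust line 'dovecot_auth_port' (IPv6)
  lineinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    regexp: '^dovecot_auth_port='
    line: 'dovecot_auth_port="$dovecot_external_auth_port"'
  when:
    - main_ipv6_exists.stat.exists

- name: Adjust line 'jitsi_tcp_ports' (IPv4)
  lineinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    regexp: '^jitsi_tcp_ports='
    line: 'jitsi_tcp_ports="$standard_jitsi_tcp_ports"'
  when:
    - main_ipv4_exists.stat.exists

- name: Adjust line 'jitsi_tcp_ports' (IPv6)
  lineinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    regexp: '^jitsi_tcp_ports='
    line: 'jitsi_tcp_ports="$standard_jitsi_tcp_ports"'
  when:
    - main_ipv6_exists.stat.exists

- name: Adjust line 'jitsi_udp_port_range' (IPv4)
  lineinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    regexp: '^jitsi_udp_port_range='
    line: 'jitsi_udp_port_range="$standard_jitsi_udp_port_range"'
  when:
    - main_ipv4_exists.stat.exists

- name: Adjust line 'jitsi_udp_port_range' (IPv6)
  lineinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    regexp: '^jitsi_udp_port_range='
    line: 'jitsi_udp_port_range="$standard_jitsi_udp_port_range"'
  when:
    - main_ipv6_exists.stat.exists

- name: Adjust line 'jitsi_dovecot_port' (IPv4)
  lineinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    regexp: '^jitsi_dovecot_port='
    line: 'jitsi_dovecot_port="$default_jitsi_dovecout_auth_port"'
  when:
    - main_ipv4_exists.stat.exists

- name: Adjust line 'jitsi_dovecot_port' (IPv6)
  lineinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    regexp: '^jitsi_dovecot_port='
    line: 'jitsi_dovecot_port="$default_jitsi_dovecout_auth_port"'
  when:
    - main_ipv6_exists.stat.exists

- name: Adjust line 'nc_turn_ports' (IPv4)
  lineinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    regexp: '^nc_turn_ports='
    line: 'nc_turn_ports="$standard_turn_service_ports"'
  when:
    - main_ipv4_exists.stat.exists

- name: Adjust line 'nc_turn_ports' (IPv6)
  lineinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    regexp: '^nc_turn_ports='
    line: 'nc_turn_ports="$standard_turn_service_ports"'
  when:
    - main_ipv6_exists.stat.exists

# nc_turn_udp_ports is newer than nc_turn_ports: if it is missing, place it
# directly after the (possibly commented) nc_turn_ports line.
- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (nc_turn_udp_ports)
  lineinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    state: present
    regexp: '^nc_turn_udp_ports'
    line: 'nc_turn_udp_ports="$standard_turn_service_udp_ports"'
    insertafter: '^#?\s*nc_turn_ports'
  when:
    - main_ipv4_exists.stat.exists

- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (nc_turn_udp_ports)
  lineinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    state: present
    regexp: '^nc_turn_udp_ports'
    line: 'nc_turn_udp_ports="$standard_turn_service_udp_ports"'
    insertafter: '^#?\s*nc_turn_ports'
  when:
    - main_ipv6_exists.stat.exists

# ---
# Missing configuration blocks
# ---
#
# Pattern used for every variable below:
#   * a 'grep -q' check; rc 0 = present, rc 1 = absent (reported as
#     "changed" so that 'is changed' can gate the insert), rc >1 = grep error
#   * a blockinfile insert that only runs when the variable is absent.
# The markers written by blockinfile are stripped again at the end of this
# file ("Remove Marker set by blockinfile").

# ---
# vpn_ports
# ---

- name: Check if String 'vpn_ports=..' is present (IPv4)
  command: grep -q -E "^vpn_ports=" /etc/ipt-firewall/main_ipv4.conf
  register: vpn_ports_ipv4_present
  when: main_ipv4_exists.stat.exists
  failed_when: vpn_ports_ipv4_present.rc > 1
  changed_when: vpn_ports_ipv4_present.rc > 0

- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (vpn_ports)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    insertafter: '^#?\s*forward_vpn_server_ips'
    block: |
      # - VPN Port(s) used by local Services
      # -
      # - blank separated list
      # -
      vpn_ports="$standard_vpn_port"
    marker: "# Marker set by modify-ipt-server.yml (vpn_ports)"
  when:
    - main_ipv4_exists.stat.exists
    - vpn_ports_ipv4_present is changed

- name: Check if String 'vpn_ports=..' is present (IPv6)
  command: grep -q -E "^vpn_ports=" /etc/ipt-firewall/main_ipv6.conf
  register: vpn_ports_ipv6_present
  when: main_ipv6_exists.stat.exists
  failed_when: vpn_ports_ipv6_present.rc > 1
  changed_when: vpn_ports_ipv6_present.rc > 0

- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (vpn_ports)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    insertafter: '^#?\s*forward_vpn_server_ips'
    block: |
      # - VPN Port(s) used by local Services
      # -
      # - blank separated list
      # -
      vpn_ports="$standard_vpn_port"
    marker: "# Marker set by modify-ipt-server.yml (vpn_ports)"
  when:
    - main_ipv6_exists.stat.exists
    - vpn_ports_ipv6_present is changed

# ---
# ssh_ports
# ---

- name: Check if String 'ssh_ports=..' is present (IPv4)
  command: grep -q -E "^ssh_ports=" /etc/ipt-firewall/main_ipv4.conf
  register: ssh_ports_ipv4_present
  when: main_ipv4_exists.stat.exists
  failed_when: ssh_ports_ipv4_present.rc > 1
  changed_when: ssh_ports_ipv4_present.rc > 0

- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (ssh_ports)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    insertafter: '^#?\s*forward_ssh_server_ips'
    block: |
      # - SSH Port(s) used by local Services
      # -
      # - blank separated list
      # -
      ssh_ports="$standard_ssh_port"
    marker: "# Marker set by modify-ipt-server.yml (ssh_ports)"
  when:
    - main_ipv4_exists.stat.exists
    - ssh_ports_ipv4_present is changed

- name: Check if String 'ssh_ports=..' is present (IPv6)
  command: grep -q -E "^ssh_ports=" /etc/ipt-firewall/main_ipv6.conf
  register: ssh_ports_ipv6_present
  when: main_ipv6_exists.stat.exists
  failed_when: ssh_ports_ipv6_present.rc > 1
  changed_when: ssh_ports_ipv6_present.rc > 0

- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (ssh_ports)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    insertafter: '^#?\s*forward_ssh_server_ips'
    block: |
      # - SSH Port(s) used by local Services
      # -
      # - blank separated list
      # -
      ssh_ports="$standard_ssh_port"
    marker: "# Marker set by modify-ipt-server.yml (ssh_ports)"
  when:
    - main_ipv6_exists.stat.exists
    - ssh_ports_ipv6_present is changed

# ---
# http_ports
# ---

- name: Check if String 'http_ports=..' is present (IPv4)
  command: grep -q -E "^http_ports=" /etc/ipt-firewall/main_ipv4.conf
  register: http_ports_ipv4_present
  when: main_ipv4_exists.stat.exists
  failed_when: http_ports_ipv4_present.rc > 1
  changed_when: http_ports_ipv4_present.rc > 0

- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (http_ports)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    insertafter: '^#?\s*forward_http_server_ips'
    block: |
      # - HTTP(S) Ports used by local Services
      # -
      # - comma separated list
      # -
      http_ports="$standard_http_ports"
    marker: "# Marker set by modify-ipt-server.yml (http_ports)"
  when:
    - main_ipv4_exists.stat.exists
    - http_ports_ipv4_present is changed

- name: Check if String 'http_ports=..' is present (IPv6)
  command: grep -q -E "^http_ports=" /etc/ipt-firewall/main_ipv6.conf
  register: http_ports_ipv6_present
  when: main_ipv6_exists.stat.exists
  failed_when: http_ports_ipv6_present.rc > 1
  changed_when: http_ports_ipv6_present.rc > 0

- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (http_ports)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    insertafter: '^#?\s*forward_http_server_ips'
    block: |
      # - HTTP(S) Ports used by local Services
      # -
      # - comma separated list
      # -
      http_ports="$standard_http_ports"
    marker: "# Marker set by modify-ipt-server.yml (http_ports)"
  when:
    - main_ipv6_exists.stat.exists
    - http_ports_ipv6_present is changed

# ---
# mail_user_ports
# ---

- name: Check if String 'mail_user_ports=..' is present (IPv4)
  command: grep -q -E "^mail_user_ports=" /etc/ipt-firewall/main_ipv4.conf
  register: mail_user_ports_ipv4_present
  when: main_ipv4_exists.stat.exists
  failed_when: mail_user_ports_ipv4_present.rc > 1
  changed_when: mail_user_ports_ipv4_present.rc > 0

- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (mail_user_ports)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    insertafter: '^#?\s*forward_mail_server_ips'
    block: |
      # - Client Ports used by local Mail Services
      # -
      # - comma separated list
      # -
      mail_user_ports="$standard_mailuser_ports"
    marker: "# Marker set by modify-ipt-server.yml (mail_user_ports)"
  when:
    - main_ipv4_exists.stat.exists
    - mail_user_ports_ipv4_present is changed

- name: Check if String 'mail_user_ports=..' is present (IPv6)
  command: grep -q -E "^mail_user_ports=" /etc/ipt-firewall/main_ipv6.conf
  register: mail_user_ports_ipv6_present
  when: main_ipv6_exists.stat.exists
  failed_when: mail_user_ports_ipv6_present.rc > 1
  changed_when: mail_user_ports_ipv6_present.rc > 0

- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (mail_user_ports)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    insertafter: '^#?\s*forward_mail_server_ips'
    block: |
      # - Client Ports used by local Mail Services
      # -
      # - comma separated list
      # -
      mail_user_ports="$standard_mailuser_ports"
    marker: "# Marker set by modify-ipt-server.yml (mail_user_ports)"
  when:
    - main_ipv6_exists.stat.exists
    - mail_user_ports_ipv6_present is changed

# ---
# ftp_passive_port_range
# ---

- name: Check if String 'ftp_passive_port_range=..' is present (IPv4)
  command: grep -q -E "^ftp_passive_port_range=" /etc/ipt-firewall/main_ipv4.conf
  register: ftp_passive_port_range_ipv4_present
  when: main_ipv4_exists.stat.exists
  failed_when: ftp_passive_port_range_ipv4_present.rc > 1
  changed_when: ftp_passive_port_range_ipv4_present.rc > 0

- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (ftp_passive_port_range)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    insertafter: '^#?\s*forward_ftp_server_ips'
    block: |
      # - FTP passive port range use by local ftp service(s)
      # -
      # - example: ftp_passive_port_range="50000:50400"
      # -
      ftp_passive_port_range="50000:50400"
    marker: "# Marker set by modify-ipt-server.yml (ftp_passive_port_range)"
  when:
    - main_ipv4_exists.stat.exists
    - ftp_passive_port_range_ipv4_present is changed

- name: Check if String 'ftp_passive_port_range=..' is present (IPv6)
  command: grep -q -E "^ftp_passive_port_range=" /etc/ipt-firewall/main_ipv6.conf
  register: ftp_passive_port_range_ipv6_present
  when: main_ipv6_exists.stat.exists
  failed_when: ftp_passive_port_range_ipv6_present.rc > 1
  changed_when: ftp_passive_port_range_ipv6_present.rc > 0

- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (ftp_passive_port_range)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    insertafter: '^#?\s*forward_ftp_server_ips'
    block: |
      # - FTP passive port range use by local ftp service(s)
      # -
      # - example: ftp_passive_port_range="50000:50400"
      # -
      ftp_passive_port_range="50000:50400"
    marker: "# Marker set by modify-ipt-server.yml (ftp_passive_port_range)"
  when:
    - main_ipv6_exists.stat.exists
    - ftp_passive_port_range_ipv6_present is changed

# ---
# munin_remote_port
# ---

- name: Check if String 'munin_remote_port=..' is present (IPv4)
  command: grep -q -E "^munin_remote_port=" /etc/ipt-firewall/main_ipv4.conf
  register: munin_remote_port_ipv4_present
  when: main_ipv4_exists.stat.exists
  failed_when: munin_remote_port_ipv4_present.rc > 1
  changed_when: munin_remote_port_ipv4_present.rc > 0

- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (munin_remote_port)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    insertafter: '^#?\s*forward_munin_server_ips'
    block: |
      # - Port used by clients hosted on this (local) Munin Services
      # -
      # - !! Only one port is possible !!
      # -
      munin_remote_port="$standard_munin_port"
    marker: "# Marker set by modify-ipt-server.yml (munin_remote_port)"
  when:
    - main_ipv4_exists.stat.exists
    - munin_remote_port_ipv4_present is changed

- name: Check if String 'munin_remote_port=..' is present (IPv6)
  command: grep -q -E "^munin_remote_port=" /etc/ipt-firewall/main_ipv6.conf
  register: munin_remote_port_ipv6_present
  when: main_ipv6_exists.stat.exists
  failed_when: munin_remote_port_ipv6_present.rc > 1
  changed_when: munin_remote_port_ipv6_present.rc > 0

- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (munin_remote_port)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    insertafter: '^#?\s*forward_munin_server_ips'
    block: |
      # - Ports used by clients hosted on this (local) Munin Services
      # -
      # - !! Only one port is possible !!
      # -
      munin_remote_port="$standard_munin_port"
    marker: "# Marker set by modify-ipt-server.yml (munin_remote_port)"
  when:
    - main_ipv6_exists.stat.exists
    - munin_remote_port_ipv6_present is changed

# ---
# xymon_port
# ---

- name: Check if String 'xymon_port=..' is present (IPv4)
  command: grep -q -E "^xymon_port=" /etc/ipt-firewall/main_ipv4.conf
  register: xymon_port_ipv4_present
  when: main_ipv4_exists.stat.exists
  failed_when: xymon_port_ipv4_present.rc > 1
  changed_when: xymon_port_ipv4_present.rc > 0

- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (xymon_port)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    insertafter: '^#?\s*local_xymon_client'
    block: |
      # - Port used by local Xymon Services
      # -
      # - !! Only one port is possible !!
      # -
      xymon_port="$standard_xymon_port"
    marker: "# Marker set by modify-ipt-server.yml (xymon_port)"
  when:
    - main_ipv4_exists.stat.exists
    - xymon_port_ipv4_present is changed

- name: Check if String 'xymon_port=..' is present (IPv6)
  command: grep -q -E "^xymon_port=" /etc/ipt-firewall/main_ipv6.conf
  register: xymon_port_ipv6_present
  when: main_ipv6_exists.stat.exists
  failed_when: xymon_port_ipv6_present.rc > 1
  changed_when: xymon_port_ipv6_present.rc > 0

- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (xymon_port)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    insertafter: '^#?\s*local_xymon_client'
    block: |
      # - Port used by local Xymon Services
      # -
      # - !! Only one port is possible !!
      # -
      xymon_port="$standard_xymon_port"
    marker: "# Marker set by modify-ipt-server.yml (xymon_port)"
  when:
    - main_ipv6_exists.stat.exists
    - xymon_port_ipv6_present is changed

# ---
# mumble_ports
# ---

- name: Check if String 'mumble_ports=..' is present (IPv4)
  command: grep -q -E "^mumble_ports=" /etc/ipt-firewall/main_ipv4.conf
  register: mumble_ports_ipv4_present
  when: main_ipv4_exists.stat.exists
  failed_when: mumble_ports_ipv4_present.rc > 1
  changed_when: mumble_ports_ipv4_present.rc > 0

- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (mumble_ports)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    insertafter: '^#?\s*forward_mumble_server_ips'
    block: |
      # - Ports used by local Mumble Services
      # -
      # - comma separated list
      # -
      mumble_ports="$standard_mumble_port"
    marker: "# Marker set by modify-ipt-server.yml (mumble_ports)"
  when:
    - main_ipv4_exists.stat.exists
    - mumble_ports_ipv4_present is changed

- name: Check if String 'mumble_ports=..' is present (IPv6)
  command: grep -q -E "^mumble_ports=" /etc/ipt-firewall/main_ipv6.conf
  register: mumble_ports_ipv6_present
  when: main_ipv6_exists.stat.exists
  failed_when: mumble_ports_ipv6_present.rc > 1
  changed_when: mumble_ports_ipv6_present.rc > 0

- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (mumble_ports)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    insertafter: '^#?\s*forward_mumble_server_ips'
    block: |
      # - Ports used by local Mumble Services
      # -
      # - comma separated list
      # -
      mumble_ports="$standard_mumble_port"
    marker: "# Marker set by modify-ipt-server.yml (mumble_ports)"
  when:
    - main_ipv6_exists.stat.exists
    - mumble_ports_ipv6_present is changed

# ---
# jitsi video conference service
# ---

- name: Check if String 'jitsi_server_ips=..' (IPv4) is present
  command: grep -q -E "^jitsi_server_ips=" /etc/ipt-firewall/main_ipv4.conf
  register: jitsi_service_ipv4_present
  when: main_ipv4_exists.stat.exists
  failed_when: jitsi_service_ipv4_present.rc > 1
  changed_when: jitsi_service_ipv4_present.rc > 0

- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (jitsi service)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    insertafter: '^#?\s*mumble_ports'
    block: |
      # - Jitsi Video Conferencing Server
      # -
      jitsi_server_ips=""
      forward_jitsi_server_ips=""

      # - Jitsi (incomming) Ports
      # -
      # - comma separated list of ports/port ranges)
      # -
      jitsi_tcp_ports="$standard_jitsi_tcp_ports"
      jitsi_udp_port_range="$standard_jitsi_udp_port_range"
    marker: "# Marker set by modify-ipt-server.yml (jitsi service)"
  when:
    - main_ipv4_exists.stat.exists
    - jitsi_service_ipv4_present is changed

- name: Check if String 'jitsi_server_ips=..' (IPv6) is present
  command: grep -q -E "^jitsi_server_ips=" /etc/ipt-firewall/main_ipv6.conf
  register: jitsi_service_ipv6_present
  when: main_ipv6_exists.stat.exists
  failed_when: jitsi_service_ipv6_present.rc > 1
  changed_when: jitsi_service_ipv6_present.rc > 0

- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (jitsi service)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    insertafter: '^#?\s*mumble_ports'
    block: |
      # - Jitsi Video Conferencing Server
      # -
      jitsi_server_ips=""
      forward_jitsi_server_ips=""

      # - Jitsi (incomming) Ports
      # -
      # - comma separated list of ports/port ranges)
      # -
      jitsi_tcp_ports="$standard_jitsi_tcp_ports"
      jitsi_udp_port_range="$standard_jitsi_udp_port_range"
    marker: "# Marker set by modify-ipt-server.yml (jitsi service)"
  when:
    - main_ipv6_exists.stat.exists
    - jitsi_service_ipv6_present is changed

- name: Check if String 'jitsi_tcp_ports_out=..' (IPv4) is present
  command: grep -q -E "^jitsi_tcp_ports_out=" /etc/ipt-firewall/main_ipv4.conf
  register: jitsi_tcp_ports_out_ipv4_present
  when: main_ipv4_exists.stat.exists
  failed_when: jitsi_tcp_ports_out_ipv4_present.rc > 1
  changed_when: jitsi_tcp_ports_out_ipv4_present.rc > 0

- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (jitsi outgoing ports)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    insertafter: '^#?\s*jitsi_udp_port_range'
    block: |
      # - Jitsi (outgoing) Ports (STUN Services)
      # -
      jitsi_tcp_ports_out="$standard_turn_service_ports,4443,4444,4445,4446"
      jitsi_udp_ports_out="$standard_http_ports,$standard_turn_service_ports,4443,4444,4445,4446"
    marker: "# Marker set by modify-ipt-server.yml (jitsi outgoing ports)"
  when:
    - main_ipv4_exists.stat.exists
    - jitsi_tcp_ports_out_ipv4_present is changed

- name: Check if String 'jitsi_tcp_ports_out=..' (IPv6) is present
  command: grep -q -E "^jitsi_tcp_ports_out=" /etc/ipt-firewall/main_ipv6.conf
  register: jitsi_tcp_ports_out_ipv6_present
  when: main_ipv6_exists.stat.exists
  failed_when: jitsi_tcp_ports_out_ipv6_present.rc > 1
  changed_when: jitsi_tcp_ports_out_ipv6_present.rc > 0

- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (jitsi outgoing ports)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    insertafter: '^#?\s*jitsi_udp_port_range'
    block: |
      # - Jitsi (outgoing) Ports (STUN Services)
      # -
      jitsi_tcp_ports_out="$standard_turn_service_ports,4443,4444,4445,4446"
      jitsi_udp_ports_out="$standard_http_ports,$standard_turn_service_ports,4443,4444,4445,4446"
    marker: "# Marker set by modify-ipt-server.yml (jitsi outgoing ports)"
  when:
    - main_ipv6_exists.stat.exists
    - jitsi_tcp_ports_out_ipv6_present is changed

- name: Check if String 'jitsi_dovecot_auth=..' (IPv4) is present
  command: grep -q -E "^jitsi_dovecot_auth=" /etc/ipt-firewall/main_ipv4.conf
  register: jitsi_dovecot_auth_ipv4_present
  when: main_ipv4_exists.stat.exists
  failed_when: jitsi_dovecot_auth_ipv4_present.rc > 1
  changed_when: jitsi_dovecot_auth_ipv4_present.rc > 0

- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (jitsi dovecot auth)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    insertafter: '^#?\s*jitsi_udp_ports_out'
    block: |
      # - Jitsi Dovecot Authentication
      # -
      jitsi_dovecot_auth=false
      jitsi_dovecot_host=""
      jitsi_dovecot_port="$default_jitsi_dovecout_auth_port"
    marker: "# Marker set by modify-ipt-server.yml (jitsi dovecot auth)"
  when:
    - main_ipv4_exists.stat.exists
    - jitsi_dovecot_auth_ipv4_present is changed

- name: Check if String 'jitsi_dovecot_auth=..' (IPv6) is present
  command: grep -q -E "^jitsi_dovecot_auth=" /etc/ipt-firewall/main_ipv6.conf
  register: jitsi_dovecot_auth_ipv6_present
  when: main_ipv6_exists.stat.exists
  failed_when: jitsi_dovecot_auth_ipv6_present.rc > 1
  changed_when: jitsi_dovecot_auth_ipv6_present.rc > 0

- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (jitsi dovecot auth)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    insertafter: '^#?\s*jitsi_udp_ports_out'
    block: |
      # - Jitsi Dovecot Authentication
      # -
      jitsi_dovecot_auth=false
      jitsi_dovecot_host=""
      jitsi_dovecot_port="$default_jitsi_dovecout_auth_port"
    marker: "# Marker set by modify-ipt-server.yml (jitsi dovecot auth)"
  when:
    - main_ipv6_exists.stat.exists
    - jitsi_dovecot_auth_ipv6_present is changed

# The jibri block is gated on 'jitsi_jibri_remote_auth' and must insert the
# jibri variables for BOTH address families (the IPv6 variant previously
# re-inserted the dovecot block instead).
- name: Check if String 'jitsi_jibri_remote_auth=..' (IPv4) is present
  command: grep -q -E "^jitsi_jibri_remote_auth=" /etc/ipt-firewall/main_ipv4.conf
  register: jitsi_jibri_remote_auth_ipv4_present
  when: main_ipv4_exists.stat.exists
  failed_when: jitsi_jibri_remote_auth_ipv4_present.rc > 1
  changed_when: jitsi_jibri_remote_auth_ipv4_present.rc > 0

- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (jitsi jibri)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    insertafter: '^#?\s*jitsi_dovecot_port'
    block: |
      # - Jibri extern Client Recording / Streamin
      # -
      jitsi_jibri_remote_auth=false

      # - Remote Jibri servers
      # -
      # - blank separated list of ipv4 addresses
      # -
      jitsi_jibri_remote_ips=""
      jitsi_jibri_remote_auth_port="$default_jibri_out_port"

      # - Jibri Recording / Streaming Service
      # -
      # - blank separated list of ipv4 addresse
      # -
      jibri_server_ips=""

      # - blank separated list of ipv4 addresse
      # -
      forward_jibri_server_ips=""
      jibri_remote_jitsi_server=""
      jibri_remote_auth_port="$default_jibri_out_port"
    marker: "# Marker set by modify-ipt-server.yml (jitsi jibri)"
  when:
    - main_ipv4_exists.stat.exists
    - jitsi_jibri_remote_auth_ipv4_present is changed

- name: Check if String 'jitsi_jibri_remote_auth=..' (IPv6) is present
  command: grep -q -E "^jitsi_jibri_remote_auth=" /etc/ipt-firewall/main_ipv6.conf
  register: jitsi_jibri_remote_auth_ipv6_present
  when: main_ipv6_exists.stat.exists
  failed_when: jitsi_jibri_remote_auth_ipv6_present.rc > 1
  changed_when: jitsi_jibri_remote_auth_ipv6_present.rc > 0

- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (jitsi jibri)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    insertafter: '^#?\s*jitsi_dovecot_port'
    block: |
      # - Jibri extern Client Recording / Streamin
      # -
      jitsi_jibri_remote_auth=false

      # - Remote Jibri servers
      # -
      # - blank separated list of ipv6 addresses
      # -
      jitsi_jibri_remote_ips=""
      jitsi_jibri_remote_auth_port="$default_jibri_out_port"

      # - Jibri Recording / Streaming Service
      # -
      # - blank separated list of ipv6 addresse
      # -
      jibri_server_ips=""

      # - blank separated list of ipv6 addresse
      # -
      forward_jibri_server_ips=""
      jibri_remote_jitsi_server=""
      jibri_remote_auth_port="$default_jibri_out_port"
    marker: "# Marker set by modify-ipt-server.yml (jitsi jibri)"
  when:
    - main_ipv6_exists.stat.exists
    - jitsi_jibri_remote_auth_ipv6_present is changed

# ---
# TURN Server (Stun Server) (for Nextcloud 'talk' app)
# ---

- name: Check if String 'nc_turn_server_ips=..' (IPv4) is present
  command: grep -q -E "^nc_turn_server_ips=" /etc/ipt-firewall/main_ipv4.conf
  register: nc_turn_service_ipv4_present
  when: main_ipv4_exists.stat.exists
  failed_when: nc_turn_service_ipv4_present.rc > 1
  changed_when: nc_turn_service_ipv4_present.rc > 0

- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (nc's turn service)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv4.conf
    insertafter: '^#?\s*jitsi_dovecot_port'
    block: |
      # - TURN Server (Stun Server) (for Nextcloud 'talk' app)
      # -
      nc_turn_server_ips=""
      forward_nc_turn_server_ips=""

      # - Ports used by local TURN Server (Stun Server)
      # -
      # - comma separated list
      # -
      nc_turn_ports="$standard_turn_service_ports"
      nc_turn_udp_ports="$standard_turn_service_udp_ports"
    marker: "# Marker set by modify-ipt-server.yml (nc's turn service)"
  when:
    - main_ipv4_exists.stat.exists
    - nc_turn_service_ipv4_present is changed

- name: Check if String 'nc_turn_server_ips=..' (IPv6) is present
  command: grep -q -E "^nc_turn_server_ips=" /etc/ipt-firewall/main_ipv6.conf
  register: nc_turn_service_ipv6_present
  when: main_ipv6_exists.stat.exists
  failed_when: nc_turn_service_ipv6_present.rc > 1
  changed_when: nc_turn_service_ipv6_present.rc > 0

- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (nc's turn service)
  blockinfile:
    path: /etc/ipt-firewall/main_ipv6.conf
    insertafter: '^#?\s*jitsi_dovecot_port'
    block: |
      # - TURN Server (Stun Server) (for Nextcloud 'talk' app)
      # -
      nc_turn_server_ips=""
      forward_nc_turn_server_ips=""

      # - Ports used by local TURN Server (Stun Server)
      # -
      # - comma separated list
      # -
      nc_turn_ports="$standard_turn_service_ports"
      nc_turn_udp_ports="$standard_turn_service_udp_ports"
    marker: "# Marker set by modify-ipt-server.yml (nc's turn service)"
  when:
    - main_ipv6_exists.stat.exists
    - nc_turn_service_ipv6_present is changed

# ---
# Remove Marker set by blockinfile
# ---
#
# Every blockinfile task above writes "# Marker set by modify-ipt-server.yml
# (...)" around its block; the inserts are already guarded by the grep checks,
# so the markers are only noise in the generated configuration and are
# removed here.

- name: Remove marker IPv4
  replace:
    path: /etc/ipt-firewall/main_ipv4.conf
    regexp: "^# Marker set by modify-ipt-server.yml.*$"
    replace: ""
  register: marker_ipv4_removed
  when:
    - main_ipv4_exists.stat.exists

- name: Remove marker IPv6
  replace:
    path: /etc/ipt-firewall/main_ipv6.conf
    regexp: "^# Marker set by modify-ipt-server.yml.*$"
    replace: ""
  register: marker_ipv6_removed
  when:
    - main_ipv6_exists.stat.exists

# ---
# Configuration Files
# ---
#
# 'copy' with remote_src compares checksums itself, so the separate
# diff/cp pair is not needed: the task reports changed (and notifies the
# restart handlers) only when a file really differs. The file mode is taken
# from the repository copy.

- name: Ensure configuration files are latest
  copy:
    src: '{{ git_firewall_repository.dest }}/conf/{{ item }}'
    dest: '/etc/ipt-firewall/{{ item }}'
    remote_src: true
    mode: preserve
  loop:
    - default_ports.conf
    - include_functions.conf
    - load_modules_ipv4.conf
    - load_modules_ipv6.conf
    - logging_ipv4.conf
    - logging_ipv6.conf
    - post_decalrations.conf
  when: git_firewall_repository is defined and git_firewall_repository|length > 0
  notify:
    - Restart IPv4 Firewall
    - Restart IPv6 Firewall

# ---
# Firewall scripts
# ---

- name: Ensure firewall scripts are latest
  copy:
    src: '{{ git_firewall_repository.dest }}/{{ item }}'
    dest: '/usr/local/sbin/{{ item }}'
    remote_src: true
    mode: preserve
  loop:
    - ipt-firewall-server
    - ip6t-firewall-server
  when: git_firewall_repository is defined and git_firewall_repository|length > 0
  notify:
    - Restart IPv4 Firewall
    - Restart IPv6 Firewall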