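---
# ---
# vars used by roles/network_interfaces
# ---

# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
network_manage_devices: true

# Should the interfaces be reloaded after config change?
network_interface_reload: false

network_interface_path: /etc/network/interfaces.d

network_interface_required_packages:
  - vlan
  - bridge-utils
  - ifmetric
  - ifupdown
  - ifenslave

# One entry per interface stanza.  The post-up lines are shell commands that
# ifup runs verbatim; a failing `ip route add` (e.g. an already existing
# route) is presumably reported as a hook failure — confirm before relying on
# partial application.
network_interfaces:
  - device: eth1
    headline: eth1 - Uplink DSL Altenschlirf via (static) line to Fritz!Box 7590
    auto: true
    family: inet
    method: static
    address: 172.16.10.1
    netmask: 24
    gateway: 172.16.10.254
    # nameservers:
    #   - 192.168.10.1
    #   - 192.168.10.3
    # search: ga.netz

  - device: eth2
    headline: eth2 - LAN main network Altenschlirf
    auto: true
    family: inet
    method: static
    address: 192.168.10.254
    netmask: 24
    post-up:
      # VLAN 221 (Ubiquiti UniFi Accesspoints)
      - /sbin/ip link add link eth2 name eth2.221 type vlan id 221

  - device: eth2:ns
    headline: eth2:ns - Alias on eth2 (Nameserver)
    auto: true
    family: inet
    method: static
    address: 192.168.10.1
    netmask: 32

  - device: eth2:ap
    headline: eth2:ap - Alias on eth2 (Network Accesspoints)
    auto: true
    family: inet
    method: static
    address: 10.122.1.254
    netmask: 24
    post-up:
      # Wireless networks routed through the appropriate access points
      - /sbin/ip route add 10.123.1.0/24 via 10.122.1.1
      - /sbin/ip route add 10.123.2.0/24 via 10.122.1.2
      - /sbin/ip route add 10.123.3.0/24 via 10.122.1.3
      - /sbin/ip route add 10.123.4.0/24 via 10.122.1.4
      - /sbin/ip route add 10.123.5.0/24 via 10.122.1.5
      - /sbin/ip route add 10.123.6.0/24 via 10.122.1.6
      - /sbin/ip route add 10.123.7.0/24 via 10.122.1.7
      - /sbin/ip route add 10.123.8.0/24 via 10.122.1.8
      - /sbin/ip route add 10.123.9.0/24 via 10.122.1.9
      - /sbin/ip route add 10.123.10.0/24 via 10.122.1.10
      - /sbin/ip route add 10.123.11.0/24 via 10.122.1.11
      - /sbin/ip route add 10.123.12.0/24 via 10.122.1.12
      - /sbin/ip route add 10.123.13.0/24 via 10.122.1.13
      - /sbin/ip route add 10.123.14.0/24 via 10.122.1.14
      - /sbin/ip route add 10.123.15.0/24 via 10.122.1.15

  # Full reference entry: every key the role understands is listed here.
  # Keys without a value are written as an explicit `null` (same data as a
  # bare `key:`); the role template presumably tests them for presence, so
  # they are kept rather than dropped — confirm before removing any.
  - device: eth2.221
    # use only once per device (for the first device entry)
    headline: eth2 - VLAN 221 (Ubiquiti UniFi Accesspoints)
    # auto & allow are only used for the first device entry
    allow: []  # array of allow-[stanzas] eg. allow-hotplug
    auto: true
    family: inet
    method: static
    # hwaddress: 0c:c4:7a:7d:51:46
    description: null
    address: 10.221.15.254
    netmask: 20
    gateway: null
    metric: null
    pointopoint: null
    mtu: null
    scope: null
    # additional keys used by the dhcp method
    # hostname:
    leasehours: null
    leasetime: null
    vendor: null
    client: null
    # additional keys used by the bootp method
    # bootfile:
    server: null
    hwaddr: null
    # optional dns settings
    nameservers: []
    # nameservers:
    #   - 194.150.168.168  # dns.as250.net
    #   - 91.239.100.100   # anycast.censurfridns.dk
    # search: warenform.de
    # optional additional subnets/ips
    subnets: []
    # subnets:
    #   - '192.168.123.0/24'
    #   - '192.168.124.11/32'
    # optional bridge parameters (key listed once; the duplicate `bridge: {}`
    # that followed the commented example has been dropped — duplicate keys
    # are last-wins in the YAML loader and make Ansible warn)
    bridge: {}
    # bridge:
    #   ports:
    #   stp:
    #   fd:
    #   maxwait:
    #   waitport:
    # optional bonding parameters (same: listed once)
    bond: {}
    # bond:
    #   master
    #   primary
    #   slave
    #   method:
    #   miimon:
    #   lacp-rate:
    #   ad-select-rate:
    #   master:
    #   slaves:
    # optional vlan settings
    vlan: {}
    # vlan:
    #   raw-device: 'eth0'
    # inline hook scripts
    pre-up: []     # pre-up script lines
    up: []
    post-up: []    # post-up script lines (alias for up)
    pre-down: []   # pre-down script lines (alias for down)
    down: []       # down script lines
    post-down: []  # post-down script lines

  - device: eth3
    headline: eth3 - LAN - Uplink static line (radio) to Stockausen
    auto: true
    family: inet
    method: static
    address: 172.16.111.253
    netmask: 24
    post-up:
      - /sbin/ip route add 172.16.211.0/24 via 172.16.111.254
      # User networks Stockhausen
      - /sbin/ip route add 192.168.11.0/24 via 172.16.111.254
      - /sbin/ip route add 192.168.78.0/24 via 172.16.111.254
      # User network Novalishaus
      - /sbin/ip route add 192.168.81.0/24 via 172.16.111.254
      # Management network Stockhausen
      - /sbin/ip route add 10.10.11.0/24 via 172.16.111.254
      # Deprecated management network Stockhausen
      - /sbin/ip route add 10.10.9.0/24 via 172.16.111.254
      # IPMI Stockhausen
      - /sbin/ip route add 10.11.11.0/24 via 172.16.111.254
      # WLAN router Stockhausen
      - /sbin/ip route add 10.112.1.0/24 via 172.16.111.254
      # WLAN network
      - /sbin/ip route add 10.113.0.0/16 via 172.16.111.254
      # UniFi WLAN network Stockhausen
      - /sbin/ip route add 10.121.0.0/20 via 172.16.111.254
      # Directional radio antennas Stockhausen (2) / Schlechtenwegen / Kirschbaumhaus
      - /sbin/ip route add 10.10.111.0/24 via 172.16.111.254
      # VPN network Stockhausen - Novalishaus (Schlechtenwegen)
      - /sbin/ip route add 10.2.81.0/24 via 172.16.111.254
      # VPN home Stockhausen
      - /sbin/ip route add 10.0.11.0/24 via 172.16.111.254
      # - Fritz!Boxes Stockhausen
      - /sbin/ip route add 172.16.11.0/24 via 172.16.111.254
      - /sbin/ip route add 172.16.12.0/24 via 172.16.111.254
      - /sbin/ip route add 172.16.13.0/24 via 172.16.111.254
      # - Fritz!Box Novalishaus
      - /sbin/ip route add 172.16.80.0/24 via 172.16.111.254
      # - DigitBox Novalishaus
      - /sbin/ip route add 172.16.81.0/24 via 172.16.111.254

  - device: eth4
    headline: eth4 - Management Network Altenschlirf
    auto: true
    family: inet
    method: static
    address: 10.10.10.254
    netmask: 24

  - device: eth5
    headline: eth5 - Network Telefons Altenschlirf
    auto: true
    family: inet
    method: static
    address: 172.16.210.254
    netmask: 24

# ---
# vars used by roles/ansible_dependencies
# ---

# ---
# vars used by roles/ansible_user
# ---

# ---
# vars used by roles/common/tasks/basic.yml
# ---

# ---
# vars used by roles/common/tasks/sshd.yml
# ---

# ---
# vars used by roles/common/tasks/apt.yml
# ---

# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true

# Reference list of public resolvers kept by the author; the active setting is
# resolved_nameserver below, which points at the local bind9 instance.
#
# CyberGhost - fast connection with a no-logs privacy policy
#   primary DNS address:   38.132.106.139
#   secondary DNS address: 194.187.251.67
#
# Cloudflare (USA) - best free DNS server for gaming with reliable connections
#   primary   IPv4: 1.1.1.1   IPv6: 2606:4700:4700::1111
#   secondary IPv4: 1.0.0.1   IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - great combination of speed and security
#   primary   IPv4: 8.8.8.8   IPv6: 2001:4860:4860::8888
#   secondary IPv4: 8.8.4.4   IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - blocks malicious sites and prevents phishing fraud
#   primary   IPv4: 9.9.9.9          IPv6: 2620:fe::fe
#   secondary IPv4: 149.112.112.112  IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
#   IPv4: 195.10.195.195 - ns31.de
#   IPv4: 94.16.114.254  - ns28.de
#   IPv4: 51.254.162.59  - ns9.de
#   IPv4: 194.36.144.87  - ns29.de
#   IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (plain DNS, DNS-over-TLS and DNS-over-HTTPS)
#   IPv4: 5.1.66.255      IPv6: 2001:678:e68:f000::  DoT server name: dot.ffmuc.net
#   IPv4: 185.150.99.255  IPv6: 2001:678:ed0:f000::  DoT server name: dot.ffmuc.net
#   for iOS 14+: DoT server configuration (unsigned, from PrHdb)
resolved_nameserver:
  - 127.0.0.1

# search domains
#
# If there is more than one search domain, list them here in the order in
# which the resolver should search them.
#
# resolved_domains: []
resolved_domains:
  # `~.` is systemd-resolved's route-only catch-all domain (all lookups go to
  # this link); quoted so the leading `~` can never be read as YAML null.
  - '~.'
  - ga.netz
  - ga.intra

resolved_dnssec: false

# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
  - 192.168.11.1

# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_user_special_time_entries:
  - name: "Restart NTP service 'ntpsec'"
    special_time: reboot
    job: "sleep 15 ; /bin/systemctl restart ntpsec"
    insertafter: PATH

# ---
# vars used by roles/common/tasks/users.yml
# ---
# NOTE(review): the password hashes in this section and the root hash at the
# end of the file are credential material; every clone of this repository
# carries them.  An ansible-vault encrypted vars file (or `!vault` scalars)
# keeps the values out of plain text.  The priv_key_src paths below are
# repository-relative (presumably under the role's files/ directory) and the
# private keys they point at deserve the same treatment.
insert_ssh_keypair_backup_server: false
ssh_keypair_backup_server:
  - name: backup
    backup_user: back
    priv_key_src: root/.ssh/id_rsa.backup.oopen.de
    priv_key_dest: /root/.ssh/id_rsa
    pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub
    pub_key_dest: /root/.ssh/id_rsa.pub

# (variable name differs from insert_ssh_keypair_backup_server above; left
# as-is because the role presumably reads exactly this name)
insert_keypair_backup_client: true
ssh_keypair_backup_client:
  - name: backup
    priv_key_src: root/.ssh/id_ed25519.oopen-server
    priv_key_dest: /root/.ssh/id_ed25519
    pub_key_src: root/.ssh/id_ed25519.oopen-server.pub
    pub_key_dest: /root/.ssh/id_ed25519.pub
    target: backup.oopen.de

# Local accounts.  Hashes are quoted so tooling never retypes them.  The same
# public keys are authorized for several accounts (chris@sol and root@sol also
# appear under sysadm and back), so one of those keys opens all of them.
default_user:
  - name: chris
    password: '$y$j9T$rDrvWa/KInzTe601YYf9./$WjDlaItCrgX7gu4nCs481y8WLxiRaNJCC/MgFgKuzg3'
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'

  - name: maadmin
    password: '$y$j9T$LCkYWvykWzrpFxIlmSUB01$e1ROfZxXAU53UdAwZAECzED4iV4LS02Q4IPQ2fycv51'
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1'

  - name: wadmin
    # sha512-crypt ($6$) with default rounds, unlike the yescrypt ($y$) hashes
    # of the other accounts; regenerating it with the current scheme would
    # bring it in line.
    password: '$6$sLWIXKTW$i/STlSS0LijkrnGR/XMbaxJsEbrRdDYgqyCqIr.muLN5towes8yHDCXsyCYDjuaBNKPHXyFpr8lclg5DOm9OF1'
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'

  - name: sysadm
    user_id: 1050
    group_id: 1050
    group: sysadm
    password: '$y$j9T$awYUu9oRvV39ojITZOC7D1$czTh5HHIE32PXb0vl40ayAarm39txR4jaH1QzBscqfC'
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'

  - name: back
    user_id: 1060
    group_id: 1060
    group: back
    password: '$y$j9T$wpg8hlvMpO4PAWSVdLoJq/$dgpQh4cEnbUOQkkZzKUM4S8XzNS/Md5gMmMuNTqec74'
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'

sudo_users:
  - chris
  - sysadm
  - maadmin
  - wadmin

# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---

# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---

# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars

# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
install_bind_packages: true

# NOTE(review): the original layout of this list could not be recovered with
# certainty.  The label key (`local-net:` / `internaldns:`) is written here as
# an empty sibling of `name` and `entries`, which is the shape a template
# reading item.name / item.entries expects — confirm against the role's
# named.conf template.  Entries starting with `#` are emitted verbatim as
# comments inside the acl block (presumably).
bind9_gateway_acl:
  - local-net: null
    name: local-net
    entries:
      - 127.0.0.0/8
      - 172.16.0.0/12
      - 192.168.0.0/16
      - 10.0.0.0/8
      - fc00::/7
      - fe80::/10
      - ::1/128
  - internaldns: null
    name: internaldns
    entries:
      - '# Nameserver Gateway Stockhausen'
      - 192.168.11.1
      - '# Domain Controller Stockhausen'
      - 192.168.10.3
      - '# Nameserver Gateway Altenschlirf'
      - 192.168.10.1
      - '# Domain Controller Altenschlirf'
      - 192.168.10.3
      - 192.168.10.6
      - 172.16.0.1
      - '# Nameserver Gateway Novalishaus'
      - 192.168.81.1
      - 10.2.11.2
      - '# Nameserver wolle'
      - 10.113.12.3
      - '# Postfix Mailserver'
      - 192.168.11.2
      - '# Mail Relay System'
      - 192.168.10.2

bind9_gateway_listen_on_v6:
  - none

# Listens on every interface, including the uplinks; what keeps this from
# being an open resolver is the allow_query / allow_query_cache /
# allow_recursion ACLs below (all `local-net`).  Keep them in step if
# listen_on is ever widened further or local-net is changed.
bind9_gateway_listen_on:
  - any

# bind9_gateway_allow_transfer: {}
bind9_gateway_allow_transfer:
  - none

# Quoted strings: these must render as text, never be retyped by the loader.
bind9_transfer_source: "192.168.10.1"
bind9_notify_source: "192.168.10.1"

# bind9_gateway_allow_query: {}
bind9_gateway_allow_query:
  - local-net

# bind9_gateway_allow_query_cache: {}
bind9_gateway_allow_query_cache:
  - local-net

# Must stay the literal string `yes` (named.conf syntax), not a YAML boolean.
bind9_gateway_recursion: "yes"

# bind9_gateway_allow_recursion: {}
bind9_gateway_allow_recursion:
  - local-net

# ---
# vars used by roles/common/tasks/git.yml
# ---
git_firewall_repository:
  name: ipt-gateway
  repo: https://git.oopen.de/firewall/ipt-gateway
  dest: /usr/local/src/ipt-gateway

# ==============================

# ---
# vars used by scripts/reset_root_passwd.yml
# ---
# See the NOTE(review) in the users section: this hash belongs in a vaulted
# vars file.
root_user:
  name: root
  password: '$6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.'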