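---
# Default variables for the common/apt/sshd/sudoers/git roles.
# Sections are grouped by the role or task file that consumes them.
#
# Fixes relative to the previous revision:
#   - duplicate `wipe` / `groff` entries removed from every apt_initial_install_* list
#   - git_jitsi_meet_repositories entry renamed from the copy-pasted `sympa` to `jitsi`
#   - values that could be re-typed by a YAML 1.1 parser are quoted

# ---
# vars used by roles/ansible_dependencies
# ---
apt_ansible_dependencies:
  - python
  - python-apt
  - python3
  - python3-apt
  - lsb-release
  - apt-transport-https
  - dbus
  - sudo
  - vim
  - net-tools
  - vlan
  - ca-certificates
  - openssl
  - mc
  - software-properties-common

# ---
# vars used by roles/ansible_user
# ---
# NOTE(review): `password` is a crypt(3) hash committed in clear in this vars
# file. It is offline-crackable if the underlying password is weak; keep this
# value (and any future one) in an ansible-vault encrypted file and reference
# it from here instead. The ssh_keys entries are public keys and are fine.
ansible_remote_user:
  - name: chris
    password: '$6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL.'
    shell: /bin/bash
    ssh_keys:
      - 'ssh-rsa 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 chris@luna'
      - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCyWbdnjnN/xfy1F6kPbsRXp8zvJEh8uHfTZuZKyaRV/iRuhsvqRiDB+AhUAlIaPwgQ8itaI6t5hijD+sZf+2oXXbNy3hkOHTrCDKCoVAWfMRKPuA1m8RqS4ZXXgayaeCzVnPEq6UrC5z0wO/XBwAktT37RRSQ/Hq2zCHy36NQEQYrhF3+ytX7ayb10pJAMVGRctYmr5YnLEVMSIREbPxZTNc80H1zqNPVJwYZhl8Ox61U4MoNhJmJwbKWPRPZsJpbTh9W2EU37tdwRBVQP6yxhua3TR6C7JnNPVY0IK23BYlNtQEDY4PHcIuewkamEWpP0+jhEjtwy1TqjRPdU/y+2uQjC6FSOVMsSPxgd8mw4cSsfp+Ard7P+YOevUXD81+jFZ3Wz0PRXbWMWAm2OCe7n8jVvkXMz+KxSYtrsvKNw1WugJq1z//bJNMTK6ISWpqaXDevGYQRJJ8dPbMmbey40WpS5CA/l29P7fj/cOl59w3LZGshrMOm7lVz9qysVV0ylfE3OpfKCGitkpY0Asw4lSkuLHoNZnDo6I5/ulRuKi6gsLk27LO5LYS8Zm1VOis/qHk1Gg1+QY47C4RzdTUxlU1CGesPIiQ1uUX2Z4bD7ebTrrOuEFcmNs3Wu5nif21Qq0ELEWhWby6ChFrbFHPn+hWlDwNM0Nr11ftwg0+sqVw== root@luna'

# ---
# vars used by roles/common/tasks/basic.yml
# ---
time_zone: Europe/Berlin
locales:
  - en_US.UTF-8
  - de_DE.UTF-8
set_default_limit_nofile: false

# ---
# vars used by apt.yml
# ---
apt_manage_sources_list: true
apt_src_enable: true
apt_backports_enable: true
# Plain-http mirrors are acceptable because apt verifies release signatures;
# switch to https if the mirror offers it to hide package selection from the path.
apt_debian_mirror: http://ftp.de.debian.org/debian/
apt_debian_contrib_nonfree_enable: true
# Ubuntu mirror
apt_ubuntu_mirror: http://archive.ubuntu.com/ubuntu
apt_update_cache_valid_time: 3600
apt_upgrade: true
apt_update: true
apt_clean: true
apt_autoremove: true
apt_dpkg_configure: true
apt_upgrade_type: dist
apt_upgrade_dpkg_options:
  - force-confdef
  - force-confold

# Package sets installed on first provisioning, one list per release codename.
# Debian 9 (stretch)
apt_initial_install_stretch:
  - apt-transport-https
  - dbus
  - openssh-server
  - rssh
  - vim
  - vim-common
  - vim-doc
  - mc
  - screen
  - tmux
  - bc
  - figlet
  - rcconf
  - sudo
  - rsync
  - dselect
  - iputils-ping
  - apt-utils
  - aptitude
  - zip
  - unzip
  - bzip2
  - arj
  - locate
  - curl
  - gawk
  - mawk
  - lynx
  - links
  - w3m
  - exuberant-ctags
  - mime-support
  - file
  - coreutils
  - moreutils
  - less
  - realpath
  - sipcalc
  - psmisc
  - dnsutils
  - rblcheck
  - whois
  - gettext
  - gettext-base
  - gettext-doc
  - debian-keyring
  - patch
  - patchutils
  - recode
  - recode-doc
  - librecode0
  - librecode-dev
  - sharutils
  - perl
  - perl-modules-5.24
  - perl-doc
  - libperl-dev
  - libterm-readline-gnu-perl
  - libterm-readline-perl-perl
  - libterm-readkey-perl
  - libmail-imapclient-perl
  - libtime-duration-perl
  - libtimedate-perl
  - libwww-perl
  - libpcre3
  - libreadline5
  - re2c
  - util-linux
  - parted
  - lshw
  - gdisk
  - smartmontools
  - tcpdump
  - telnet
  - unhide
  - lsof
  - hdparm
  - groff
  - iproute2
  - bridge-utils
  - vlan
  - ethtool
  - wipe
  - iperf
  - mtr
  - iptraf
  - wget
  - logrotate
  - rsyslog
  - haveged
  - rdate
  - ntpdate
  - man-db
  - iptables
  - shellcheck
  - ssl-cert
  - ssl-cert-check
  - git
  - ftp
  - htop
  - net-tools
  - lsb-release
  - attr
  - acl
  - quota
  - quotatool
  - needrestart
  - socat
  - zsh

# Debian 10 (buster)
apt_initial_install_buster:
  - apt-transport-https
  - dbus
  - openssh-server
  - rush
  - vim
  - vim-common
  - vim-doc
  - mc
  - screen
  - tmux
  - bc
  - figlet
  - rcconf
  - sudo
  - rsync
  - dselect
  - iputils-ping
  - apt-utils
  - aptitude
  - zip
  - unzip
  - bzip2
  - arj
  - locate
  - curl
  - gawk
  - mawk
  - lynx
  - links
  - w3m
  - ctags
  - mime-support
  - file
  - coreutils
  - moreutils
  - less
  - sipcalc
  - psmisc
  - dnsutils
  - rblcheck
  - whois
  - gettext
  - gettext-base
  - gettext-doc
  - debian-keyring
  - patch
  - patchutils
  - recode
  - recode-doc
  - librecode0
  - librecode-dev
  - sharutils
  - perl
  - perl-modules-5.28
  - perl-doc
  - libperl-dev
  - libterm-readline-gnu-perl
  - libterm-readline-perl-perl
  - libterm-readkey-perl
  - libmail-imapclient-perl
  - libtime-duration-perl
  - libtimedate-perl
  - libwww-perl
  - libpcre3
  - libio-compress-perl
  - libreadline5
  - re2c
  - util-linux
  - parted
  - lshw
  - gdisk
  - smartmontools
  - tcpdump
  - telnet
  - unhide
  - lsof
  - hdparm
  - groff
  - iproute2
  - bridge-utils
  - vlan
  - ethtool
  - wipe
  - iperf
  - mtr
  - iptraf
  - wget
  - logrotate
  - rsyslog
  - haveged
  - rdate
  - ntpdate
  - man
  - iptables
  - shellcheck
  - ssl-cert
  - ssl-cert-check
  - git
  - ftp
  - htop
  - net-tools
  - lsb-release
  - attr
  - acl
  - quota
  - quotatool
  - needrestart
  - socat
  - zsh

# Ubuntu 16.04 (xenial)
apt_initial_install_xenial:
  - apt-transport-https
  - dbus
  - openssh-server
  - rush
  - vim
  - vim-common
  - vim-doc
  - mc
  - screen
  - tmux
  - bc
  - figlet
  - sudo
  - rsync
  - dselect
  - iputils-ping
  - apt-utils
  - aptitude
  - zip
  - unzip
  - bzip2
  - arj
  - locate
  - curl
  - gawk
  - mawk
  - lynx
  - links
  - w3m
  - ctags
  - mime-support
  - file
  - coreutils
  - moreutils
  - less
  - sipcalc
  - psmisc
  - dnsutils
  - rblcheck
  - whois
  - gettext
  - gettext-base
  - gettext-doc
  - debian-keyring
  - patch
  - patchutils
  - recode
  - recode-doc
  - librecode0
  - librecode-dev
  - sharutils
  - perl
  - perl-modules-5.22
  - perl-doc
  - libperl-dev
  - libterm-readline-gnu-perl
  - libterm-readline-perl-perl
  - libterm-readkey-perl
  - libmail-imapclient-perl
  - libtime-duration-perl
  - libtimedate-perl
  - libwww-perl
  - libpcre3
  - libio-compress-perl
  - libreadline5
  - re2c
  - util-linux
  - parted
  - lshw
  - gdisk
  - smartmontools
  - tcpdump
  - telnet
  - unhide
  - lsof
  - hdparm
  - groff
  - iproute2
  - bridge-utils
  - vlan
  - ethtool
  - wipe
  - iperf
  - mtr
  - iptraf
  - wget
  - logrotate
  - rsyslog
  - haveged
  - rdate
  - ntpdate
  - man
  - iptables
  - shellcheck
  - ssl-cert
  - ssl-cert-check
  - git
  - ftp
  - htop
  - net-tools
  - lsb-release
  - attr
  - acl
  - quota
  - quotatool
  - needrestart
  - ifupdown
  - socat

# Ubuntu 18.04 (bionic)
apt_initial_install_bionic:
  - apt-transport-https
  - dbus
  - openssh-server
  - rush
  - vim
  - vim-common
  - vim-doc
  - mc
  - screen
  - tmux
  - bc
  - figlet
  - sudo
  - rsync
  - dselect
  - iputils-ping
  - apt-utils
  - aptitude
  - zip
  - unzip
  - bzip2
  - arj
  - locate
  - curl
  - gawk
  - mawk
  - lynx
  - links
  - w3m
  - ctags
  - mime-support
  - file
  - coreutils
  - moreutils
  - less
  - sipcalc
  - psmisc
  - dnsutils
  - rblcheck
  - whois
  - gettext
  - gettext-base
  - gettext-doc
  - debian-keyring
  - patch
  - patchutils
  - recode
  - recode-doc
  - librecode0
  - librecode-dev
  - sharutils
  - perl
  - perl-modules-5.26
  - perl-doc
  - libperl-dev
  - libterm-readline-gnu-perl
  - libterm-readline-perl-perl
  - libterm-readkey-perl
  - libmail-imapclient-perl
  - libtime-duration-perl
  - libtimedate-perl
  - libwww-perl
  - libpcre3
  - libio-compress-perl
  - libreadline5
  - re2c
  - util-linux
  - parted
  - lshw
  - gdisk
  - smartmontools
  - tcpdump
  - telnet
  - unhide
  - lsof
  - hdparm
  - groff
  - iproute2
  - bridge-utils
  - vlan
  - ethtool
  - wipe
  - iperf
  - mtr
  - iptraf
  - wget
  - logrotate
  - rsyslog
  - haveged
  - rdate
  - ntpdate
  - man
  - iptables
  - shellcheck
  - ssl-cert
  - ssl-cert-check
  - git
  - ftp
  - htop
  - net-tools
  - lsb-release
  - attr
  - acl
  - quota
  - quotatool
  - needrestart
  - ifupdown
  - socat

# Optional package sets; each list is only installed when its apt_install_* flag is true.
apt_install_compiler_pkgs: false
apt_compiler_pkgs:
  - g++
  - g++-multilib
  - gcc
  - gcc-multilib
  - cpp
  - make
  - automake
  - autoconf
  - libtool
  - flex
  - bison
  - gettext
  - pkg-config
  - gnu-standards
  - libssl-dev
  - libreadline-dev
  - libncurses-dev
  - libsystemd-dev
  - libnss3-dev
  - python-dev

apt_install_webserver_pkgs: false
apt_webserver_pkgs:
  - libdb-dev
  - zlib1g
  - zlib1g-dev
  - libssl-dev
  - libneon27-dev
  - libxml2
  - libxml2-dev
  - curl
  - libcurl4-openssl-dev
  - libqdbm-dev
  - libgdbm-dev
  - libpspell-dev
  - libjpeg-dev
  - libpng-dev
  - libxpm-dev
  - libfreetype6-dev
  - libwmf-dev
  - libtiff-dev
  - libpaper-dev
  - libmagic-dev
  - libgraphics-magick-perl
  - libgraphicsmagick++1-dev
  - libgraphicsmagick-q16-3
  - libgraphicsmagick1-dev
  - libgraphviz-dev
  - libcroco3-dev
  - libgsf-1-dev
  - libilmbase-dev
  - libvpx-dev
  - vpx-tools
  - libgpm-dev
  - libkpathsea-dev
  - libopenexr-dev
  - librsvg2-dev
  - libdjvulibre-dev
  - libatm-dev
  - libexpat-dev
  - imagemagick
  - graphicsmagick
  - exif
  - libexiv2-dev
  - re2c
  - netpbm
  - libnetpbm10-dev
  - libmcrypt-dev
  - mcrypt
  - default-libmysqlclient-dev
  - libpq-dev
  - postgresql-client
  - libreadline-dev
  - libncurses-dev
  - libdb5.3
  - libdb5.3++
  - libdb5.3++-dev
  - libdb5.3-dev
  - libxslt1-dev
  - libpcre3-dev
  - libc-client2007e-dev
  - libc-client-dev
  - libicu-dev
  - libtidy-dev
  - libmm-dev
  - libgmp-dev
  - libkrb5-dev
  - libldap-dev
  - libmhash-dev
  - libgd-dev
  - liblua5.3-dev
  - libapr1-dev
  - libaprutil1-dev
  - libsctp-dev
  - libcrypto++-dev
  - ffmpeg
  - libmagickwand-dev
  - libgeoip-dev
  - libaio-dev
  - tk-dev
  - tcl-dev
  - tclreadline
  - expect
  - expect-dev
  - libexpect-perl

apt_install_postgresql_pkgs: false
apt_postgresql_pkgs:
  - postgresql

apt_install_bind9_packages: false
apt_bind9_pkgs:
  - bind9

apt_install_lxc_host_pkgs: false
apt_lxc_host_pkgs:
  - bridge-utils
  - lxc
  - btrfs-tools
  - lua5.3
  - ntp

# Host-specific extra packages (mapping, empty by default) and their target state.
apt_install: {}
apt_install_state: latest

# Packages removed on every host.
apt_remove:
  - rpcbind
  - apt-transport-tor
  - tor
  - tor-geoipdb
  - torsocks
  - netplan.io
apt_remove_purge: false

microcode_package:
  - intel-microcode
  - amd64-microcode

# ---
# vars used by roles/common/tasks/users.yml
# ---
insert_ssh_keypair_backup_server: false
ssh_keypair_backup_server: []
insert_root_ssh_keypair: false
root_ssh_keypair: []
default_user: []
extra_user: []
sudo_users: []
extra_system_user: []
create_sftp_group: false

# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---

# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
insert_webadmin_ssh_keypair: false
webadmin_ssh_keypair: []
webadmin_user: []

# ---
# vars used by roles/common/tasks/sshd.yml
# ---
sshd_ports:
  - 22
sshd_listen_address:
  - '::'
  - '0.0.0.0'
sshd_host_keys:
  - /etc/ssh/ssh_host_rsa_key
  - /etc/ssh/ssh_host_ed25519_key

# only for debian version <= 9
# sshd_use_privilege_separation: !!str "sandbox"

# sshd_config yes/no values are tagged !!str so that a YAML 1.1 loader does
# not turn them into booleans before they are templated into sshd_config.
sshd_permit_root_login: !!str "no"
sshd_authorized_keys_file: ".ssh/authorized_keys .ssh/authorized_keys2"
sshd_pubkey_authentication: !!str "yes"
sshd_password_authentication: !!str "no"
sshd_use_pam: !!str "yes"
sshd_print_motd: !!str "no"

# sshd_kexalgorithms
#
# Example:
# sshd_kexalgorithms:
#   - curve25519-sha256@libssh.org
#   - diffie-hellman-group-exchange-sha256
#   - diffie-hellman-group14-sha1
#
# sshd_kexalgorithms: {}
sshd_kexalgorithms:
  - curve25519-sha256
  - curve25519-sha256@libssh.org
  - diffie-hellman-group16-sha512
  - diffie-hellman-group18-sha512
  - diffie-hellman-group-exchange-sha256

# sshd_ciphers
#
# Example:
# sshd_ciphers:
#   - chacha20-poly1305@openssh.com
#   - aes256-gcm@openssh.com
#   - aes256-ctr
#
# sshd_ciphers: {}
sshd_ciphers:
  - chacha20-poly1305@openssh.com
  - aes256-gcm@openssh.com
  - aes128-gcm@openssh.com
  - aes256-ctr
  - aes192-ctr
  - aes128-ctr

# sshd_macs: {}
sshd_macs:
  - hmac-sha2-256-etm@openssh.com
  - hmac-sha2-512-etm@openssh.com
  - umac-128-etm@openssh.com

# sshd_hostkeyalgorithms: {}
sshd_hostkeyalgorithms:
  - ssh-ed25519
  - ssh-ed25519-cert-v01@openssh.com
  - rsa-sha2-256
  - rsa-sha2-512
  - rsa-sha2-256-cert-v01@openssh.com
  - rsa-sha2-512-cert-v01@openssh.com

sshd_use_dns: !!str "no"
sshd_allowed_users: {}
sshd_gateway_ports: !!str "no"

# ---
# vars used by roles/common/tasks/sudoers.yml
# ---

# /etc/sudoers
#
sudoers_defaults:
  - env_reset
  - mail_badpass
  - 'secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"'
sudoers_host_aliases: []
sudoers_user_aliases: []
sudoers_cmnd_aliases: []
sudoers_runas_aliases: []
sudoers_user_privileges:
  - name: root
    entry: 'ALL=(ALL:ALL) ALL'
sudoers_group_privileges: []
sudoers_remove_user:
  - back
  - www-data

# /etc/sudoers.d/50-user
#
# NOTE(review): several NOPASSWD entries below grant more than their name
# suggests. A trailing `*` in a sudoers command spec also matches additional
# arguments, and tools such as find, rsync, dd, psql and view can run other
# programs or write arbitrary files, so these entries are effectively
# unrestricted access as the target user. Where the backup user only needs a
# fixed invocation, prefer a root-owned wrapper script with hard-coded
# arguments and grant NOPASSWD on the wrapper only.
sudoers_file_defaults: []
sudoers_file_host_aliases: []
sudoers_file_user_aliases: []
sudoers_file_cmnd_aliases: []
sudoers_file_runas_aliases: []
sudoers_file_user_back_privileges:
  - 'ALL=(root) NOPASSWD: /usr/bin/rsync'
  - 'ALL=(root) NOPASSWD: /usr/bin/find'
  - 'ALL=(root) NOPASSWD: /usr/bin/realpath'
sudoers_file_user_back_postgres_privileges:
  - 'ALL=(postgres) NOPASSWD: /usr/bin/psql'
  - 'ALL=(postgres) NOPASSWD: /usr/bin/pg_dump'
  - 'ALL=(postgres) NOPASSWD: /usr/bin/pg_dumpall'
sudoers_file_user_back_svn_privileges: []
sudoers_file_user_back_disk_privileges:
  - 'ALL=(root) NOPASSWD: /usr/bin/which'
  - 'ALL=(root) NOPASSWD: /sbin/hdparm -I /dev/*'
  - 'ALL=(root) NOPASSWD: /sbin/fdisk'
  - 'ALL=(root) NOPASSWD: /sbin/sgdisk'
  - 'ALL=(root) NOPASSWD: /sbin/sfdisk -d /dev/*'
  - 'ALL=(root) NOPASSWD: /bin/dd if=/dev/*'
  - 'ALL=(root) NOPASSWD: /sbin/parted'
  - 'ALL=(root) NOPASSWD: /sbin/gdisk'
sudoers_file_user_webadmin_disk_privileges:
  - 'ALL=(root) NOPASSWD: /usr/bin/mailq'
  - 'ALL=(root) NOPASSWD: /usr/bin/tail'
  - 'ALL=(root) NOPASSWD: /usr/bin/view'
sudoers_file_dns_server_privileges:
  - name: manage-bind
    entry: 'ALL=(root) NOPASSWD: /usr/local/bin/bind_*'
  - name: manage-bind
    entry: 'ALL=(root) NOPASSWD: /root/bin/bind/bind_*'
  - name: chris
    entry: 'ALL=(root) NOPASSWD: /root/bin/bind/*'
sudoers_file_postfixadmin_privileges:
  - name: www-data
    entry: 'ALL=(vmail)NOPASSWD: /usr/local/bin/postfixadmin-mailbox-postdeletion.sh'
  - name: www-data
    entry: 'ALL=(vmail)NOPASSWD: /usr/local/bin/postfixadmin-domain-postdeletion.sh'
sudoers_file_user_privileges: []
sudoers_file_group_privileges: []

# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
acl_caching_nameserver: {}

# ---
# vars used by roles/common/tasks/git.yml
# ---
# Every entry is a mapping with `name` (label), `repo` (clone URL) and `dest`
# (checkout path). Script repositories go to /root/bin/, install repositories
# to /usr/local/src/.

# ---
# Firewall repository
# ---
git_firewall_repository: {}

# ---
# all servers
# ---
git_default_repositories:
  # script repositories (destination /root/bin/)
  - name: admin-stuff
    repo: https://git.oopen.de/script/admin-stuff
    dest: /root/bin/admin-stuff
  - name: postfix
    repo: https://git.oopen.de/script/postfix
    dest: /root/bin/postfix
  # install repositories (destination: /usr/local/src/)
  - name: mailsystem
    repo: https://git.oopen.de/install/mailsystem
    dest: /usr/local/src/mailsystem

# ---
# group [oopen_server]
# ---
git_oopen_server_repositories:
  # firewall
  - name: ipt-server
    repo: https://git.oopen.de/firewall/ipt-server
    dest: /usr/local/src/ipt-server

# ---
# group [warenform_server]
# ---
git_warenform_server_repositories:
  # firewall
  - name: ipt-server
    repo: https://git.oopen.de/firewall/ipt-server
    dest: /usr/local/src/ipt-server

# ---
# group [lxc_host]
# ---
git_lxc_host_repositories:
  # Monitoring
  - name: monitoring
    repo: https://git.oopen.de/script/monitoring
    dest: /root/bin/monitoring
  # LXC
  - name: LXC
    repo: https://git.oopen.de/script/LXC
    dest: /root/bin/LXC

# ---
# group [lxc_guest]
# ---
git_lxc_guest_repositories:
  # dehydrated-cron
  - name: dehydrated-cron
    repo: https://git.codecoop.org/so36intern/dehydrated-cron.git
    dest: /usr/local/src/dehydrated-cron
  # Monitoring
  - name: monitoring
    repo: https://git.oopen.de/script/monitoring
    dest: /root/bin/monitoring

# ---
# group [gateway_server]
# ---
git_gateway_repositories:
  # firewall
  - name: ipt-gateway
    repo: https://git.oopen.de/firewall/ipt-gateway
    dest: /usr/local/src/ipt-gateway

# ---
# group [apache2_webserver]
# ---
git_apache2_repositories:
  # script repositories (destination /root/bin/)
  - name: apache2
    repo: https://git.oopen.de/script/apache2
    dest: /root/bin/apache2
  # Monitoring
  - name: monitoring
    repo: https://git.oopen.de/script/monitoring
    dest: /root/bin/monitoring
  # install repositories (destination: /usr/local/src/)
  - name: apache2
    repo: https://git.oopen.de/install/apache2
    dest: /usr/local/src/apache2
  - name: php
    repo: https://git.oopen.de/install/php
    dest: /usr/local/src/php
  # dehydrated-cron
  - name: dehydrated-cron
    repo: https://git.codecoop.org/so36intern/dehydrated-cron.git
    dest: /usr/local/src/dehydrated-cron

# ---
# group [nginx_webserver]
# ---
git_nginx_repositories:
  - name: nginx
    repo: https://git.oopen.de/install/nginx
    dest: /usr/local/src/nginx
  - name: php
    repo: https://git.oopen.de/install/php
    dest: /usr/local/src/php

# ---
# group [mysql_server]
# ---
git_mysql_repositories:
  # script repositories (destination /root/bin/)
  - name: mysql
    repo: https://git.oopen.de/script/mysql
    dest: /root/bin/mysql
  # install repositories (destination: /usr/local/src/)
  - name: mysql
    repo: https://git.oopen.de/install/mysql
    dest: /usr/local/src/mysql

# ---
# group [postgresql_server]
# ---
git_postgresql_repositories:
  # script repositories (destination /root/bin/)
  - name: postgres
    repo: https://git.oopen.de/script/postgres
    dest: /root/bin/postgres

# ---
# group [nextcloud_server]
# ---
git_nextcloud_repositories:
  # script repositories (destination /root/bin/)
  - name: nextcloud
    repo: https://git.oopen.de/script/nextcloud
    dest: /root/bin/nextcloud
  # install repositories (destination: /usr/local/src/)
  - name: nextcloud
    repo: https://git.oopen.de/install/nextcloud
    dest: /usr/local/src/nextcloud

# ---
# group [dns_server]
# ---
git_dns_repositories:
  # script repositories (destination /root/bin/)
  - name: bind
    repo: https://git.oopen.de/script/bind
    dest: /root/bin/bind

# ---
# group [backup_server]
# ---
git_backup_repositories:
  # script repositories (destination /root/bin/)
  - name: backup-rcopy
    repo: https://git.oopen.de/backup/backup-rcopy
    dest: /root/crontab/backup-rcopy

# ---
# group [samba_server]
# ---
git_samba_repositories:
  # script repositories (destination /root/bin/)
  - name: samba
    repo: https://git.oopen.de/script/samba
    dest: /root/bin/samba

# ---
# group [mail_server]
# ---
git_mailserver_repositories:
  # script repositories (destination /root/bin/)
  - name: apache2
    repo: https://git.oopen.de/script/apache2
    dest: /root/bin/apache2
  - name: postfix
    repo: https://git.oopen.de/script/postfix
    dest: /root/bin/postfix
  - name: monitoring
    repo: https://git.oopen.de/script/monitoring
    dest: /root/bin/monitoring
  # install repositories (destination: /usr/local/src/)
  - name: apache2
    repo: https://git.oopen.de/install/apache2
    dest: /usr/local/src/apache2
  - name: php
    repo: https://git.oopen.de/install/php
    dest: /usr/local/src/php
  - name: mysql
    repo: https://git.oopen.de/install/mysql
    dest: /usr/local/src/mysql
  - name: mailsystem
    repo: https://git.oopen.de/install/mailsystem
    dest: /usr/local/src/mailsystem
  - name: fail2ban
    repo: https://git.oopen.de/install/fail2ban
    dest: /usr/local/src/fail2ban
  # let's encrypt
  - name: dehydrated-cron
    repo: https://git.codecoop.org/so36intern/dehydrated-cron.git
    dest: /usr/local/src/dehydrated-cron

# ---
# group [sympa_list_servers]
# ---
git_sympa_repositories:
  # install repositories (destination: /usr/local/src/)
  - name: sympa
    repo: https://git.oopen.de/install/sympa
    dest: /usr/local/src/sympa

# ---
# group [jitsi_meet_server]
# ---
git_jitsi_meet_repositories:
  # install repositories (destination: /usr/local/src/)
  # `name` was copy-pasted as `sympa` in the previous revision; it now matches the repo.
  - name: jitsi
    repo: https://git.oopen.de/install/jitsi
    dest: /usr/local/src/jitsi

# ---
# Use this for host specific repositories defined in files git-.yaml
#
# Leave empty here
# ---
git_other_repositories: []

# ==============================

# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user: {}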