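---
# Ansible host variables: network interfaces, resolver, cron, users,
# caching nameserver and git checkout for one gateway host.
#
# Canonicalised for safe-loader behaviour: booleans are lowercase
# true/false, and scalars that look like YAML specials ('~.', '::1/128',
# 'none', password hashes) are quoted so no parser can retype them.

# ---
# vars used by roles/network_interfaces
# ---

# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
network_manage_devices: true

# Should the interfaces be reloaded after config change?
network_interface_reload: false

network_interface_path: /etc/network/interfaces.d

network_interface_required_packages:
  - vlan
  - bridge-utils
  - ifmetric
  - ifupdown
  - ifenslave

network_interfaces:
  - device: eth2
    headline: eth2 - Uplink static line (radio) to Altenschlirf
    auto: true
    family: inet
    method: static
    address: 172.16.111.254
    netmask: 24
    up:
      # For management antennas
      - /sbin/ip link add link eth2 name eth2.111 type vlan id 111
    post-up:
      # Static routes to Altenschlirf (router IP address Altenschlirf: 172.16.111.253)
      #
      # Telephones Altenschlirf
      - /sbin/ip route add 172.16.210.0/24 via 172.16.111.253
      # User network Altenschlirf
      - /sbin/ip route add 192.168.10.0/24 via 172.16.111.253
      # Management network Altenschlirf
      - /sbin/ip route add 10.10.10.0/24 via 172.16.111.253
      # WLAN routers (access points) Altenschlirf
      - /sbin/ip route add 10.122.1.0/24 via 172.16.111.253
      #
      # WLAN networks Altenschlirf
      - /sbin/ip route add 10.123.0.0/16 via 172.16.111.253
      # DSL via Fritzbox Altenschlirf
      - /sbin/ip route add 172.16.10.0/24 via 172.16.111.253
      # WLAN community Altenschlirf (UniFi routed network)
      - /sbin/ip route add 10.221.0.0/20 via 172.16.111.253
      # VPN home network Altenschlirf (currently disabled)
      # - /sbin/ip route add 10.0.10.0/24 via 172.16.111.253
      # Private networks 'ckubu'
      #
      # Connections from the private ckubu networks are routed through the VPN
      # at Altenschlirf (gw-ckubu), so we route them back to that gateway.
      - /sbin/ip route add 192.168.63.0/24 via 172.16.111.253
      - /sbin/ip route add 192.168.64.0/24 via 172.16.111.253

  - device: eth2.111
    headline: eth2.111 - network 10.10.111.0 (management antennas)
    auto: true
    family: inet
    method: static
    address: 10.10.111.254
    netmask: 24

  - device: eth8
    headline: eth8 - holds VLAN 211 device for Network Telefons Stockhausen
    auto: false
    family: inet
    method: manual
    up:
      - /sbin/ip link add link eth8 name eth8.211 type vlan id 211

  - device: eth8.211
    headline: eth8.211 - Network Telefons Stockhausen
    auto: true
    family: inet
    method: static
    # Note:
    # !! 172.16.211.254 is reserved for the LANCOM router (DSL telephone line).
    #    This LANCOM router IS NOT pingable !!
    address: 172.16.211.1
    netmask: 24
    pre-up:
      - /sbin/ifconfig eth8 up

  - device: eth9
    headline: eth9 - Uplink DSL surf2 via (static) line to Fritz!Box 7490 (formaly Zyxel 6501)
    auto: true
    family: inet
    method: static
    address: 172.16.11.1
    netmask: 24
    gateway: 172.16.11.254

  - device: eth10
    headline: eth10 - Uplink DSL surf3 via (static) line to Fritz!Box 7490
    auto: true
    family: inet
    method: static
    address: 172.16.13.1
    netmask: 24
    gateway: 172.16.13.254

  - device: eth11
    headline: eth11 - Uplink DSL surf1 via (static) line to Fritz!Box 7490 (Mailserver)
    auto: true
    family: inet
    method: static
    address: 172.16.12.1
    netmask: 24
    gateway: 172.16.12.254

  # ----------
  # Note: the 'ifenslave' package (listed in network_interface_required_packages)
  # is necessary to enable bonding:
  #
  #   apt-get install ifenslave
  # ----------
  - device: bond0
    headline: bond0 - LAG (Link Aggregation) on devices eth0 and eth4
    auto: true
    family: inet
    method: static
    address: 10.1.9.254
    netmask: 24
    bond:
      slaves: eth0 eth4
      # Mode 4 (802.3ad)
      #
      # Also possible here:
      #   - Mode 5: balance-tlb
      #   - Mode 6: balance-alb
      mode: 4
      miimon: 100
      lacp-rate: 1
      ad-select: count
      downdelay: 200
      updelay: 200
    post-up:
      # VLAN 11 for management network Stockhausen/Schloss 10.10.11.0/24
      - /sbin/ip link add link bond0 name bond0.11 type vlan id 11
      # VLAN 78 for network Georgshaus 192.168.78.0/24
      - /sbin/ip link add link bond0 name bond0.78 type vlan id 78

  - device: bond0.11
    headline: bond0.11 - VLAN 11 on interface bond0 (Management Network Stockhausen)
    auto: true
    family: inet
    method: static
    address: 10.10.11.254
    netmask: 24

  - device: bond0.78
    headline: bond0.78 - VLAN 78 on interface bond0 (Georgshaus ?)
    auto: true
    family: inet
    method: static
    address: 192.168.78.254
    netmask: 24

  # ----------
  # Note: the 'ifenslave' package is necessary to enable bonding:
  #
  #   apt-get install ifenslave
  # ----------
  - device: bond1
    headline: bond1 - LAG (Link Aggregation) on devices eth1 and eth5 - Main Network Stockhausen
    auto: true
    family: inet
    method: static
    address: 192.168.11.254
    netmask: 24
    nameservers:
      - 192.168.11.1
      # NOTE(review): 192.168.10.3 is also listed below as the Altenschlirf
      # domain controller, and 192.168.10.0/24 is routed to Altenschlirf via
      # eth2 — confirm this is the intended resolver for the Stockhausen LAN.
      - 192.168.10.3
    search: ga.netz ga.intra
    bond:
      slaves: eth1 eth5
      # Mode 4 (802.3ad)
      #
      # Also possible here:
      #   - Mode 5: balance-tlb
      #   - Mode 6: balance-alb
      mode: 4
      miimon: 100
      lacp-rate: 1
      ad-select: count
      downdelay: 200
      updelay: 200
    post-up:
      # VLAN 121 - for Ubiquiti UniFi access points
      - /sbin/ip link add link bond1 name bond1.121 type vlan id 121
      # VLAN 131 - for Ubiquiti UniFi access points, guest network
      - /sbin/ip link add link bond1 name bond1.131 type vlan id 131
      # Route to 10.11.16.0/24 via 192.168.11.6 — purpose undocumented; confirm
      # with the network owner before removing.
      - /sbin/ip route add 10.11.16.0/24 via 192.168.11.6

  - device: bond1.121
    headline: bond1.121 - VLAN 121 on interface bond1 for Ubiquiti UniFi Accesspoints
    auto: true
    family: inet
    method: static
    address: 10.121.15.254
    netmask: 20

  - device: bond1.131
    headline: bond1.131 - VLAN 131 on interface bond1 for Ubiquiti UniFi Accesspoints Guest Net
    auto: true
    family: inet
    method: static
    address: 10.131.15.254
    netmask: 20

  # Alias interfaces (device:label) are quoted: ':' is a YAML indicator.
  - device: 'bond1:ns'
    headline: bond1:ns - Alias IP on bond1 device for Nameservice
    auto: true
    family: inet
    method: static
    address: 192.168.11.1
    netmask: 32

  - device: 'bond1:1'
    headline: bond1:1 - Alias IP on bond1 device for (depricated) Management Network
    auto: true
    family: inet
    method: static
    address: 10.10.9.254
    netmask: 24

  - device: 'bond1:ap'
    headline: bond1:ap - Alias IP on bond1 device for Network Accesspoints
    auto: true
    family: inet
    method: static
    address: 10.112.1.254
    netmask: 24
    post-up:
      # Wireless networks routed through the appropriate access points:
      # 10.113.N.0/24 is reachable via access point 10.112.1.N.
      - /sbin/ip route add 10.113.1.0/24 via 10.112.1.1
      - /sbin/ip route add 10.113.2.0/24 via 10.112.1.2
      - /sbin/ip route add 10.113.3.0/24 via 10.112.1.3
      - /sbin/ip route add 10.113.4.0/24 via 10.112.1.4
      - /sbin/ip route add 10.113.5.0/24 via 10.112.1.5
      - /sbin/ip route add 10.113.6.0/24 via 10.112.1.6
      - /sbin/ip route add 10.113.7.0/24 via 10.112.1.7
      - /sbin/ip route add 10.113.8.0/24 via 10.112.1.8
      - /sbin/ip route add 10.113.9.0/24 via 10.112.1.9
      - /sbin/ip route add 10.113.10.0/24 via 10.112.1.10
      - /sbin/ip route add 10.113.11.0/24 via 10.112.1.11
      - /sbin/ip route add 10.113.12.0/24 via 10.112.1.12
      - /sbin/ip route add 10.113.13.0/24 via 10.112.1.13
      - /sbin/ip route add 10.113.14.0/24 via 10.112.1.14
      - /sbin/ip route add 10.113.15.0/24 via 10.112.1.15

  - device: 'bond1:ipmi'
    headline: bond1:ipmi - Alias IP on bond1 for IPMI Addresses Servr Stockhausen
    auto: true
    family: inet
    method: static
    address: 10.11.11.254
    netmask: 24

# ---
# vars used by roles/ansible_dependencies
# ---

# ---
# vars used by roles/ansible_user
# ---

# ---
# vars used by roles/common/tasks/basic.yml
# ---

# ---
# vars used by roles/common/tasks/sshd.yml
# ---

# ---
# vars used by roles/common/tasks/apt.yml
# ---

# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true

# Reference list of public resolvers (not configured; kept for documentation):
#
# CyberGhost - fast connection with a no-logs privacy policy
#   Primary DNS address: 38.132.106.139
#   Secondary DNS address: 194.187.251.67
#
# Cloudflare (USA) - best free DNS server for gaming with reliable connections
#   primary DNS address
#     IPv4: 1.1.1.1
#     IPv6: 2606:4700:4700::1111
#   secondary DNS address
#     IPv4: 1.0.0.1
#     IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - great combination of speed and security
#   primary DNS address
#     IPv4: 8.8.8.8
#     IPv6: 2001:4860:4860::8888
#   secondary DNS address
#     IPv4: 8.8.4.4
#     IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - effortlessly blocks malicious sites and prevents phishing scams
#   primary DNS address
#     IPv4: 9.9.9.9
#     IPv6: 2620:fe::fe
#   secondary DNS address
#     IPv4: 149.112.112.112
#     IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
#   IPv4: 195.10.195.195 - ns31.de
#   IPv4: 94.16.114.254 - ns28.de
#   IPv4: 51.254.162.59 - ns9.de
#   IPv4: 194.36.144.87 - ns29.de
#   IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (plain DNS, DNS-over-TLS and DNS-over-HTTPS)
#   IPv4: 5.1.66.255
#   IPv6: 2001:678:e68:f000::
#   Server name for DNS-over-TLS: dot.ffmuc.net
#   IPv4: 185.150.99.255
#   IPv6: 2001:678:ed0:f000::
#   Server name for DNS-over-TLS: dot.ffmuc.net
#   for iOS 14+: DoT server configuration (unsigned, from PrHdb)

# Local caching nameserver (bind9, configured below) is the only upstream.
resolved_nameserver:
  - 127.0.0.1

# Search domains
#
# If there is more than one search domain, specify them here in the order in
# which the resolver should search them.
#
#resolved_domains: []
resolved_domains:
  # '~.' is the systemd-resolved "route all lookups here" domain; quoted so
  # the leading '~' is never read as YAML null.
  - '~.'
  - ga.netz
  - ga.intra

resolved_dnssec: false

# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
  - 192.168.10.1

# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_user_special_time_entries:
  - name: "Restart NTP service 'ntpsec'"
    special_time: reboot
    job: "sleep 15 ; /bin/systemctl restart ntpsec"
    insertafter: PATH

# ---
# vars used by roles/common/tasks/users.yml
# ---

# Key pair copied onto this host when acting as backup *server* (disabled here).
insert_ssh_keypair_backup_server: false
ssh_keypair_backup_server:
  - name: backup
    backup_user: back
    priv_key_src: root/.ssh/id_rsa.backup.oopen.de
    priv_key_dest: /root/.ssh/id_rsa
    pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub
    pub_key_dest: /root/.ssh/id_rsa.pub

# Key pair copied onto this host when acting as backup *client*.
# NOTE(review): priv_key_src points at a private key presumably shipped from
# the role's files tree — confirm it is stored vault-encrypted, not in clear
# in version control.
insert_keypair_backup_client: true
ssh_keypair_backup_client:
  - name: backup
    priv_key_src: root/.ssh/id_ed25519.oopen-server
    priv_key_dest: /root/.ssh/id_ed25519
    pub_key_src: root/.ssh/id_ed25519.oopen-server.pub
    pub_key_dest: /root/.ssh/id_ed25519.pub
    target: backup.oopen.de

# Local accounts. 'password' holds a crypt(3) hash ($y$ = yescrypt, $6$ =
# sha512-crypt); hashes are quoted so YAML never retypes them.
# NOTE(review): password hashes are offline-attackable once disclosed —
# consider moving this list into an ansible-vault encrypted vars file.
default_user:
  - name: chris
    password: '$y$j9T$rDrvWa/KInzTe601YYf9./$WjDlaItCrgX7gu4nCs481y8WLxiRaNJCC/MgFgKuzg3'
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'

  - name: maadmin
    password: '$y$j9T$LCkYWvykWzrpFxIlmSUB01$e1ROfZxXAU53UdAwZAECzED4iV4LS02Q4IPQ2fycv51'
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1'

  - name: wadmin
    password: '$6$sLWIXKTW$i/STlSS0LijkrnGR/XMbaxJsEbrRdDYgqyCqIr.muLN5towes8yHDCXsyCYDjuaBNKPHXyFpr8lclg5DOm9OF1'
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'

  # Shared admin account: authorised keys are the union of the personal
  # accounts above, so key revocation must be applied here as well.
  - name: sysadm
    user_id: 1050
    group_id: 1050
    group: sysadm
    password: '$y$j9T$awYUu9oRvV39ojITZOC7D1$czTh5HHIE32PXb0vl40ayAarm39txR4jaH1QzBscqfC'
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'

  # Backup account (see ssh_keypair_backup_server.backup_user).
  - name: back
    user_id: 1060
    group_id: 1060
    group: back
    password: '$y$j9T$wpg8hlvMpO4PAWSVdLoJq/$dgpQh4cEnbUOQkkZzKUM4S8XzNS/Md5gMmMuNTqec74'
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'

sudo_users:
  - chris
  - sysadm
  - maadmin
  - wadmin

# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---

# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---

# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars

# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
install_bind_packages: true

# Named ACLs. Each list item is a one-key mapping (ACL name -> definition);
# entries beginning with '#' are emitted as comments into the ACL block.
bind9_gateway_acl:
  - local-net:
      name: local-net
      entries:
        - 127.0.0.0/8
        - 172.16.0.0/12
        - 192.168.0.0/16
        - 10.0.0.0/8
        - fc00::/7
        - fe80::/10
        # quoted: a plain scalar starting with ':' is parser-dependent
        - '::1/128'
  - internaldns:
      name: internaldns
      entries:
        - '# Nameserver Gateway Stockhausen'
        - 192.168.11.1
        - '# Domain Controller Stockhausen'
        # NOTE(review): same address as the Altenschlirf domain controller
        # below — confirm which site really owns 192.168.10.3.
        - 192.168.10.3
        - '# Nameserver Gateway Altenschlirf'
        - 192.168.10.1
        - '# Domain Controller Altenschlirf'
        - 192.168.10.3
        - 192.168.10.6
        - 172.16.0.1
        - '# Nameserver Gateway Novalishaus'
        - 192.168.81.1
        - 10.2.11.2
        - '# Nameserver wolle'
        - 10.113.12.3
        - '# Postfix Mailserver'
        - 192.168.11.2
        - '# Mail Relay System'
        - 192.168.10.2

# 'none' is the bind keyword, quoted so it is never confused with YAML null.
bind9_gateway_listen_on_v6:
  - 'none'
bind9_gateway_listen_on:
  - any

# Zone transfers only to the hosts in the internaldns ACL.
#bind9_gateway_allow_transfer: {}
bind9_gateway_allow_transfer:
  - internaldns

bind9_transfer_source: !!str "192.168.11.1"
bind9_notify_source: !!str "192.168.11.1"

# Queries and cache access restricted to local-net (no open resolver).
#bind9_gateway_allow_query: {}
bind9_gateway_allow_query:
  - local-net

#bind9_gateway_allow_query_cache: {}
bind9_gateway_allow_query_cache:
  - local-net

# bind expects the literal word "yes"; !!str keeps it from becoming a boolean.
bind9_gateway_recursion: !!str "yes"

#bind9_gateway_allow_recursion: {}
bind9_gateway_allow_recursion:
  - local-net

# ---
# vars used by roles/common/tasks/git.yml
# ---
git_firewall_repository:
  name: ipt-gateway
  repo: https://git.oopen.de/firewall/ipt-gateway
  dest: /usr/local/src/ipt-gateway

# ==============================

# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
  name: root
  # sha512-crypt hash; see the note on default_user about vaulting hashes.
  password: '$6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.'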