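---
# Host variables for this server.
#
# Fixes applied in this revision:
#   - booleans written canonically (true/false instead of True/False)
#   - duplicate `bridge:` / `bond:` keys in the first interface entry removed
#     (most YAML loaders silently keep the last value; both were `{}`)
#   - cron PATH entry used `;` instead of `:` as separator between
#     /root/bin/admin-stuff and /root/bin, so neither directory was on the PATH
#   - IPv6 addresses and the `~.` routing domain quoted so no YAML loader can
#     misread them

# ---
# vars used by roles/network_interfaces
# ---

# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
network_manage_devices: true

# Should the interfaces be reloaded after config change?
network_interface_reload: false

network_interface_path: /etc/network/interfaces.d

network_interface_required_packages:
  - vlan
  - bridge-utils
  - ifmetric
  - ifupdown
  - ifenslave

network_interfaces:
  - device: enp6s0
    # use only once per device (for the first device entry)
    headline: enp6s0 - primary network interface
    # auto & allow are only used for the first device entry
    allow: []  # array of allow-[stanzas] eg. allow-hotplug
    auto: true
    family: inet
    method: static
    # keys left empty below are intentionally unset (they parse as null)
    hwaddress:
    description:
    address: 65.109.158.101
    netmask: 26
    gateway: 65.109.158.65
    metric:
    pointopoint:
    mtu:
    scope:
    # additionally used by the dhcp method
    # hostname:
    leasehours:
    leasetime:
    vendor:
    client:
    # additionally used by the bootp method
    # bootfile:
    server:
    hwaddr:
    # optional dns settings
    nameservers: []
    # nameservers:
    #   - 194.150.168.168  # dns.as250.net
    #   - 91.239.100.100   # anycast.censurfridns.dk
    # search: warenform.de
    #
    # nameservers:
    #   - 127.0.0.1
    #   - 185.12.64.2
    #   - 2a01:4ff:ff00::add:1
    # search:
    # optional additional subnets/ips
    subnets: []
    # subnets:
    #   - '192.168.123.0/24'
    #   - '192.168.124.11/32'
    # optional bridge parameters (single key; the former duplicate was dropped)
    bridge: {}
    # bridge:
    #   ports:
    #   stp:
    #   fd:
    #   maxwait:
    #   waitport:
    # optional bonding parameters (single key; the former duplicate was dropped)
    bond: {}
    # bond:
    #   master
    #   primary
    #   slave
    #   method:
    #   miimon:
    #   lacp-rate:
    #   ad-select-rate:
    #   master:
    #   slaves:
    # optional vlan settings | vlan: {}
    # vlan: {}
    #   raw-device: 'enp6s0'
    vlan: {}
    # inline hook scripts
    pre-up: []  # pre-up script lines
    up:
      - route add -net 65.109.158.64 netmask 255.255.255.192 gw 65.109.158.65 dev enp6s0
    post-up: []  # post-up script lines (alias for up)
    pre-down: []  # pre-down script lines (alias for down)
    down: []  # down script lines
    post-down: []  # post-down script lines

  - device: enp6s0
    family: inet6
    method: static
    # quoted: IPv6 literals contain ':' and are safest as explicit strings
    address: '2a01:4f9:3080:155d::2'
    netmask: 64
    gateway: 'fe80::1'

# ---
# vars used by roles/ansible_dependencies
# ---

# ---
# vars used by roles/ansible_user
# ---

# ---
# vars used by roles/common/tasks/basic.yml
# ---

# ---
# vars used by roles/common/tasks/sshd.yml
# ---

# ---
# vars used by roles/common/tasks/apt.yml
# ---

# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---

systemd_resolved: true

# Candidate public resolvers (kept for reference, not in use):
#
# CyberGhost - Fast connection with no-logs privacy policy
#   Primary DNS address:   38.132.106.139
#   Secondary DNS address: 194.187.251.67
#
# Cloudflare (USA) - Best free DNS server for gaming with reliable connections
#   primary DNS address
#     IPv4: 1.1.1.1
#     IPv6: 2606:4700:4700::1111
#   secondary DNS address
#     IPv4: 1.0.0.1
#     IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Great combination of speed and security
#   primary DNS address
#     IPv4: 8.8.8.8
#     IPv6: 2001:4860:4860::8888
#   secondary DNS address
#     IPv4: 8.8.4.4
#     IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Easily blocks malicious sites and prevents phishing fraud
#   primary DNS address
#     IPv4: 9.9.9.9
#     IPv6: 2620:fe::fe
#   secondary DNS address
#     IPv4: 149.112.112.112
#     IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
#   IPv4: 195.10.195.195 - ns31.de
#   IPv4: 94.16.114.254  - ns28.de
#   IPv4: 51.254.162.59  - ns9.de
#   IPv4: 194.36.144.87  - ns29.de
#   IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk Munich (plain DNS, DNS-over-TLS and DNS-over-HTTPS)
#   IPv4: 5.1.66.255
#   IPv6: 2001:678:e68:f000::
#   Server name for DNS-over-TLS: dot.ffmuc.net
#   IPv4: 185.150.99.255
#   IPv6: 2001:678:ed0:f000::
#   Server name for DNS-over-TLS: dot.ffmuc.net
#   for iOS 14+: DoT server configuration (unsigned, from PrHdb)

resolved_nameserver:
  - 213.133.100.100
  - 195.201.179.131
  - 95.217.204.204
  - 213.133.98.98

# search domains
#
# If there is more than one search domain, specify them here in the order in which
# the resolver should search them
#
# resolved_domains: []
resolved_domains:
  # quoted: '~.' is the systemd-resolved "route everything" domain; a bare
  # leading '~' could be confused with YAML's null shorthand by a reader
  - '~.'
  - oopen.de

# DNSSEC validation is disabled: answers from the resolvers above are used
# without signature checking.
resolved_dnssec: false

# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
  - 194.150.168.168

# ---
# vars used by roles/common/tasks/cron.yml
# ---

# NOTE: the cron module identifies each job by its `name` (the marker comment
# written into the crontab). Renaming an entry creates a new job and leaves
# the old one behind, so the existing names (typos included) are kept as-is.

cron_env_entries:
  - name: PATH
    # separator between /root/bin/admin-stuff and /root/bin was ';' (a typo
    # that left both directories off the PATH); PATH uses ':' only
    job: /root/bin/admin-stuff:/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
  - name: SHELL
    job: /bin/bash
    insertafter: PATH

cron_user_special_time_entries:
  - name: "Restart NTP service 'ntpsec'"
    special_time: reboot
    job: "sleep 2 ; /bin/systemctl restart ntpsec"
    insertafter: PATH
  - name: "Restart DNS Cache service 'systemd-resolved'"
    special_time: reboot
    job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
    insertafter: PATH
  - name: "Check if postfix mailservice is running. Restart service if needed."
    special_time: reboot
    job: "sleep 10 ; /root/bin/monitoring/check_postfix.sh > /dev/null 2>&1"
    insertafter: PATH

cron_user_entries:
  - name: "Check if webservices sre running. Restart if necessary"
    minute: '*/5'
    hour: '*'
    job: /root/bin/monitoring/check_webservice_load.sh
  - name: "Check if SSH service is running. Restart service if needed."
    minute: '*/10'
    hour: '*'
    job: /root/bin/monitoring/check_ssh.sh
  - name: "Check connectifity - reboot if needed"
    minute: '*/10'
    hour: '*'
    job: /root/bin/admin-stuff/check-connectivity.sh
  - name: "Check if Postfix Mailservice is up and running?"
    minute: '*/15'
    hour: '*'
    job: /root/bin/monitoring/check_postfix.sh
  - name: "Check Postfix E-Mail LOG file for 'fatal' errors.."
    minute: '*/5'
    hour: '*'
    job: /root/bin/postfix/check-postfix-fatal-errors.sh
  - name: "Optimize mysql tables"
    minute: '53'
    hour: '04'
    job: /root/bin/mysql/optimize_mysql_tables.sh
  - name: "Flush query cache for mysql tables"
    minute: '27'
    hour: '04'
    job: /root/bin/mysql/flush_query_cache.sh
  # scheduled at the same minute as the coolwsd certificate check below
  - name: "Flush Host cache"
    minute: '17'
    hour: '05'
    job: /root/bin/mysql/flush_host_cache.sh
  - name: "Run occ file:scan for each cloud account"
    minute: '03'
    hour: '23'
    job: /root/bin/nextcloud/occ_maintenance.sh -s cloud.verband-brg.de
  # runs from root's crontab, so the drop to www-data happens via sudo here,
  # not via the sudoers rule granted to the 'back' user further down
  - name: "Background job for nextcloud instance 'cloud.verband-brg.de"
    minute: '*/15'
    hour: '*'
    job: sudo -u "www-data" /usr/local/php/bin/php -f /var/www/cloud.verband-brg.de/htdocs/cron.php
  - name: "Check if certificates for coolwsd service are up to date"
    minute: '17'
    hour: '05'
    job: /root/bin/nextcloud/check_cert_coolwsd.sh
  - name: "Generate/Renew Let's Encrypt Certificates if needed (using dehydrated script)"
    minute: '23'
    hour: '05'
    job: /var/lib/dehydrated/cron/dehydrated_cron.sh
  - name: "Check whether all certificates are included in the VHOST configurations"
    minute: '33'
    hour: '05'
    job: /var/lib/dehydrated/tools/update_ssl_directives.sh
  - name: "Check hard disc usage."
    minute: '43'
    hour: '6'
    job: /root/bin/admin-stuff/check-disc-usage.sh -c 85

# ---
# vars used by roles/common/tasks/users.yml
# ---

# NOTE(security): the `password` values are crypt hashes committed in clear
# text; a hash is enough for offline guessing, so these fields belong in
# Ansible Vault (or a lookup) rather than a plain vars file.
# Every account below authorises the same two keys (chris@sol and root@sol),
# so whoever holds root@sol's private key can log in as any of them.
default_user:
  - name: chris
    password: $y$j9T$4tHDBpAXsLybUcR3EkGsN1$FztD35vOLJ2wkdcMMyWVjx7H6vCYAXK2Sik9RVx6iF6
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: sysadm
    user_id: 1050
    group_id: 1050
    group: sysadm
    password: $y$j9T$yvoukGb.97d5zHhCyfsi81$AmUW40NQhF4guOF95AZ/wU52SxmU8pviyqTOKgssLJB
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: localadmin
    user_id: 1051
    group_id: 1051
    password: $y$j9T$jS87fYUjhgghnH3Z46quc1$Kc7ywLGc2XidgYNCT3J/cVy5.2JEATyB0oAwxzE92L7
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
  - name: back
    user_id: 1060
    group_id: 1060
    group: back
    password: $y$j9T$Q3MnSpKzmdfYWzmQVheWu/$7RcNMpDKF5aln1hk.5ReYfKSNUeRxfOj1yaHmo6YH95
    shell: /bin/bash
    ssh_keys:
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
      - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'

sudo_users:
  - chris
  - sysadm
  - localadmin

# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---

# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---

# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
#
# NOTE(security): this rule lets 'back' run the php interpreter with any
# arguments as www-data without a password, i.e. any code of its choosing
# under the web server account. If only one script is needed, name it in the
# rule (e.g. `... NOPASSWD: /usr/local/php/bin/php -f /path/to/script.php`)
# so the grant is limited to that script.
sudoers_file_user_privileges:
  - name: back
    entry: 'ALL=(www-data) NOPASSWD: /usr/local/php/bin/php'

# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---

# ---
# vars used by roles/common/tasks/git.yml
# ---

git_firewall_repository:
  name: ipt-server
  repo: https://git.oopen.de/firewall/ipt-server
  dest: /usr/local/src/ipt-server

# ==============================

# ---
# vars used by scripts/reset_root_passwd.yml
# ---

# NOTE(security): same as above - the root password hash should live in
# Ansible Vault, not in a plain vars file.
root_user:
  name: root
  password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.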