oopen-server/host_vars/37.27.121.218.yml
2024-11-17 01:30:15 +01:00

524 lines
13 KiB
YAML

---
# ---
# vars used by roles/network_interfaces
# ---
# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
network_manage_devices: True
# Should the interfaces be reloaded after config change?
network_interface_reload: False
network_interface_path: /etc/network/interfaces.d
network_interface_required_packages:
- vlan
- bridge-utils
- ifmetric
- ifupdown
- ifenslave
network_interfaces:
# Many device configurations are possible (as many as needed)
#
- device: enp6s0
# use only once per device (for the first device entry)
headline: enp6s0 - primary device
# auto & allow are only used for the first entry of that devicei-name)
#
allow: [] # array of allow-[stanzas] eg. allow-hotplug
auto: true
family: inet
# The statisc Mode
# Options
# address <dotted quad address[/netmask]>
# gateway <dotted quad address>
# pointopoint <Address of other end point (dotted quad). Note the spelling of "point-to">
# hwaddress <mac-address>
# mtu <size>
# scope <Address validity scope. Possible values: global, link, host>
#
# The manual Method
# Options
# hwaddress <mac-address>
# mtu <size>
#
# The dhcp Method
# Options
# hwaddress <mac-address>
# hostname <Hostname to be requested (pump, dhcpcd, udhcpc)>
# metric <metric>
# leasehours <Preferred lease time in hours (pump)>
# leasetime <Preferred lease time in seconds (dhcpcd)>
# vendor <Vendor class identifier (dhcpcd)>
# client <Client identifier (dhcpcd), or "no" (dhclient)>
#
# The bootp Method
# Options
# bootfile: <file: Tell the server to use 'file' as the bootfile.>
# server: <address: Use the IP address 'address' to communicate with the server.>
# hwaddr <mac-address: Use addr as the hardware address instead of whatever it really is.>
#
method: static
hwaddress:
description:
address: 37.27.129.85
# dotted quad or number of bits
#
# the entry will be: address/netmask
netmask: 26
gateway: 37.27.129.65
metric:
pointopoint:
mtu:
scope:
# additional user by dhcp method
#
hostname:
leasehours:
leasetime:
vendor:
client:
# additional used by bootp method
#
bootfile:
server:
hwaddr:
# optional dns settings nameservers: []
#
# nameservers:
# - 194.150.168.168 # dns.as250.net
# - 91.239.100.100 # anycast.censurfridns.dk
# search: warenform.de
#
#nameservers:
# - 185.12.64.1
# - a01:4ff:ff00::add:2
#search:
# optional additional subnets/ips subnets: []
# subnets:
# - '192.168.123.0/24'
# - '192.168.124.11/32'
# optional bridge parameters bridge: {}
# bridge:
# ports:
# stp:
# fd:
# maxwait:
# waitport:
bridge: {}
# optional bonding parameters bond: {}
# bond:
# master
# primary
# slave
# mode:
# miimon:
# lacp-rate:
# ad-select-rate:
# master:
# slaves:
bond: {}
# optional vlan settings | vlan: {}
# vlan: {}
# raw-device: 'eth0'
vlan: {}
# inline hook scripts
#
# example:
#
# up:
# - !!str "route add -net 135.181.79.192 netmask 255.255.255.192 gw 135.181.79.193 dev enp6s0"
#
pre-up: [] # pre-up script lines
up:
- !!str "route add -net 37.27.129.64 netmask 255.255.255.192 gw 37.27.129.65 dev enp6s0"
post-up: [] # post-up script lines (alias for up)
pre-down: [] # pre-down script lines (alias for down)
down: [] # down script lines
post-down: [] # post-down script lines
- device: enp6s0
# use only once per device (for the first device entry)
headline:
# auto & allow are only used for the first device entry
allow: [] # array of allow-[stanzas] eg. allow-hotplug
auto:
family: inet6
method: static
address: 2a01:4f9:3071:1141::2
netmask: 64
gateway: fe80::1
metric:
pointopoint:
mtu:
scope:
# additional user by dhcp method
#
hostname:
leasehours:
leasetime:
vendor:
client:
# additional used by bootp method
#
bootfile:
server:
hwaddr:
# optional dns settings nameservers: []
#
# nameservers:
# - 194.150.168.168 # dns.as250.net
# - 91.239.100.100 # anycast.censurfridns.dk
# search: warenform.de
#
nameservers:
search:
# optional additional subnets/ips subnets: []
# subnets:
# - '192.168.123.0/24'
# - '192.168.124.11/32'
# optional bridge parameters bridge: {}
# bridge:
# ports:
# stp:
# fd:
# maxwait:
# waitport:
bridge: {}
# optional bonding parameters bond: {}
# bond:
# mode:
# miimon:
# master:
# slaves:
# lacp-rate:
bond: {}
# optional vlan settings | vlan: {}
# vlan: {}
# raw-device: 'eth0'
vlan: {}
# inline hook scripts
pre-up: []# pre-up script lines
up: [] # up script lines
post-up: [] # post-up script lines (alias for up)
pre-down: [] # pre-down script lines (alias for down)
down: [] # down script lines
post-down: [] # post-down script lines
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
#apt_manage_sources_list: false
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 185.12.64.1
- 2a01:4ff:ff00::add:2
- 185.12.64.2
- 2a01:4ff:ff00::add:1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- oopen.de
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_env_entries:
- name: PATH
job: /root/bin/admin-stuff:/root/bin:/usr/local/apache2/bin:/usr/local/php/bin:/usr/local/mysql/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
- name: SHELL
job: /bin/bash
insertafter: PATH
cron_user_special_time_entries:
- name: "Restart DNS Cache service 'systemd-resolved'"
special_time: reboot
job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
insertafter: PATH
- name: "Check if postfix mailservice is running. Restart service if needed."
special_time: reboot
job: "sleep 10 ; /root/bin/monitoring/check_postfix.sh > /dev/null 2>&1"
insertafter: PATH
cron_user_entries:
- name: "Remote Borg Backup"
minute: '04'
hour: '00'
job: /root/crontab/backup-rborg/rborg.sh
- name: "Check if SSH service is running. Restart service if needed."
minute: '*/5'
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check connectifity - reboot if needed"
minute: '*/10'
hour: '*'
job: /root/bin/admin-stuff/check-connectivity.sh
- name: "Check if Postfix Mailservice is up and running?"
minute: '*/15'
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
- name: "Check if NTP service 'ntpsec' is up and running?"
minute: '*/30'
hour: '*'
job: /root/bin/monitoring/check_ntpsec_service.sh > /dev/null 2>&1
# - name: "Backup internet hosts and then print out hdd-usage for all backuped hosts"
# minute: '16'
# hour: '00'
# weekday: '1-6'
# job: /root/crontab/backup-rcopy/rcopy.sh -B ; /root/crontab/backup-rcopy/rcopy.sh -N
#
# - name: "On sunday morning also determin diskspace usage"
# minute: '16'
# hour: '00'
# weekday: 7
# job: /root/crontab/backup-rcopy/rcopy.sh -B ; /root/crontab/backup-rcopy/rcopy.sh -N ; /root/bin/admin-stuff/disk-space_usage.sh -q -o /root/disk-space_usage /backup
#
# - name: "Generate/Renew Let's Encrypt Certificates if needed (using dehydrated script)"
# minute: '23'
# hour: '05'
# job: /var/lib/dehydrated/cron/dehydrated_cron.sh
#
# - name: "Check whether all certificates are included in the VHOST configurations"
# minute: '33'
# hour: '05'
# job: /var/lib/dehydrated/tools/update_ssl_directives.sh
- name: "Check hard disc usage."
minute: '43'
hour: '6'
job: /root/bin/admin-stuff/check-disc-usage.sh -c 85
# ---
# vars used by roles/common/tasks/users.yml
# ---
create_sftp_group: true
default_user:
- name: chris
password: $y$j9T$t0OK33lTuB/3TME5h/GHn.$4EjhvjhelkpUB2vqWPBdDCV3xCwBcJHpDobTkkuHxy.
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: sysadm
user_id: 1050
group_id: 1050
group: sysadm
password: $y$j9T$LIF1RrShGDGdCXkUubRPR/$N8M5c/dhBdJkJrLP3/Lchyosjg0FxaQ2M4epvuzTI78
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: localadmin
user_id: 1051
group_id: 1051
password: $y$j9T$bqr.c39mSZOjjhVo/qmM2.$riPJ81SHLqfJMQ6/ZdeWNP7ma8R5nehI9mo5K8oUkw1
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: back
user_id: 1060
group_id: 1060
group: back
password: $y$j9T$uYqbl2A6vQ6WsLinzhUfG0$/w02iPud/LURbhY19DGtKWgKNFTpNEP7J.jOu5CZPh.
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: borg
user_id: 1065
group_id: 1065
group: borg
password: $y$j9T$JPKlR6kIk7GJStSdmAQWq/$e1vJER6KL/dk1diFNtC.COw9lu2uT6ZdrUgGcNVb912
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
extra_system_user:
- name: www-data
home: /var/www
groups: sftp_users
sudo_users:
- chris
- sysadm
- localadmin
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
git_firewall_repository:
name: ipt-server
repo: https://git.oopen.de/firewall/ipt-server
dest: /usr/local/src/ipt-server
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.