285 lines
6.8 KiB
YAML
285 lines
6.8 KiB
YAML
---
|
|
|
|
# ---
|
|
# vars used by roles/ansible_dependencies
|
|
# ---
|
|
|
|
|
|
# ---
|
|
# vars used by roles/ansible_user
|
|
# ---
|
|
|
|
|
|
# ---
|
|
# vars used by roles/common/tasks/basic.yml
|
|
# ---
|
|
|
|
|
|
# ---
|
|
# vars used by roles/common/tasks/sshd.yml
|
|
# ---
|
|
|
|
sshd_permit_root_login: !!str "prohibit-password"
|
|
|
|
sshd_hostkeyalgorithms:
|
|
- ssh-ed25519
|
|
- ssh-ed25519-cert-v01@openssh.com
|
|
- rsa-sha2-256
|
|
- rsa-sha2-512
|
|
- ecdsa-sha2-nistp256
|
|
- rsa-sha2-256-cert-v01@openssh.com
|
|
- rsa-sha2-512-cert-v01@openssh.com
|
|
|
|
|
|
# ---
|
|
# vars used by roles/common/tasks/apt.yml
|
|
# ---
|
|
|
|
|
|
# ---
|
|
# vars used by roles/common/tasks/systemd-resolved.yml
|
|
# ---
|
|
|
|
systemd_resolved: true
|
|
|
|
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
|
|
# Primäre DNS-Adresse: 38.132.106.139
|
|
# Sekundäre DNS-Adresse: 194.187.251.67
|
|
#
|
|
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
|
|
# primäre DNS-Adresse
|
|
# IPv4: 1.1.1.1
|
|
# IPv6: 2606:4700:4700::1111
|
|
# sekundäre DNS-Adresse
|
|
# IPv4: 1.0.0.1
|
|
# IPv6: 2606:4700:4700::1001
|
|
#
|
|
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
|
|
# primäre DNS-Adresse
|
|
# IPv4: 8.8.8.8
|
|
# IPv6: 2001:4860:4860::8888
|
|
# sekundäre DNS-Adresse
|
|
# IPv4: 8.8.4.4
|
|
# IPv6: 2001:4860:4860::8844
|
|
#
|
|
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
|
|
# primäre DNS-Adresse
|
|
# IPv4: 9.9.9.9
|
|
# IPv6: 2620:fe::fe
|
|
# sekundäre DNS-Adresse
|
|
# IPv4: 149.112.112.112
|
|
# IPv6: 2620:fe::9
|
|
#
|
|
# OpenNIC - https://www.opennic.org/
|
|
# IPv4: 195.10.195.195 - ns31.de
|
|
# IPv4: 94.16.114.254 - ns28.de
|
|
# IPv4: 51.254.162.59 - ns9.de
|
|
# IPv4: 194.36.144.87 - ns29.de
|
|
# IPv6: 2a00:f826:8:2::195 - ns31.de
|
|
#
|
|
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
|
|
# IPv4: 5.1.66.255
|
|
# IPv6: 2001:678:e68:f000::
|
|
# Servername für DNS-over-TLS: dot.ffmuc.net
|
|
# IPv4: 185.150.99.255
|
|
# IPv6: 2001:678:ed0:f000::
|
|
# Servername für DNS-over-TLS: dot.ffmuc.net
|
|
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
|
|
resolved_nameserver:
|
|
- 127.0.0.1
|
|
|
|
# search domains
|
|
#
|
|
# If there are more than one search domains, then specify them here in the order in which
|
|
# the resolver should also search them
|
|
#
|
|
#resolved_domains: []
|
|
resolved_domains:
|
|
- ~.
|
|
- kanzlei-kiel.netz
|
|
|
|
resolved_dnssec: false
|
|
|
|
# dns.as250.net: 194.150.168.168
|
|
#
|
|
resolved_fallback_nameserver:
|
|
- 194.150.168.168
|
|
|
|
|
|
# ---
|
|
# vars used by roles/common/tasks/cron.yml
|
|
# ---
|
|
|
|
cron_user_special_time_entries:
|
|
|
|
- name: "Restart NTP service 'ntpsec'"
|
|
special_time: reboot
|
|
job: "sleep 15 ; /bin/systemctl restart ntpsec"
|
|
insertafter: PATH
|
|
|
|
|
|
# ---
|
|
# vars used by roles/common/tasks/users.yml
|
|
# ---
|
|
|
|
insert_ssh_keypair_backup_server: false
|
|
ssh_keypair_backup_server:
|
|
- name: backup
|
|
backup_user: back
|
|
priv_key_src: root/.ssh/id_rsa.backup.oopen.de
|
|
priv_key_dest: /root/.ssh/id_rsa
|
|
pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub
|
|
pub_key_dest: /root/.ssh/id_rsa.pub
|
|
|
|
insert_keypair_backup_client: true
|
|
ssh_keypair_backup_client:
|
|
- name: backup
|
|
priv_key_src: root/.ssh/id_ed25519.oopen-server
|
|
priv_key_dest: /root/.ssh/id_ed25519
|
|
pub_key_src: root/.ssh/id_ed25519.oopen-server.pub
|
|
pub_key_dest: /root/.ssh/id_ed25519.pub
|
|
target: backup.oopen.de
|
|
|
|
default_user:
|
|
|
|
- name: chris
|
|
password: $y$j9T$t0OK33lTuB/3TME5h/GHn.$4EjhvjhelkpUB2vqWPBdDCV3xCwBcJHpDobTkkuHxy.
|
|
shell: /bin/bash
|
|
ssh_keys:
|
|
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
|
|
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
|
|
|
|
- name: sysadm
|
|
user_id: 1050
|
|
group_id: 1050
|
|
group: sysadm
|
|
password: $y$j9T$1X6iXiYz2fIQcfKWSSzno1$9Uos8SGn/8V3oHWwiR6kaRPfUuIrxKP8kRNUZ1.da3/
|
|
shell: /bin/bash
|
|
ssh_keys:
|
|
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
|
|
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
|
|
|
|
- name: localadmin
|
|
user_id: 1051
|
|
group_id: 1051
|
|
password: $y$j9T$bqr.c39mSZOjjhVo/qmM2.$riPJ81SHLqfJMQ6/ZdeWNP7ma8R5nehI9mo5K8oUkw1
|
|
shell: /bin/bash
|
|
ssh_keys:
|
|
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
|
|
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
|
|
|
|
- name: back
|
|
user_id: 1060
|
|
group_id: 1060
|
|
group: back
|
|
password: $y$j9T$uYqbl2A6vQ6WsLinzhUfG0$/w02iPud/LURbhY19DGtKWgKNFTpNEP7J.jOu5CZPh.
|
|
shell: /bin/bash
|
|
ssh_keys:
|
|
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
|
|
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
|
|
|
|
- name: borg
|
|
user_id: 1065
|
|
group_id: 1065
|
|
group: borg
|
|
password: $y$j9T$JPKlR6kIk7GJStSdmAQWq/$e1vJER6KL/dk1diFNtC.COw9lu2uT6ZdrUgGcNVb912
|
|
shell: /bin/bash
|
|
ssh_keys:
|
|
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
|
|
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
|
|
|
|
sudo_users:
|
|
- chris
|
|
- localadmin
|
|
- sysadm
|
|
|
|
# ---
|
|
# vars used by roles/common/tasks/users-systemfiles.yml
|
|
# ---
|
|
|
|
|
|
# ---
|
|
# vars used by roles/common/tasks/webadmin-user.yml
|
|
# ---
|
|
|
|
|
|
# ---
|
|
# vars used by roles/common/tasks/sudoers.yml
|
|
# ---
|
|
#
|
|
# see: roles/common/tasks/vars
|
|
|
|
|
|
# ---
|
|
# vars used by roles/common/tasks/caching-nameserver.yml
|
|
# ---
|
|
|
|
install_bind_packages: true
|
|
|
|
|
|
bind9_gateway_acl:
|
|
- local-net:
|
|
name: local-net
|
|
entries:
|
|
- 127.0.0.0/8
|
|
- 172.16.0.0/12
|
|
- 192.168.0.0/16
|
|
- 10.0.0.0/8
|
|
- fc00::/7
|
|
- fe80::/10
|
|
- ::1/128
|
|
- internaldns:
|
|
name: internaldns
|
|
entries:
|
|
- '// Nameserver Kanzlei EBS'
|
|
- 192.168.182.1
|
|
- '// lokal Nameserver Domän controler'
|
|
- 192.168.100.30
|
|
|
|
bind9_gateway_listen_on_v6:
|
|
- none
|
|
|
|
bind9_gateway_listen_on:
|
|
- any
|
|
|
|
#bind9_gateway_allow_transfer: {}
|
|
bind9_gateway_allow_transfer:
|
|
- internaldns
|
|
|
|
bind9_transfer_source: !!str "192.168.100.1"
|
|
bind9_notify_source: !!str "192.168.100.1"
|
|
|
|
#bind9_gateway_allow_query: {}
|
|
bind9_gateway_allow_query:
|
|
- local-net
|
|
|
|
#bind9_gateway_allow_query_cache: {}
|
|
bind9_gateway_allow_query_cache:
|
|
- local-net
|
|
|
|
bind9_gateway_recursion: !!str "yes"
|
|
#bind9_gateway_allow_recursion: {}
|
|
bind9_gateway_allow_recursion:
|
|
- local-net
|
|
|
|
# ---
|
|
# vars used by roles/common/tasks/git.yml
|
|
# ---
|
|
|
|
git_firewall_repository:
|
|
name: ipt-gateway
|
|
repo: https://git.oopen.de/firewall/ipt-gateway
|
|
dest: /usr/local/src/ipt-gateway
|
|
|
|
# ==============================
|
|
|
|
|
|
# ---
|
|
# vars used by scripts/reset_root_passwd.yml
|
|
# ---
|
|
|
|
root_user:
|
|
name: root
|
|
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.
|
|
|