
11 Commits

31 changed files with 1659 additions and 399 deletions


@@ -1,8 +1,9 @@
---
- hosts: initial_setup
- name: Bootstrap & Abhängigkeiten für Ansible auf Debian/Trixie
hosts: all
become: true
gather_facts: false
roles:
- ansible_dependencies-trixie
- ansible_user_debian
- role: ansible_dependencies-trixie
- role: ansible_user_debian


@@ -0,0 +1,8 @@
---
- hosts: initial_setup
gather_facts: false
roles:
- ansible_dependencies-trixie
- ansible_user_debian
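Review bot: This new play sets neither `become` nor `remote_user`, unlike the two other bootstrap playbooks in this compare (one runs with `become: true`, the other with `remote_user: root` and `become: false`). The role names (`ansible_dependencies-trixie`, `ansible_user_debian`) suggest package and user management, which presumably needs root; if the play relies on the inventory or ansible.cfg to supply that, a one-line comment above `hosts:` saying so would save the next reader a guess, otherwise add `become: true` here.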


@@ -1,6 +1,6 @@
---
- hosts: initial_setup
- hosts: Bootstrap & Abhängigkeiten für Ansible auf Debian/Trixie
remote_user: root
become: false
gather_facts: false
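Review bot: The new play header `- hosts: Bootstrap & Abhängigkeiten für Ansible auf Debian/Trixie` looks like a typo for `- name:` — assuming the rendered order is old line then new line, `hosts: initial_setup` was replaced rather than kept, leaving the play with a host pattern that matches nothing and no `name:` at all. Keep both keys: `- name: Bootstrap & Abhängigkeiten für Ansible auf Debian/Trixie` followed by `hosts: initial_setup`. The first changed playbook in this compare makes exactly that `name:`/`hosts:` pair but with `hosts: all` and `become: true`, while this one keeps `remote_user: root` and `become: false`; worth confirming the two bootstrap entry points are meant to differ.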


@@ -10,7 +10,16 @@
[defaults]
ansible_managed = *** [ Ansible managed file: DO NOT EDIT DIRECTLY ] ***
# [DEPRECATION WARNING] 'ansible_managed' used in ansible.cfg
#
# The `ansible_managed` variable can be set just like any other variable, or a different
# variable can be used.
#
# Alternatives: Set the `ansible_managed` variable, or use any custom variable in templates.
#
# This feature will be removed from ansible-core version 2.23.
#
#ansible_managed = *** [ Ansible managed file: DO NOT EDIT DIRECTLY ] ***
# Use of 'ansible_managed'
#
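Review bot: The live `ansible_managed = ...` line in `[defaults]` is still present, so the new block only documents the deprecation without acting on it — ansible-core keeps printing the warning on every run and the key disappears with 2.23. If the `ansible_managed: >` variable added to group_vars elsewhere in this compare is the intended replacement, remove the active line here and keep only the commented copy; a config key and a variable of the same name side by side will confuse whoever later debugs which one a template actually rendered. Counting the hunk header against the visible lines suggests all nine new lines are comments and the live line is unchanged context, but the rendering has lost the markers, so confirm.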

121
apt-migrate-to-trixie.yml Normal file

@@ -0,0 +1,121 @@
---
# ---
# deb822 ist das neue Konfigurationsformats für APT-Quellen (Repositories).
# Es basiert auf der Debian Control Syntax nach RFC 822 daher der Name
# ---
- name: Nur APT auf Debian 13 (Trixie) migrieren
hosts: all
become: true
gather_facts: true
vars:
target_release: trixie
debian_mirror: "http://deb.debian.org/debian"
security_mirror: "http://security.debian.org/debian-security"
components: "main contrib non-free non-free-firmware"
enable_backports: true # auf false setzen, wenn du keine Backports willst
pin_backports_low: true # Backports nur auf Anfrage
# Nur manuelle Installation/Upgrade aus Backports:
# backports_pin_priority: 100
#
# Automatische Updates für bereits installierte Backports-Pakete.
# backports_pin_priority: 500 (>= 500)
#
backports_pin_priority: 100 # 100 = nie automatisch bevorzugen
apt_cache_valid_time: 3600
# Für offizielle Debian-Repos brauchst es kein Signed-By, weil debian-archive-keyring
# ohnehin systemweit vertrauenswürdig ist.
#
use_signed_by: true # oder false, wenn du Option A willst
# Wenn Signed-By explizit gesetzt werden soll, dann nutze den Keyring-Pfad und stelle sicher,
# dass das Paket installiert ist.
signed_by_keyring: "/usr/share/keyrings/debian-archive-keyring.gpg"
pre_tasks:
- name: Sicherstellen, dass wir Debian sind
assert:
that:
- ansible_facts['os_family'] == "Debian"
fail_msg: "Dieses Playbook ist nur für Debian geeignet."
tasks:
- name: Keyring für Debian-Archive sicherstellen (falls Signed-By genutzt)
ansible.builtin.apt:
name: debian-archive-keyring
state: present
when: use_signed_by
- name: (Optional) Alte /etc/apt/sources.list sichern
ansible.builtin.copy:
src: /etc/apt/sources.list
dest: /etc/apt/sources.list.before-trixie
remote_src: true
force: false
ignore_errors: true
- name: Alte /etc/apt/sources.list deaktivieren (leere Kommentar-Datei)
ansible.builtin.copy:
dest: /etc/apt/sources.list
content: |
# Verwaltet via Ansible. Repositories liegen in /etc/apt/sources.list.d/*.sources (deb822).
# Zielrelease: {{ target_release }}
owner: root
group: root
mode: "0644"
- name: Debian-Repo (deb + deb-src) als deb822 anlegen
ansible.builtin.template:
src: templates/apt-migrate-to-trixie/debian.sources.j2
dest: /etc/apt/sources.list.d/debian.sources
owner: root
group: root
mode: "0644"
- name: Security-Repo (deb + deb-src) als deb822 anlegen
ansible.builtin.template:
src: templates/apt-migrate-to-trixie/security.sources.j2
dest: /etc/apt/sources.list.d/security.sources
owner: root
group: root
mode: "0644"
- name: Backports-Repo (optional) als deb822 anlegen/entfernen
ansible.builtin.template:
src: templates/apt-migrate-to-trixie/backports.sources.j2
dest: /etc/apt/sources.list.d/backports.sources
owner: root
group: root
mode: "0644"
when: enable_backports
- name: Backports-Repo entfernen wenn deaktiviert
ansible.builtin.file:
path: /etc/apt/sources.list.d/backports.sources
state: absent
when: not enable_backports
- name: Optionales Backports-Pinning setzen
ansible.builtin.template:
src: templates/apt-migrate-to-trixie/99-backports.j2
dest: /etc/apt/preferences.d/99-backports
owner: root
group: root
mode: "0644"
when: enable_backports and pin_backports_low
- name: APT-Cache aktualisieren
ansible.builtin.apt:
update_cache: yes
cache_valid_time: "{{ apt_cache_valid_time }}"
- name: Verifikation - zeigen, ob Suites auf trixie stehen
ansible.builtin.command: apt-cache policy
register: apt_policy
changed_when: false
- name: Ausgabe anzeigen (nur Info)
ansible.builtin.debug:
msg: "{{ apt_policy.stdout.split('\n') | select('search', 'trixie') | list | join('\n') }}"
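Review bot: The `pre_tasks` assertion `ansible_facts['os_family'] == "Debian"` does not enforce what the `fail_msg` says: `os_family` is also `Debian` on Ubuntu and other derivatives, so this play would happily replace their APT sources with Debian trixie entries. Check the distribution itself, `- ansible_facts['distribution'] == "Debian"`, and since the play targets one release, consider also asserting that `ansible_facts['distribution_release']` is a release you expect to migrate from. Two smaller points in the same file: the sources.list backup task runs with `ignore_errors: true`, yet the next task overwrites /etc/apt/sources.list unconditionally, so a failed backup silently loses the original — register the copy result and make the overwrite conditional on it (or on a `stat` of the backup file); and `update_cache: yes` should be `true` to match the rest of the file.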


@@ -1,173 +0,0 @@
" An example for a vimrc file.
"
" Maintainer: Bram Moolenaar <Bram@vim.org>
" Last change: 1999 Sep 09
"
" To use it, copy it to
" for Unix and OS/2: ~/.vimrc
" for Amiga: s:.vimrc
" for MS-DOS and Win32: $VIM\_vimrc
" This line should not be removed as it ensures that various options are
" properly set to work with the Vim-related packages available in Debian.
runtime! debian.vim
set nocompatible " Use Vim defaults (much better!)
set bs=2 " allow backspacing over everything in insert mode
set ai " always set autoindenting on
" set backup " keep a backup file
"set viminfo='20,\"50 " read/write a .viminfo file, don't store more
" than 50 lines of registers
set viminfo='20,\"50,:20,%,n~/.viminfo
set history=50 " keep 50 lines of command line history
set ruler " show the cursor position all the time
set ignorecase " suchen case-insenitiv
set showmatch " zeige passende klammern
set shell=/bin/bash " shell to start with !
set expandtab " tabs --> blanks
set showmode " anzeige INSERT/REPLACE/...
" set smartcase " Do smart case matching
set incsearch " Incremental search
" Start searching when you type the first character of
" the search string. As you type in more characters, the
" search is refined.
set t_Co=256 " To enable 256 colors in vim, put this your .vimrc before setting the colorscheme
" einrueckung
set shiftwidth=3
set tabstop=3
" Round indent to multiple of 'shiftwidth' for > and < commands
set shiftround
" For Win32 GUI: remove 't' flag from 'guioptions': no tearoff menu entries
" let &guioptions = substitute(&guioptions, "t", "", "g")
" Don't use Ex mode, use Q for formatting
map Q gq
" Make p in isual Visual mode replace the selected text with the "" register.
vnoremap p <Esc>:let current_reg = @"<CR>gvdi<C-R>=current_reg<CR><Esc>
" Switch syntax highlighting on, when the terminal has colors
" Also switch on highlighting the last used search pattern.
if &t_Co > 2 || has("gui_running")
syntax on
set hlsearch
endif
" Only do this part when compiled with support for autocommands.
if has("autocmd")
" In text files, always limit the width of text to 78 characters
autocmd BufRead *.txt set tw=78
augroup cprog
" Remove all cprog autocommands
au!
" When starting to edit a file:
" For C and C++ files set formatting of comments and set C-indenting on.
" For other files switch it off.
" Don't change the order, it's important that the line with * comes first.
autocmd FileType * set formatoptions=tcql nocindent comments&
autocmd FileType c,cpp set formatoptions=croql cindent comments=sr:/*,mb:*,el:*/,://
augroup END
augroup gzip
" Remove all gzip autocommands
au!
" Enable editing of gzipped files
" set binary mode before reading the file
autocmd BufReadPre,FileReadPre *.gz,*.bz2 set bin
autocmd BufReadPost,FileReadPost *.gz call GZIP_read("gunzip")
autocmd BufReadPost,FileReadPost *.bz2 call GZIP_read("bunzip2")
autocmd BufWritePost,FileWritePost *.gz call GZIP_write("gzip")
autocmd BufWritePost,FileWritePost *.bz2 call GZIP_write("bzip2")
autocmd FileAppendPre *.gz call GZIP_appre("gunzip")
autocmd FileAppendPre *.bz2 call GZIP_appre("bunzip2")
autocmd FileAppendPost *.gz call GZIP_write("gzip")
autocmd FileAppendPost *.bz2 call GZIP_write("bzip2")
" After reading compressed file: Uncompress text in buffer with "cmd"
fun! GZIP_read(cmd)
let ch_save = &ch
set ch=2
execute "'[,']!" . a:cmd
set nobin
let &ch = ch_save
execute ":doautocmd BufReadPost " . expand("%:r")
endfun
" After writing compressed file: Compress written file with "cmd"
fun! GZIP_write(cmd)
if rename(expand("<afile>"), expand("<afile>:r")) == 0
execute "!" . a:cmd . " <afile>:r"
endif
endfun
" Before appending to compressed file: Uncompress file with "cmd"
fun! GZIP_appre(cmd)
execute "!" . a:cmd . " <afile>"
call rename(expand("<afile>:r"), expand("<afile>"))
endfun
augroup END
" This is disabled, because it changes the jumplist. Can't use CTRL-O to go
" back to positions in previous files more than once.
if 0
" When editing a file, always jump to the last cursor position.
" This must be after the uncompress commands.
autocmd BufReadPost * if line("'\"") && line("'\"") <= line("$") | exe "normal `\"" | endif
endif
endif " has("autocmd")
" toggle syntax highlighting
map <F12> :if exists("syntax_on") <Bar> syntax off <Bar> else <Bar> syntax on <Bar> endif <CR><ESC>
map <F11> :nohls <CR>
" use <F6> to toggle line numbers
nmap <silent> <F6> :set number!<CR>
" If using a dark background within the editing area and syntax highlighting
" turn on this option as well
set background=dark
" set color for search
hi clear search
hi search term=bold,reverse cterm=bold,reverse gui=bold,reverse
" set color for Comment
hi clear Comment
"highlight Comment term=bold cterm=bold ctermfg=LightBlue guifg=#80a0ff gui=bold
"highlight Comment term=none cterm=none ctermfg=LightBlue guifg=#80a0ff gui=bold
"highlight Comment term=bold cterm=bold ctermfg=grey guifg=#80a0ff gui=bold
highlight Comment term=none cterm=none ctermfg=grey guifg=#80a0ff gui=bold
"highlight Comment term=none cterm=none ctermfg=177 guifg=#80a0ff gui=bold
"highlight Comment term=none cterm=none ctermfg=215 guifg=#80a0ff gui=bold
" Go back to the position the cursor was on the last time this file was edited
au BufReadPost * if line("'\"") > 0 && line("'\"") <= line("$")|execute("normal `\"")|endif
" visual shifting (does not exit Visual mode)
vnoremap < <gv
vnoremap > >gv
" Scroll when cursor gets within 3 characters of top/bottom edge
set scrolloff=3
" Show line, column number, and relative position within a file in the status line
" set statusline=%F%m%r%h%w\ [FORMAT=%{&ff}]\ [TYPE=%Y]\ [ASCII=\%03.3b]\ [HEX=\%02.2B]\ [POS=%04l,%04v][%p%%]\ [LEN=%L]
"set statusline=\ %F\ %(\|\ flags:\ %R%M%H%W\ %)%(\|\ type:\ %Y\ %)%(\|\ format:\ %{&ff}\ %)%(\|\ syntax:\ %{synIDattr(synID(line('.'),col('.'),0),'name')}%)\ \ %=line:\ %l/%L\ \|\ column:\ %c%V\ \|\ relative\:\ %p%%\
set statusline=\ %F\ %(\|\ flags:\ %R%M%H%W\ %)%(\|\ type:\ %Y\ %)%(\|\ format:\ %{&ff}\ %)\ \ %=line:\ %l/%L\ \|\ col:\ %c%V\ \|\ %p%%
" Always show status line, even for one window
set laststatus=2
highlight StatusLine cterm=none ctermfg=white ctermbg=blue

419
ga-eh-gw.oopen.de.yml Normal file

@@ -0,0 +1,419 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
network_manage_devices: True
# Should the interfaces be reloaded after config change?
network_interface_reload: False
network_interface_path: /etc/network/interfaces.d
network_interface_required_packages:
- vlan
- bridge-utils
- ifmetric
- ifupdown
- ifenslave
network_interfaces:
- device: eno1
headline: eno1 - Uplink WiDSL via (static) line to Fritz!Box 7490
auto: true
family: inet
method: static
address: 172.16.80.1
netmask: 24
gateway: 172.16.80.254
#nameservers:
# - 192.168.81.1
# - 172.16.81.254
#search: ga.netz ga.intra
- device: eno2
headline: eno2 - Uplink Telekom (static line via digitbox)
auto: true
family: inet
method: static
address: 172.16.81.1
netmask: 24
gateway: 172.16.81.254
- device: eno5
headline: eno5 - LAN
auto: true
family: inet
method: static
address: 192.168.81.254
netmask: 24
post-up:
# VLAN 321 - for Ubiquiti UniFi Accesspoints Guest NET
- /sbin/ip link add link eno5 name eno5.21 type vlan id 21
# VLAN 331 - for Ubiquiti UniFi Accesspoints private NET
- /sbin/ip link add link eno5 name eno5.31 type vlan id 31
- device: eno5.21
headline: eno5 - VLAN 321 (Ubiquiti UniFi Accesspoints Guest NET)
auto: true
family: inet
method: static
address: 10.21.15.254
netmask: 20
- device: eno5.31
headline: eno5 - VLAN 331 (Ubiquiti UniFi Accesspoints private NET)
auto: true
family: inet
method: static
address: 10.31.15.254
netmask: 20
- device: eno5:ns
headline: eno5:ns - Alias on eno5 (Nameserver)
auto: true
family: inet
method: static
address: 192.168.81.1
netmask: 32
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_user_entries:
- name: "Check if Postfix Mailservice is up and running?"
minute: "*/15"
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
- name: "Check if SSH service is up and running?"
minute: "*/15"
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if OpenVPN service is up and running?"
minute: "*/30"
hour: '*'
job: /root/bin/monitoring/check_vpn.sh
- name: "Check if nameservice (bind) is running?"
minute: '*/10'
hour: '*'
job: /root/bin/monitoring/check_dns.sh
- name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )"
minute: "0-59/2"
hour: '*'
job: /root/bin/monitoring/check_forwarding.sh
- name: "Copy gateway configuration"
minute: "09"
hour: "3"
job: /root/bin/manage-gw-config/copy_gateway-config.sh GA-NH
#cron_user_special_time_entries: []
cron_user_special_time_entries:
- name: "Check if Postfix Service is running at boot time"
special_time: reboot
job: "sleep 7 ; /root/bin/monitoring/check_postfix.sh"
insertafter: PATH
- name: "Restart Systemd's resolved at boottime."
special_time: reboot
job: "sleep 10 ; /bin/systemctl restart systemd-resolved"
insertafter: PATH
- name: "Restart NTP service 'ntpsec'"
special_time: reboot
job: "sleep 15 ; /bin/systemctl restart ntpsec"
insertafter: PATH
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 127.0.0.1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- ga.netz
- ga.intra
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/users.yml
# ---
insert_ssh_keypair_backup_server: false
ssh_keypair_backup_server:
- name: backup
backup_user: back
priv_key_src: root/.ssh/id_rsa.backup.oopen.de
priv_key_dest: /root/.ssh/id_rsa
pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub
pub_key_dest: /root/.ssh/id_rsa.pub
insert_keypair_backup_client: true
ssh_keypair_backup_client:
- name: backup
priv_key_src: root/.ssh/id_ed25519.oopen-server
priv_key_dest: /root/.ssh/id_ed25519
pub_key_src: root/.ssh/id_ed25519.oopen-server.pub
pub_key_dest: /root/.ssh/id_ed25519.pub
target: backup.oopen.de
default_user:
- name: chris
password: $y$j9T$rDrvWa/KInzTe601YYf9./$WjDlaItCrgX7gu4nCs481y8WLxiRaNJCC/MgFgKuzg3
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: maadmin
password: $y$j9T$LCkYWvykWzrpFxIlmSUB01$e1ROfZxXAU53UdAwZAECzED4iV4LS02Q4IPQ2fycv51
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1'
- name: wadmin
password: $6$sLWIXKTW$i/STlSS0LijkrnGR/XMbaxJsEbrRdDYgqyCqIr.muLN5towes8yHDCXsyCYDjuaBNKPHXyFpr8lclg5DOm9OF1
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'
- name: sysadm
user_id: 1050
group_id: 1050
group: sysadm
password: $y$j9T$awYUu9oRvV39ojITZOC7D1$czTh5HHIE32PXb0vl40ayAarm39txR4jaH1QzBscqfC
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'
- name: back
user_id: 1060
group_id: 1060
group: back
password: $y$j9T$wpg8hlvMpO4PAWSVdLoJq/$dgpQh4cEnbUOQkkZzKUM4S8XzNS/Md5gMmMuNTqec74
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
sudo_users:
- chris
- sysadm
- maadmin
- wadmin
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
install_bind_packages: true
bind9_gateway_acl:
- local-net:
name: local-net
entries:
- 127.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 10.0.0.0/8
- fc00::/7
- fe80::/10
- ::1/128
- internaldns:
name: internaldns
entries:
- '# Nameserver Gateway Stockhausen'
- 192.168.11.1
- '# Domain Controller Stockhausen'
- 192.168.10.3
- '# Nameserver Gateway Altenschlirf'
- 192.168.10.1
- '# Domain Controller Altenschlirf'
- 192.168.10.3
- 192.168.10.6
- 172.16.0.1
- '# Nameserver Gateway Novalishaus'
- 192.168.81.1
- 10.2.11.2
- '# Nameserver wolle'
- 10.113.12.3
- '# Postfix Mailserver'
- 192.168.11.2
- '# Mail Relay System'
- 192.168.10.2
bind9_gateway_listen_on_v6:
- none
bind9_gateway_listen_on:
- any
#bind9_gateway_allow_transfer: {}
bind9_gateway_allow_transfer:
- none
bind9_transfer_source: !!str "192.168.81.1"
bind9_notify_source: !!str "192.168.81.1"
#bind9_gateway_allow_query: {}
bind9_gateway_allow_query:
- local-net
#bind9_gateway_allow_query_cache: {}
bind9_gateway_allow_query_cache:
- local-net
bind9_gateway_recursion: !!str "yes"
#bind9_gateway_allow_recursion: {}
bind9_gateway_allow_recursion:
- local-net
# ---
# vars used by roles/common/tasks/git.yml
# ---
git_firewall_repository:
name: ipt-gateway
repo: https://git.oopen.de/firewall/ipt-gateway
dest: /usr/local/src/ipt-gateway
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.
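Review bot: The `password:` values under `default_user` and `root_user` are password hashes committed in the clear to the repository; even hashed, they are offline-guessable material that now lives in every clone and in the git history, so encrypt them with `ansible-vault encrypt_string` (or vault the whole host file) before this lands, and plan to rotate whatever they protect once they have been pushed. The same applies to the second new host-vars file in this compare (the other `@@ -0,0 +1,407 @@` section), which carries the same hashes and the same `root_user` entry. Separately, `network_manage_devices: True` and `network_interface_reload: False` should be the canonical `true`/`false` (yamllint `truthy`); and the `post-up` comments say `VLAN 321`/`VLAN 331` while the commands create `vlan id 21` and `31` — if 321/331 is a naming scheme rather than a leftover, a word in the comment would help the next reader.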


@@ -1,5 +1,14 @@
---
#ansible_managed: !!str " *** [ Ansible managed file: DO NOT EDIT DIRECTLY ] ***"
ansible_managed: >
*** ANSIBLE MANAGED FILE - DO NOT EDIT ***
# This file was generated by {{ ansible_user_id }} on {{ ansible_date_time.iso8601 }}
# ---
# vars used by roles/ansible_dependencies
# ---
@@ -2935,6 +2944,8 @@ ipv6_address: ''
is_relay_host:
# support_dmarc_reporting:
# sasl_auth_enable:
#
# possible values are:
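Review bot: The folded scalar `ansible_managed: >` joins its two lines into one, so the rendered header becomes `*** ANSIBLE MANAGED FILE - DO NOT EDIT *** # This file was generated by ...` on a single line; if two header lines are intended, use `|-` (literal, no trailing newline) instead. More importantly, embedding `{{ ansible_date_time.iso8601 }}` makes every template that references `ansible_managed` differ on each run, so those tasks report `changed` (and notify their handlers) even when nothing else moved; drop the timestamp, or keep it out of files whose change state matters. `ansible_date_time` also exists only when facts are gathered — several plays in this compare run with `gather_facts: false` and would hit an undefined variable when rendering it.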


@@ -214,6 +214,8 @@ ipv6_address: 2a01:4f9:4a:47e5::247
admin_email: argus@oopen.de
is_relay_host: !!str "false"
support_dmarc_reporting: !!str "true"
db_in_use: !!str "true"
# postfix_db_type
#


@@ -280,6 +280,7 @@ default_user:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICMHxvK5kzKgypVi8ZvshveSpyo0eSXiBCnAC5Pcjdgv root@discourse'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDy5WM1qsLE2SRwWG1Y38WJcMYUpL8MuQiraqiXfHzaH root@e.mx'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOvOkCWNKUJ5o9e+0NhY4IFZv8LA7tkkkEFjr8nqFKhe root@formbricks-nd'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL7KbEZApiqEcU4aK3A2J8hy+r1uV7TZupwm4CHGqLPH root@ga-gh-gw'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPbony+4g4iFS32Cv/Bkmet4FsCAsrGTffwWm2eM16x root@git.warenform'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDqqmBWh3qmnx41NiLCn1LhVG0mn4++IUvRNC0OMh6h6 root@gitoea'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICR9o0+6jnfmXKOedKP6IZgt5lRIPFSJJ4FbMjz2SPkH root@gw-campus'


@@ -423,6 +423,7 @@ samba_user:
- name: lino.koehler
groups:
- projekte
- team
password: '20.l1no-ko3hl3r_25/'
- name: maite.gabriel
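Review bot: The `password:` value for `lino.koehler` is a cleartext Samba credential in a vars file; whether this hunk adds that line or only the `- team` group (the rendering has lost the markers), the file under review ships it in plain text to every clone and into the git history. Store the value with `ansible-vault encrypt_string --name password` (or vault the whole file holding `samba_user`) and treat the current value as exposed once it has been pushed. The remaining `samba_user` entries are outside the hunk, but presumably carry the same kind of value and deserve the same treatment.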


@@ -189,6 +189,8 @@ network_interfaces:
#- /sbin/ip route add 192.168.73.0/24 via 172.16.111.254
# User Network Novalishaus
- /sbin/ip route add 192.168.81.0/24 via 172.16.111.254
# User Network Georgshaus
- /sbin/ip route add 192.168.85.0/24 via 172.16.111.254
# Management Network Stockhausen
- /sbin/ip route add 10.10.11.0/24 via 172.16.111.254
# Depreated Management Network Stokhausen
@@ -213,7 +215,7 @@ network_interfaces:
- /sbin/ip route add 10.10.111.0/24 via 172.16.111.254
# VPN Netz Stockhausen - Novalishaus (Schlechtenwegen)
- /sbin/ip route add 10.2.81.0/24 via 172.16.111.254
# VPN Home Stockhause
# VPN Home Stockhausen
- /sbin/ip route add 10.0.11.0/24 via 172.16.111.254
# - FritzBoxen Stockhausen
- /sbin/ip route add 172.16.11.0/24 via 172.16.111.254
@@ -223,6 +225,8 @@ network_interfaces:
- /sbin/ip route add 172.16.80.0/24 via 172.16.111.254
# - DigitBox Novalishaus
- /sbin/ip route add 172.16.81.0/24 via 172.16.111.254
# - FritzBox georgshaus
- /sbin/ip route add 172.16.85.0/24 via 172.16.111.254
- device: eth4
@@ -425,6 +429,8 @@ bind9_gateway_acl:
- '# Nameserver Gateway Novalishaus'
- 192.168.81.1
- 10.2.11.2
- '# Nameserver Gateway Georgshaus'
- 192.168.85.1
- '# Nameserver wolle'
- 10.113.12.3
- '# Postfix Mailserver'
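Review bot: The `internaldns` ACL grows by the same two lines (`'# Nameserver Gateway Georgshaus'` / `192.168.85.1`) in this file and in the two following host-vars sections, and both new host files define the full list yet again; a resolver list maintained by hand in four or more files will drift the next time a gateway is added. Consider moving the `internaldns` entries of `bind9_gateway_acl` into a group var and referencing it from each host, so one change covers all gateways. The `'# ...'` list items will presumably be emitted verbatim into the named.conf ACL by the template — fine if the template writes each entry on its own line, worth a quick check.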


@@ -0,0 +1,407 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
network_manage_devices: True
# Should the interfaces be reloaded after config change?
network_interface_reload: False
network_interface_path: /etc/network/interfaces.d
network_interface_required_packages:
- vlan
- bridge-utils
- ifmetric
- ifupdown
- ifenslave
network_interfaces:
- device: eno1
headline: eno1 - Uplink WiDSL via (static) line to Fritz!Box 7490
auto: true
family: inet
method: static
address: 172.16.85.1
netmask: 24
gateway: 172.16.85.254
- device: eno2
headline: eno2 - LAN
auto: true
family: inet
method: static
address: 192.168.85.254
netmask: 24
post-up:
# VLAN 321 - for Ubiquiti UniFi Accesspoints Guest NET
- /sbin/ip link add link eno2 name eno2.25 type vlan id 25
# VLAN 331 - for Ubiquiti UniFi Accesspoints private NET
- /sbin/ip link add link eno2 name eno2.35 type vlan id 35
- device: eno2.25
headline: eno2 - VLAN 25 (Ubiquiti UniFi Accesspoints Guest NET)
auto: true
family: inet
method: static
address: 10.25.15.254
netmask: 20
- device: eno2.35
headline: eno2 - VLAN 35 (Ubiquiti UniFi Accesspoints private NET)
auto: true
family: inet
method: static
address: 10.35.15.254
netmask: 20
- device: eno2:ns
headline: eno2:ns - Alias on eno2 (Nameserver)
auto: true
family: inet
method: static
address: 192.168.85.1
netmask: 32
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_user_entries:
- name: "Check if Postfix Mailservice is up and running?"
minute: "*/15"
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
- name: "Check if SSH service is up and running?"
minute: "*/15"
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if OpenVPN service is up and running?"
minute: "*/30"
hour: '*'
job: /root/bin/monitoring/check_vpn.sh
- name: "Check if nameservice (bind) is running?"
minute: '*/10'
hour: '*'
job: /root/bin/monitoring/check_dns.sh
- name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )"
minute: "0-59/2"
hour: '*'
job: /root/bin/monitoring/check_forwarding.sh
- name: "Copy gateway configuration"
minute: "09"
hour: "3"
job: /root/bin/manage-gw-config/copy_gateway-config.sh GA-NH
#cron_user_special_time_entries: []
cron_user_special_time_entries:
- name: "Check if Postfix Service is running at boot time"
special_time: reboot
job: "sleep 7 ; /root/bin/monitoring/check_postfix.sh"
insertafter: PATH
- name: "Restart Systemd's resolved at boottime."
special_time: reboot
job: "sleep 10 ; /bin/systemctl restart systemd-resolved"
insertafter: PATH
- name: "Restart NTP service 'ntpsec'"
special_time: reboot
job: "sleep 15 ; /bin/systemctl restart ntpsec"
insertafter: PATH
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 127.0.0.1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- ga.netz
- ga.intra
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/users.yml
# ---
insert_ssh_keypair_backup_server: false
ssh_keypair_backup_server:
- name: backup
backup_user: back
priv_key_src: root/.ssh/id_rsa.backup.oopen.de
priv_key_dest: /root/.ssh/id_rsa
pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub
pub_key_dest: /root/.ssh/id_rsa.pub
insert_keypair_backup_client: true
ssh_keypair_backup_client:
- name: backup
priv_key_src: root/.ssh/id_ed25519.oopen-server
priv_key_dest: /root/.ssh/id_ed25519
pub_key_src: root/.ssh/id_ed25519.oopen-server.pub
pub_key_dest: /root/.ssh/id_ed25519.pub
target: backup.oopen.de
default_user:
- name: chris
password: $y$j9T$rDrvWa/KInzTe601YYf9./$WjDlaItCrgX7gu4nCs481y8WLxiRaNJCC/MgFgKuzg3
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: maadmin
password: $y$j9T$LCkYWvykWzrpFxIlmSUB01$e1ROfZxXAU53UdAwZAECzED4iV4LS02Q4IPQ2fycv51
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1'
- name: wadmin
password: $6$sLWIXKTW$i/STlSS0LijkrnGR/XMbaxJsEbrRdDYgqyCqIr.muLN5towes8yHDCXsyCYDjuaBNKPHXyFpr8lclg5DOm9OF1
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'
- name: sysadm
user_id: 1050
group_id: 1050
group: sysadm
password: $y$j9T$awYUu9oRvV39ojITZOC7D1$czTh5HHIE32PXb0vl40ayAarm39txR4jaH1QzBscqfC
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'
- name: back
user_id: 1060
group_id: 1060
group: back
password: $y$j9T$wpg8hlvMpO4PAWSVdLoJq/$dgpQh4cEnbUOQkkZzKUM4S8XzNS/Md5gMmMuNTqec74
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
sudo_users:
- chris
- sysadm
- maadmin
- wadmin
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
install_bind_packages: true
bind9_gateway_acl:
- local-net:
name: local-net
entries:
- 127.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 10.0.0.0/8
- fc00::/7
- fe80::/10
- ::1/128
- internaldns:
name: internaldns
entries:
- '# Nameserver Gateway Stockhausen'
- 192.168.11.1
- '# Domain Controller Stockhausen'
- 192.168.10.3
- '# Nameserver Gateway Altenschlirf'
- 192.168.10.1
- '# Domain Controller Altenschlirf'
- 192.168.10.3
- 192.168.10.6
- 172.16.0.1
- '# Nameserver Gateway Novalishaus'
- 192.168.81.1
- 10.2.11.2
- '# Nameserver Gateway Georgshaus'
- 192.168.85.1
- '# Nameserver wolle'
- 10.113.12.3
- '# Postfix Mailserver'
- 192.168.11.2
- '# Mail Relay System'
- 192.168.10.2
bind9_gateway_listen_on_v6:
- none
bind9_gateway_listen_on:
- any
#bind9_gateway_allow_transfer: {}
bind9_gateway_allow_transfer:
- none
bind9_transfer_source: !!str "192.168.85.1"
bind9_notify_source: !!str "192.168.85.1"
#bind9_gateway_allow_query: {}
bind9_gateway_allow_query:
- local-net
#bind9_gateway_allow_query_cache: {}
bind9_gateway_allow_query_cache:
- local-net
bind9_gateway_recursion: !!str "yes"
#bind9_gateway_allow_recursion: {}
bind9_gateway_allow_recursion:
- local-net
# ---
# vars used by roles/common/tasks/git.yml
# ---
git_firewall_repository:
name: ipt-gateway
repo: https://git.oopen.de/firewall/ipt-gateway
dest: /usr/local/src/ipt-gateway
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.


@@ -363,6 +363,8 @@ bind9_gateway_acl:
- '# Nameserver Gateway Novalishaus'
- 192.168.81.1
- 10.2.11.2
- '# Nameserver Gateway Georgshaus'
- 192.168.85.1
- '# Nameserver wolle'
- 10.113.12.3
- '# Postfix Mailserver'


@@ -230,6 +230,8 @@ bind9_gateway_acl:
- '# Nameserver Gateway Novalishaus'
- 192.168.81.1
- 10.2.11.2
- '# Nameserver Gateway Georgshaus'
- 192.168.85.1
- '# Nameserver wolle'
- 10.113.12.3
- '# Postfix Mailserver'


@@ -32,7 +32,7 @@ network_interfaces:
family: inet
method: static
hwaddress: 9c:6b:00:51:bf:54
hwaddress: 9c:6b:00:2b:fe:4f
description:
address: 176.9.62.77
netmask: 27
@@ -119,6 +119,98 @@ network_interfaces:
gateway: 'fe80::1'
- device: br1
# use only once per device (for the first device entry)
headline: br1 - bridge over device enp6s0.4001
# auto & allow are only used for the first device entry
allow: [] # array of allow-[stanzas] eg. allow-hotplug
auto: true
family: inet
method: static
hwaddress: 9c:6b:00:2b:fe:50
description:
address: 172.20.1.10
netmask: 24
gateway:
metric:
pointopoint:
mtu:
scope:
# additional user by dhcp method
#
hostname:
leasehours:
leasetime:
vendor:
client:
# additional used by bootp method
#
bootfile:
server:
hwaddr:
# optional dns settings nameservers: []
#
# nameservers:
# - 194.150.168.168 # dns.as250.net
# - 91.239.100.100 # anycast.censurfridns.dk
# search: warenform.de
#
# ** MOVED TO systemd-resolved
#
nameservers:
search:
# optional bridge parameters bridge: {}
# bridge:
# ports:
# stp:
# fd:
# maxwait:
# waitport:
bridge:
ports: enp6s0.4001 # for mor devices support a blank separated list
stp: !!str off
fd: 5
hello: 2
maxage: 12
# optional bonding parameters bond: {}
# bond:
# master
# primary
# slave
# method:
# miimon:
# lacp-rate:
# ad-select-rate:
# master:
# slaves:
bond: {}
# optional vlan settings | vlan: {}
# vlan: {}
# raw-device: 'eth0'
vlan: {}
# inline hook scripts
#pre-up: [] # pre-up script lines
pre-up:
- /sbin/ip link add link enp6s0 name enp6s0.4001 type vlan id 4001
- /sbin/ip link set enp6s0.4001 mtu 1400
up: [] # up script lines
#post-up: [] # post-up script lines (alias for up)
post-up: # post-up script lines (alias for up)
- /sbin/ip route add 172.20.0.0/21 via 172.20.1.1
pre-down: [] # pre-down script lines (alias for down)
down: [] # down script lines
post-down: [] # post-down script lines
# ---
# vars used by roles/ansible_dependencies
# ---
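Review bot: The `pre-up` hook for `br1` creates the VLAN link unconditionally (`/sbin/ip link add link enp6s0 name enp6s0.4001 type vlan id 4001`) while `post-down` stays `[]`, so after an `ifdown br1` the link survives and the next `ifup` fails with `File exists`; as far as I recall ifupdown treats a failing pre-up line as fatal and aborts the rest of the bring-up. Making creation idempotent and tearing down symmetrically avoids that: `- /sbin/ip link show enp6s0.4001 >/dev/null 2>&1 || /sbin/ip link add link enp6s0 name enp6s0.4001 type vlan id 4001` in `pre-up`, and `post-down: [/sbin/ip link del enp6s0.4001]`. For the same reason `post-up` should use `/sbin/ip route replace 172.20.0.0/21 via 172.20.1.1`, which succeeds when the route already exists.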


@@ -297,6 +297,12 @@ samba_user:
- buero
password: '20-printer-18'
- name: hanna
groups:
- buero
- beratung
password: '6UR9+#anna-25'
- name: hannes
groups:
- buero
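Review bot: The new `hanna` entry stores its Samba password as a plaintext string (the `password:` line of the added block), next to the existing entry's plaintext password, so the credential is readable by everyone with access to this repository and remains in its history even after rotation. Encrypting the value in place with `ansible-vault encrypt_string --name password` and committing the resulting `!vault |` block keeps the `samba_user` structure intact while removing the secret from the clear-text inventory; the consuming role need not change. The same treatment applies to the other plaintext `password:` values in this list, which lie outside the hunk.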

4
hosts

@@ -82,6 +82,7 @@ ga-st-gw.ga.netz
ga-st-gw-neu.ga.netz
ga-al-gw.oopen.de
ga-nh-gw.oopen.de
ga-gh-gw.oopen.de
gw-campus.oopen.de
ga-st-lxc1.ga.netz
ga-st-mail.ga.netz
@@ -564,6 +565,7 @@ ga-st-gw.ga.netz
ga-st-gw-neu.ga.netz
ga-al-gw.oopen.de
ga-nh-gw.oopen.de
ga-gh-gw.oopen.de
gw-campus.oopen.de
ga-st-lxc1.ga.netz
@@ -1914,6 +1916,7 @@ ga-st-gw.ga.netz
ga-st-gw-neu.ga.netz
ga-al-gw.oopen.de
ga-nh-gw.oopen.de
ga-gh-gw.oopen.de
gw-campus.oopen.de
@@ -1994,6 +1997,7 @@ ga-al-kvm2.ga.netz
ga-al-kvm3.ga.netz
ga-al-relay.ga.netz
ga-nh-gw.oopen.de.yml
ga-gh-gw.oopen.de
gw-campus.oopen.de
ga-st-lxc1.ga.netz
ga-st-mail.ga.netz
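Review bot: The context line `ga-nh-gw.oopen.de.yml` in the fourth hunk (`@@ -1994,6 +1997,7 @@ ga-al-kvm2.ga.netz`) looks like a stray `.yml` suffix on an inventory hostname; as written Ansible treats it as a separate, unresolvable host, and the real `ga-nh-gw.oopen.de` silently misses whatever this group applies. The other three hunks list the same neighbours without the suffix, so `ga-nh-gw.oopen.de` is presumably intended here as well. It is pre-existing, but the commit edits the same group, so fixing it in this change is cheap.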


@@ -1,47 +1,68 @@
---
- name: re-synchronize the package index files from their sources
raw: apt-get update
- name: Ensure python3 and python3-apt are present (bootstrap)
ansible.builtin.raw: |
test -x /usr/bin/python3 && dpkg -s python3-apt >/dev/null 2>&1 \
|| (apt-get update -y && apt-get install -y python3 python3-apt)
changed_when: false
- name: Ensure aptitude is present
raw: test -e /usr/bin/aptitude || apt-get install aptitude -y
- name: Ensure python3 is present (This is necessary for ansible to work properly)
raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3)
# Ab dem Zeitpunkt in dem Python auf dem Zielsystem vorhanden ist,
# kann Ansible wieder normale Module (wie apt, file, service, copy, usw.) benutzen.
#
# Aber:
# Da gather_facts: false gesetzt war, hat Ansible bis hierher keine Systeminformationen (Facts) wie:
#
# ansible_distribution
#
# ansible_fqdn
#
# ansible_memtotal_mb
#
# ansible_interfaces
#
# etc.
# eingesammelt.
#
# Rufe das 'setup'-Modul manuell auf mit:
#
# - name: Enable facts now that Python exists
# ansible.builtin.setup:
#
# Damit holt Ansible nachträglich die Facts, jetzt, wo Python verfügbar ist.
#
- name: Enable facts now that Python exists
ansible.builtin.setup:
- name: Ensure python-is-python3 is present (This is necessary for ansible to work properly)
raw: test -e /usr/bin/python3 && (apt -y update && apt install -y python-is-python3)
- name: Ensure python-apt-common is present (This is necessary for ansible to work properly)
raw: test -e /usr/bin/python && (apt -y update && apt install -y python-apt-common)
- name: Ensure aptitude is present (optional)
ansible.builtin.raw: |
test -x /usr/bin/aptitude || (apt-get update -y && apt-get install -y aptitude)
changed_when: false
when: (aptitude_needed | default(false)) | bool
- name: Ensure python-apt is present (This is necessary for ansible to work properly)
raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-apt)
- name: dpkg --configure -a
command: >
dpkg --configure -a
args:
warn: false
changed_when: _dpkg_configure.stdout_lines | length
register: _dpkg_configure
when: apt_dpkg_configure|bool
tags:
- ansible-dependencies
- name: apt upgrade
apt:
upgrade: "{{ apt_upgrade_type }}"
- name: Update apt cache
ansible.builtin.apt:
update_cache: true
dpkg_options: "{{ apt_upgrade_dpkg_options | join(',') }}"
when: apt_upgrade|bool
tags:
- ansible-dependencies
cache_valid_time: "{{ apt_update_cache_valid_time | default(3600) }}"
- name: apt install ansible dependencies
apt:
name: "{{ apt_ansible_dependencies_trixie }}"
state: "{{ apt_install_state }}"
tags:
- ansible-dependencies
- name: Fix half-configured packages (dpkg --configure -a)
ansible.builtin.command: dpkg --configure -a
register: dpkg_config
changed_when: (dpkg_config.stdout | default('')) | length > 0
when: (apt_dpkg_configure | default(true)) | bool
tags: [ansible-dependencies]
- name: Upgrade packages
ansible.builtin.apt:
upgrade: "{{ apt_upgrade_type | default('safe') }}"
update_cache: true
dpkg_options: "{{ (apt_upgrade_dpkg_options | default(['force-confdef','force-confold'])) | join(',') }}"
when: (apt_upgrade | default(false)) | bool
tags: [ansible-dependencies]
- name: Install Ansible dependencies
ansible.builtin.apt:
name: "{{ apt_ansible_dependencies_trixie | default(['python3','python3-apt']) }}"
state: "{{ apt_install_state | default('present') }}"
tags: [ansible-dependencies]
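Review bot: The bootstrap task `Ensure python3 and python3-apt are present (bootstrap)` installs packages via `apt-get install -y` yet sets `changed_when: false`, so a run that actually installs Python is reported as unchanged and the recap hides the modification. Registering the result and deriving the status from dpkg's output keeps the report honest: `register: bootstrap_py` and `changed_when: "'Setting up' in (bootstrap_py.stdout | default(''))"`. The same pattern is in `Ensure aptitude is present (optional)` and in the two new task files that follow (`@@ -0,0 +1,68 @@` and `@@ -0,0 +1,72 @@`). Separately, `Upgrade packages` passes `update_cache: true` right after `Update apt cache` already refreshed the index under `cache_valid_time`; dropping it there (or giving the upgrade task the same `cache_valid_time`) avoids a second `apt-get update` on every run.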


@@ -0,0 +1,68 @@
---
- name: Ensure python3 and python3-apt are present (bootstrap)
ansible.builtin.raw: |
test -x /usr/bin/python3 && dpkg -s python3-apt >/dev/null 2>&1 \
|| (apt-get update -y && apt-get install -y python3 python3-apt)
changed_when: false
# Ab dem Zeitpunkt in dem Python auf dem Zielsystem vorhanden ist,
# kann Ansible wieder normale Module (wie apt, file, service, copy, usw.) benutzen.
#
# Aber:
# Da gather_facts: false gesetzt war, hat Ansible bis hierher keine Systeminformationen (Facts) wie:
#
# ansible_distribution
#
# ansible_fqdn
#
# ansible_memtotal_mb
#
# ansible_interfaces
#
# etc.
# eingesammelt.
#
# Rufe das 'setup'-Modul manuell auf mit:
#
# - name: Enable facts now that Python exists
# ansible.builtin.setup:
#
# Damit holt Ansible nachträglich die Facts, jetzt, wo Python verfügbar ist.
#
- name: Enable facts now that Python exists
ansible.builtin.setup:
- name: Ensure aptitude is present (optional)
ansible.builtin.raw: |
test -x /usr/bin/aptitude || (apt-get update -y && apt-get install -y aptitude)
changed_when: false
when: (aptitude_needed | default(false)) | bool
- name: Update apt cache
ansible.builtin.apt:
update_cache: true
cache_valid_time: "{{ apt_update_cache_valid_time | default(3600) }}"
- name: Fix half-configured packages (dpkg --configure -a)
ansible.builtin.command: dpkg --configure -a
register: dpkg_config
changed_when: (dpkg_config.stdout | default('')) | length > 0
when: (apt_dpkg_configure | default(true)) | bool
tags: [ansible-dependencies]
- name: Upgrade packages
ansible.builtin.apt:
upgrade: "{{ apt_upgrade_type | default('safe') }}"
update_cache: true
dpkg_options: "{{ (apt_upgrade_dpkg_options | default(['force-confdef','force-confold'])) | join(',') }}"
when: (apt_upgrade | default(false)) | bool
tags: [ansible-dependencies]
- name: Install Ansible dependencies
ansible.builtin.apt:
name: "{{ apt_ansible_dependencies_trixie | default(['python3','python3-apt']) }}"
state: "{{ apt_install_state | default('present') }}"
tags: [ansible-dependencies]


@@ -0,0 +1,72 @@
---
# --- Nur fürs Bootstrap, damit Python für Ansible verfügbar ist ---
- name: Ensure python3 and python3-apt are present (bootstrap)
ansible.builtin.raw: |
test -x /usr/bin/python3 || (apt-get -y update && apt-get install -y python3)
test -x /usr/bin/python3 && (apt-get -y update && apt-get install -y python3-apt)
changed_when: false
# Ab dem Zeitpunkt in dem Python auf dem Zielsystem vorhanden ist,
# kann Ansible wieder normale Module (wie apt, file, service, copy, usw.) benutzen.
#
# Aber:
# Da gather_facts: false gesetzt war, hat Ansible bis hierher keine Systeminformationen (Facts) wie:
#
# ansible_distribution
#
# ansible_fqdn
#
# ansible_memtotal_mb
#
# ansible_interfaces
#
# etc.
# eingesammelt.
#
# Rufe das 'setup'-Modul manuell auf mit:
#
# - name: Enable facts now that Python exists
# ansible.builtin.setup:
#
# Damit holt Ansible nachträglich die Facts, jetzt, wo Python verfügbar ist.
#
- name: Enable facts now that Python exists
ansible.builtin.setup:
# --- Ab hier normale Module verwenden ---
- name: Update APT cache
ansible.builtin.apt:
update_cache: true
cache_valid_time: "{{ apt_update_cache_valid_time | default(3600) }}"
tags: [ansible-dependencies]
- name: Ensure aptitude is present
ansible.builtin.apt:
name: aptitude
state: present
tags: [ansible-dependencies]
- name: dpkg --configure -a
ansible.builtin.command: dpkg --configure -a
register: dpkg_out
# "changed" nur, wenn es wirklich etwas ausgibt/konfiguriert
changed_when: dpkg_out.stdout is defined and dpkg_out.stdout | length > 0
when: apt_dpkg_configure | bool
tags: [ansible-dependencies]
- name: apt upgrade
ansible.builtin.apt:
upgrade: "{{ apt_upgrade_type }}"
update_cache: true
dpkg_options: "{{ apt_upgrade_dpkg_options | join(',') }}"
when: apt_upgrade | bool
tags: [ansible-dependencies]
- name: apt install ansible dependencies
ansible.builtin.apt:
name: "{{ apt_ansible_dependencies_trixie }}"
state: "{{ apt_install_state }}"
tags: [ansible-dependencies]
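Review bot: The second line of the bootstrap `raw` script, `test -x /usr/bin/python3 && (apt-get -y update && apt-get install -y python3-apt)`, runs `apt-get update` plus an install attempt on every play once Python is present, because it never checks whether `python3-apt` is already installed; with `changed_when: false` that work is also invisible in the recap. The sibling file in this commit already has the idempotent form, `test -x /usr/bin/python3 && dpkg -s python3-apt >/dev/null 2>&1 || (apt-get update -y && apt-get install -y python3 python3-apt)`, which can replace both lines here. The `dpkg --configure -a` and `apt upgrade` tasks in this variant use `apt_dpkg_configure | bool` and `apt_upgrade | bool` without the `default()` guards the sibling applies, so an inventory that omits those variables fails here but not there — worth aligning one way.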


@@ -8,7 +8,10 @@
group: root
mode: 0644
register: apt_config_updated
when: apt_manage_sources_list|bool
when:
- apt_manage_sources_list|bool
- ansible_facts['distribution'] == 'Debian'
- (ansible_facts['distribution_major_version'] | int) < 13
tags:
- apt-configuration
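Review bot: The extended `when` now skips the `sources.list` deployment for every host whose `ansible_facts['distribution']` is not exactly `'Debian'`, so apt-based derivatives (Ubuntu, Raspbian) that were previously managed whenever `apt_manage_sources_list` was true silently stop being managed; if that is intended it deserves a comment, otherwise `- ansible_facts['distribution'] != 'Debian' or (ansible_facts['distribution_major_version'] | int) < 13` keeps the old behaviour for non-Debian hosts and only excludes Debian 13+. The condition also depends on gathered facts: in a play with `gather_facts: false` and no prior `setup`, `ansible_facts['distribution']` is undefined and the task errors rather than skipping, so either a guard such as `- ansible_facts['distribution'] is defined` or fact gathering in the calling play should be confirmed. The enclosing task starts outside the hunk.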


@@ -32,8 +32,7 @@
git:
repo: "{{ git_firewall_repository.repo }}"
dest: "{{ git_firewall_repository.dest }}"
#when: git_firewall_repository is defined and git_firewall_repository > 0
when: git_firewall_repository|bool
when: git_firewall_repository is defined and git_firewall_repository | length > 0
tags:
- git-firewall-repository
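Review bot: The `git:` clone of `git_firewall_repository.repo` into `git_firewall_repository.dest` shows no `version:` argument in the visible lines, so each run fast-forwards the checkout to the remote default-branch HEAD; for firewall code deployed to gateways, anyone who can push to that remote changes what runs on the hosts at the next play. Pinning through the existing mapping, `version: "{{ git_firewall_repository.version | default('HEAD') }}"`, keeps today's behaviour until a `version:` key (tag or commit) is added to the variable and lets the inventory record exactly what is deployed. The rewritten condition works because `git_firewall_repository` is a mapping (`| length` counts its keys); `git_firewall_repository is mapping` would state that intent more directly. The task starts outside the hunk.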


@@ -56,6 +56,16 @@
tags: yum
# tags supportetd inside caching-nameserver.yml
#
# apt-caching-nameserver
# yum-caching-nameserver
#
- import_tasks: caching-nameserver.yml
when: groups['caching_nameserver']|string is search(inventory_hostname)
tags: caching-nameserver
# tags supported inside systemd-resolved.yml
#
# systemd-resolved
@@ -270,16 +280,6 @@
tags:
- redis-server
# tags supportetd inside caching-nameserver.yml
#
# apt-caching-nameserver
# yum-caching-nameserver
#
- import_tasks: caching-nameserver.yml
when: groups['caching_nameserver']|string is search(inventory_hostname)
tags: caching-nameserver
- import_tasks: mysql.yml
when: groups['mysql_server']|string is search(inventory_hostname)
tags:
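Review bot: The moved import still uses `groups['caching_nameserver']|string is search(inventory_hostname)`, a substring match on the stringified group list, so a host whose name is a prefix of another member (for example a constructed `gw` against `gw-campus`) matches and receives a caching nameserver it is not in the group for. The samba tasks in this same commit switch to the exact membership test; use it here as well for consistency and correctness: `when: inventory_hostname in groups['caching_nameserver'] | default([])`, where `default([])` avoids a template error on inventories without that group. The same `is search` pattern remains on the `mysql_server` import two lines below.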


@@ -92,14 +92,13 @@
# ---
- name: (samba-config-server.yml) Check if file '/root/bin/samba/clean_samba_trash.sh' exists
stat:
ansible.builtin.stat:
path: /root/bin/samba/clean_samba_trash.sh
register: clean_samba_trash_exists
when:
- "groups['samba_server']|string is search(inventory_hostname)"
tags:
- samba-server
- samba-cron
- inventory_hostname in groups['samba_server']
tags: [samba-server, samba-cron]
- name: (samba-config-server.yml) Adjust configuration for script 'clean_samba_trash.sh'
template:
@@ -114,36 +113,33 @@
- name: (samba-config-server.yml) Check if cleaning up trash dirs is configured
lineinfile:
ansible.builtin.lineinfile:
path: /root/bin/samba/conf/clean_samba_trash.conf
regexp: "^trash_dirs=*"
regexp: '^trash_dirs=*'
state: absent
check_mode: yes
check_mode: true
changed_when: false
register: clean_samba_trash_dirs
when:
- "groups['samba_server']|string is search(inventory_hostname)"
tags:
- samba-server
- samba-cron
- inventory_hostname in groups['samba_server']
tags: [samba-server, samba-cron]
- name: (samba-config-server.yml) Creates a cron job for cleaning up samba trash dirs
cron:
name: '{{ samba_cronjob_trash_dirs.name }}'
minute: '{{ samba_cronjob_trash_dirs.minute }}'
ansible.builtin.cron:
name: "{{ samba_cronjob_trash_dirs.name }}"
minute: "{{ samba_cronjob_trash_dirs.minute }}"
hour: "{{ samba_cronjob_trash_dirs.hour | default('*') }}"
day: "{{ samba_cronjob_trash_dirs.hour.day | default('*') }}"
month: "{{ samba_cronjob_trash_dirs.hour.month| default('*') }}"
weekday: "{{ samba_cronjob_trash_dirs.hour.weekday| default('*') }}"
day: "{{ samba_cronjob_trash_dirs.day | default('*') }}"
month: "{{ samba_cronjob_trash_dirs.month | default('*') }}"
weekday: "{{ samba_cronjob_trash_dirs.weekday | default('*') }}"
user: "{{ samba_cronjob_trash_dirs.user | default('root') }}"
job: "{{ samba_cronjob_trash_dirs.job }}"
when:
- "groups['samba_server']|string is search(inventory_hostname)"
- clean_samba_trash_exists.stat.exists|bool and clean_samba_trash_dirs.found
tags:
- samba-server
- samba-cron
- inventory_hostname in groups['samba_server']
- clean_samba_trash_exists.stat.exists | bool
- (clean_samba_trash_dirs.found | int) > 0
tags: [samba-server, samba-cron]
# ---
@@ -151,31 +147,28 @@
# ---
- name: (samba-config-server.yml) Check if file '/root/bin/samba/set_permissions_samba_shares.sh' exists
stat:
ansible.builtin.stat:
path: /root/bin/samba/set_permissions_samba_shares.sh
register: set_permissions_on_samba_shares_exists
when:
- "groups['samba_server']|string is search(inventory_hostname)"
tags:
- samba-server
- samba-cron
- inventory_hostname in groups['samba_server']
tags: [samba-server, samba-cron]
- name: (samba-config-server.yml) Adjust configuration for script 'set_permissions_samba_shares.sh'
template:
ansible.builtin.template:
dest: /root/bin/samba/conf/set_permissions_samba_shares.conf
src: root/bin/samba/conf/set_permissions_samba_shares.conf.j2
when:
- "groups['samba_server']|string is search(inventory_hostname)"
- inventory_hostname in groups['samba_server']
- set_permissions_on_samba_shares_exists.stat.exists | bool
tags:
- samba-server
- samba-cron
tags: [samba-server, samba-cron]
- name: (samba-config-server.yml) Creates a cron job for cleaning up samba trash dirs
cron:
name: '{{ samba_cronjob_permissions.name }}'
minute: '{{ samba_cronjob_permissions.minute }}'
- name: (samba-config-server.yml) Creates a cron job for setting permissions to samba dirs
ansible.builtin.cron:
name: "{{ samba_cronjob_permissions.name }}"
minute: "{{ samba_cronjob_permissions.minute }}"
hour: "{{ samba_cronjob_permissions.hour | default('*') }}"
day: "{{ samba_cronjob_permissions.day | default('*') }}"
month: "{{ samba_cronjob_permissions.month | default('*') }}"
@@ -183,9 +176,8 @@
user: "{{ samba_cronjob_permissions.user | default('root') }}"
job: "{{ samba_cronjob_permissions.job }}"
when:
- "groups['samba_server']|string is search(inventory_hostname)"
- clean_samba_trash_dirs.found
tags:
- samba-server
- samba-cron
- inventory_hostname in groups['samba_server']
- (clean_samba_trash_dirs.found | int) > 0 # << int -> bool
tags: [samba-server, samba-cron]
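Review bot: The `Creates a cron job for setting permissions to samba dirs` task is still gated on `(clean_samba_trash_dirs.found | int) > 0`, the result of the trash-dirs `lineinfile` check, not on the permissions script it schedules; with trash cleanup unconfigured the permissions cron is never created, and with the script missing it is created anyway. The condition the task itself suggests is `- set_permissions_on_samba_shares_exists.stat.exists | bool`, mirroring how the trash cron is gated on `clean_samba_trash_exists.stat.exists | bool`. In the lineinfile check, `regexp: '^trash_dirs=*'` means "`trash_dirs` followed by zero or more `=`", so an empty `trash_dirs=` assignment also counts as configured; `'^trash_dirs=.+'` would only count a non-empty value — confirm against the config file format.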


@@ -17,6 +17,7 @@
local_action: stat path={{ inventory_dir }}/files/homedirs/root
register: local_template_dir_root
# --
# Copy .bashrc
# ---
@@ -40,22 +41,40 @@
tags:
- bash
- name: (users-systemfiles.yml) copy .bashrc if it exists
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_bashrc') }}"
dest: "~{{ item.item.name }}/.bashrc"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
loop: "{{ local_template_dir_default_user.results }}"
# 1. Prüfen, ob für jeden User ein lokales _bashrc existiert
- name: (users-systemfiles.yml) stat user _bashrc
ansible.builtin.stat:
path: "{{ inventory_dir }}/files/homedirs/{{ item.name }}/_bashrc"
delegate_to: localhost
become: false
loop: "{{ default_user }}"
register: bashrc_stats
loop_control:
label: '{{ item.item.name }}'
label: '{{ item.name }}'
# 2. Falls vorhanden, Datei kopieren
- name: (users-systemfiles.yml) copy .bashrc if it exists
ansible.builtin.copy:
src: "{{ inventory_dir }}/files/homedirs/{{ user.name }}/_bashrc"
dest: "~{{ user.name }}/.bashrc"
owner: "{{ user.name }}"
group: "{{ user.name }}"
mode: '0644'
loop: "{{ default_user | zip(bashrc_stats.results) | list }}"
loop_control:
label: "{{ user.name }}"
when:
- item.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_bashrc')
- stat_result.stat.exists
vars:
user: "{{ item.0 }}"
stat_result: "{{ item.1 }}"
tags:
- bash
# --
# -- root user
# --
- name: (users-systemfiles.yml) Check if file '/root/.bashrc.ORIG' exists
stat:
path: /root/.bashrc.ORIG
@@ -69,19 +88,28 @@
tags:
- bash
- name: (users-systemfiles.yml) copy .bashrc for user root
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/root/_bashrc') }}"
dest: "/root/.bashrc"
# 1) Prüfen ob die _bashrc für root auf dem Control-Node existiert
- name: stat root _bashrc on control node
ansible.builtin.stat:
path: "{{ inventory_dir }}/files/homedirs/root/_bashrc"
delegate_to: localhost
become: false
register: bashrc_root_stat
# 2) Wenn vorhanden, kopieren wir sie nach /root/.bashrc auf dem Zielhost
- name: copy root .bashrc if it exists
ansible.builtin.copy:
src: "{{ inventory_dir }}/files/homedirs/root/_bashrc"
dest: /root/.bashrc
owner: root
group: root
mode: 0644
when:
- local_template_dir_root.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/root/_bashrc')
mode: '0644'
become: true
when: bashrc_root_stat.stat.exists
tags:
- bash
# --
# Copy .profile (Debian System)
# ---
@@ -109,22 +137,40 @@
tags:
- profile
- name: (users-systemfiles.yml) copy .profile if it exists
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_profile') }}"
dest: "~{{ item.item.name }}/.profile"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
loop: "{{ local_template_dir_default_user.results }}"
# 1. Prüfen, ob für jeden User ein lokales _profile existiert
- name: (users-systemfiles.yml) stat user _profile
ansible.builtin.stat:
path: "{{ inventory_dir }}/files/homedirs/{{ item.name }}/_profile"
delegate_to: localhost
become: false
loop: "{{ default_user }}"
register: profile_stats
loop_control:
label: '{{ item.item.name }}'
label: '{{ item.name }}'
# 2. Falls vorhanden, Datei kopieren
- name: (users-systemfiles.yml) copy .profile if it exists
ansible.builtin.copy:
src: "{{ inventory_dir }}/files/homedirs/{{ user.name }}/_profile"
dest: "~{{ user.name }}/.profile"
owner: "{{ user.name }}"
group: "{{ user.name }}"
mode: '0644'
loop: "{{ default_user | zip(profile_stats.results) | list }}"
loop_control:
label: "{{ user.name }}"
when:
- ansible_facts['distribution'] == "Debian"
- item.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_profile')
- stat_result.stat.exists
vars:
user: "{{ item.0 }}"
stat_result: "{{ item.1 }}"
tags:
- profile
- bash
# --
# -- root user
# --
- name: (users-systemfiles.yml) Check if file '/root/.profile.ORIG' exists
stat:
@@ -143,19 +189,27 @@
tags:
- profile
- name: (users-systemfiles.yml) copy .profile for user root
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/root/_profile') }}"
dest: "/root/.profile"
# 1) Prüfen ob die _profile für root auf dem Control-Node existiert
- name: stat root _profile on control node
ansible.builtin.stat:
path: "{{ inventory_dir }}/files/homedirs/root/_profile"
delegate_to: localhost
become: false
register: profile_root_stat
# 2) Wenn vorhanden, kopieren wir sie nach /root/.profile auf dem Zielhost
- name: copy root .profile if it exists
ansible.builtin.copy:
src: "{{ inventory_dir }}/files/homedirs/root/_profile"
dest: /root/.profile
owner: root
group: root
mode: 0644
when:
- ansible_facts['distribution'] == "Debian"
- local_template_dir_root.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/root/_profile')
mode: '0644'
become: true
when: profile_root_stat.stat.exists
tags:
- profile
- bash
# --
# Copy .bash_profile (CentOS/Fedora?/RedHat? System)
@@ -184,23 +238,43 @@
tags:
- profile
- name: (users-systemfiles.yml) copy .bash_profile if it exists
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_bash_profile') }}"
dest: "~{{ item.item.name }}/.bash_profile"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
loop: "{{ local_template_dir_default_user.results }}"
# 1. Prüfen, ob für jeden User ein lokales _bash_profile existiert
- name: (users-systemfiles.yml) stat user _bash_profile
ansible.builtin.stat:
path: "{{ inventory_dir }}/files/homedirs/{{ item.name }}/_bash_profile"
delegate_to: localhost
become: false
loop: "{{ default_user }}"
register: bash_profile_stats
loop_control:
label: '{{ item.item.name }}'
label: '{{ item.name }}'
when:
- ansible_facts['distribution'] == "CentOS"
- item.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_bash_profile')
tags:
- profile
# 2. Falls vorhanden, Datei kopieren
- name: (users-systemfiles.yml) copy .bash_profile if it exists
ansible.builtin.copy:
src: "{{ inventory_dir }}/files/homedirs/{{ user.name }}/_bash_profile"
dest: "~{{ user.name }}/.bash_profile"
owner: "{{ user.name }}"
group: "{{ user.name }}"
mode: '0644'
loop: "{{ default_user | zip(bash_profile_stats.results) | list }}"
loop_control:
label: "{{ user.name }}"
when:
- ansible_facts['distribution'] == "CentOS"
- stat_result.stat.exists
vars:
user: "{{ item.0 }}"
stat_result: "{{ item.1 }}"
tags:
- bash
# --
# -- root user
# --
- name: (users-systemfiles.yml) Check if file '/root/.bash_profile.ORIG' exists
stat:
@@ -219,94 +293,171 @@
tags:
- profile
- name: (users-systemfiles.yml) copy .bash_profile for user root
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/root/_bash_profile') }}"
dest: "/root/.bash_profile"
owner: root
group: root
mode: 0644
# 1) Prüfen ob die _bash_profile für root auf dem Control-Node existiert
- name: stat root _bash_profile on control node
ansible.builtin.stat:
path: "{{ inventory_dir }}/files/homedirs/root/_bash_profile"
delegate_to: localhost
become: false
register: bash_profile_root_stat
when:
- ansible_facts['distribution'] == "CentOS"
- local_template_dir_root.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/root/_bash_profile')
# 2) Wenn vorhanden, kopieren wir sie nach /root/.bash_profile auf dem Zielhost
- name: copy root .bash_profile if it exists
ansible.builtin.copy:
src: "{{ inventory_dir }}/files/homedirs/root/_bash_profile"
dest: /root/.bash_profile
owner: root
group: root
mode: '0644'
become: true
when:
- ansible_facts['distribution'] == "CentOS"
- bash_profile_root_stat.stat.exists
tags:
- profile
- bash
# --
# Copy .vimrc
# ---
- name: (users-systemfiles.yml) copy .vimrc if it exists
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_vimrc') }}"
dest: "~{{ item.item.name }}/.vimrc"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
loop: "{{ local_template_dir_default_user.results }}"
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_vimrc')
tags:
- vim
- name: (users-systemfiles.yml) Check if .vim directory exists for default users
local_action: stat path={{ inventory_dir }}/files/homedirs/{{ item.name }}/.vim
with_items: "{{ default_user }}"
# 1. Prüfen, ob für jeden User ein lokales _vimrc existiert
- name: (users-systemfiles.yml) stat user _vimrc
ansible.builtin.stat:
path: "{{ inventory_dir }}/files/homedirs/{{ item.name }}/_vimrc"
delegate_to: localhost
become: false
loop: "{{ default_user }}"
register: vimrc_stats
loop_control:
label: '{{ item.name }}'
register: local_template_dir_dotvim_default_user
- name: (users-systemfiles.yml) copy .vim directory if it exists
copy:
src: "{{ inventory_dir + '/files/homedirs/' + item.item.name + '/.vim' }}"
dest: "~{{ item.item.name }}"
owner: "{{ item.item.name }}"
group: "{{ item.item.name }}"
mode: 0644
with_items: "{{ local_template_dir_dotvim_default_user.results }}"
# 2. Falls vorhanden, Datei kopieren
- name: (users-systemfiles.yml) copy .vimrc if it exists
ansible.builtin.copy:
src: "{{ inventory_dir }}/files/homedirs/{{ user.name }}/_vimrc"
dest: "~{{ user.name }}/.vimrc"
owner: "{{ user.name }}"
group: "{{ user.name }}"
mode: '0644'
loop: "{{ default_user | zip(vimrc_stats.results) | list }}"
loop_control:
label: '{{ item.item.name }}'
label: "{{ user.name }}"
when:
- item.stat.exists
- stat_result.stat.exists
vars:
user: "{{ item.0 }}"
stat_result: "{{ item.1 }}"
tags:
- vim
- bash
- name: (users-systemfiles.yml) copy .vimrc for user root
copy:
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/root/_vimrc') }}"
dest: "/root/.vimrc"
# 1) Lokal prüfen, ob ~/.vim existiert
- name: (users-systemfiles.yml) stat local .vim for each user
ansible.builtin.stat:
path: "{{ inventory_dir }}/files/homedirs/{{ item.name }}/.vim"
delegate_to: localhost
become: false
loop: "{{ default_user }}"
register: dotvim_stats
loop_control:
label: "{{ item.name }}"
# 2) Wenn vorhanden, .vim-Verzeichnis ins Home des Users kopieren
- name: (users-systemfiles.yml) copy .vim directory if it exists
ansible.builtin.copy:
# Wichtig: KEINE verschachtelten {{ ... }} im String
src: "{{ inventory_dir }}/files/homedirs/{{ user.name }}/.vim"
dest: "~{{ user.name }}/"
mode: preserve # oder weglassen; 0644 wäre für Verzeichnisse falsch
become: true
loop: "{{ default_user | zip(dotvim_stats.results) | list }}"
loop_control:
label: "{{ user.name }}"
when:
- stat_result.stat.exists | bool
vars:
user: "{{ item.0 }}"
stat_result: "{{ item.1 }}"
tags: [vim]
# 3) Ownership/Gruppe rekursiv korrigieren (falls gewünscht/erforderlich)
- name: (users-systemfiles.yml) ensure ownership on ~/.vim recursively
ansible.builtin.file:
path: "~{{ user.name }}/.vim"
owner: "{{ user.name }}"
group: "{{ user.name }}"
recurse: true
state: directory
become: true
loop: "{{ default_user | zip(dotvim_stats.results) | list }}"
loop_control:
label: "{{ user.name }}"
when:
- stat_result.stat.exists | bool
vars:
user: "{{ item.0 }}"
stat_result: "{{ item.1 }}"
tags: [vim]
# --
# -- root user
# --
# 1) Prüfen ob die _vimrc für root auf dem Control-Node existiert
- name: stat root _vimrc on control node
ansible.builtin.stat:
path: "{{ inventory_dir }}/files/homedirs/root/_vimrc"
delegate_to: localhost
become: false
register: vimrc_root_stat
# 2) Wenn vorhanden, kopieren wir sie nach /root/.vimrc auf dem Zielhost
- name: copy root .vimrc if it exists
ansible.builtin.copy:
src: "{{ inventory_dir }}/files/homedirs/root/_vimrc"
dest: /root/.vimrc
owner: root
group: root
mode: 0644
mode: '0644'
become: true
when:
- local_template_dir_root.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/root/_vimrc')
- vimrc_root_stat.stat.exists
tags:
- vim
- bash
# 1) Lokal prüfen, ob ./files/homedirs/root/.vim existiert
- name: (users-systemfiles.yml) stat local .vim for root
ansible.builtin.stat:
path: "{{ inventory_dir }}/files/homedirs/root/.vim"
delegate_to: localhost
become: false
register: root_dotvim_stat
tags: [vim]
- name: (users-systemfiles.yml) Check if local template directory .vim exists for user root
local_action: stat path={{ inventory_dir }}/files/homedirs/root/.vim
register: local_template_dir_vim_root
with_items: 'root'
loop_control:
label: 'root'
# 2) Wenn vorhanden, nach /root/ kopieren
- name: (users-systemfiles.yml) copy root .vim directory if it exists
ansible.builtin.copy:
src: "{{ inventory_dir }}/files/homedirs/root/.vim"
dest: "/root/"
mode: preserve # oder weglassen; nicht 0644 bei Verzeichnissen
become: true
when:
- root_dotvim_stat.stat.exists | bool
tags: [vim]
- name: (users-systemfiles.yml) copy .vim directory for user root if it exists
copy:
src: "{{ inventory_dir + '/files/homedirs/root/.vim' }}"
dest: "/root"
# 3) Ownership sicherstellen (rekursiv)
- name: (users-systemfiles.yml) ensure ownership on /root/.vim recursively
ansible.builtin.file:
path: "/root/.vim"
owner: "root"
group: "root"
mode: 0644
with_items: "{{ local_template_dir_vim_root.results }}"
loop_control:
label: 'root'
recurse: true
state: directory
become: true
when:
- item.stat.exists
tags:
- vim
- root_dotvim_stat.stat.exists | bool
tags: [vim]
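Review bot: The rewritten per-user copy tasks set `group: "{{ user.name }}"`, assuming each default user's primary group equals its username; the user entries in this inventory carry an explicit `group:` key (`group: back` for user `back`), so `group: "{{ user.group | default(user.name) }}"` would honour that field where it differs and fall back to today's behaviour otherwise — assuming `default_user` is that same list, which the hunk does not show. The new root tasks (`stat root _bashrc on control node`, `copy root .bashrc if it exists`, and their `_profile`, `_bash_profile` and `_vimrc` counterparts) drop the `(users-systemfiles.yml)` name prefix every other task in this file uses, which makes play output harder to trace back here. The `.vim` directory copies rely on `mode: preserve`, which takes the control node's permissions, and the follow-up `file` tasks fix ownership but not modes; confirm that a checkout with group-writable files is acceptable in user homes, or set `mode`/`directory_mode` explicitly.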


@@ -36,7 +36,7 @@ _SASL_PASS=
_RELAY_HOST=true
_SYMPA_LIST_SERVER=true
{% else %}
_RELAY_HOST="{{ is_relay_host | default('false') }}"
_RELAY_HOST={{ is_relay_host | default('false') }}
_SYMPA_LIST_SERVER=false
{% endif %}
_INSTALL_DMARC_REPORT_SUPPORT={{ support_dmarc_reporting | default('false') }}
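Review bot: Dropping the quotes around `_RELAY_HOST={{ is_relay_host | default('false') }}` does not address the likely rendering problem: if `is_relay_host` is set as a YAML boolean, Jinja renders `True`/`False`, while the `{% if %}` branch above writes `_RELAY_HOST=true` in lowercase, so a consuming script that compares against `true`/`false` sees two spellings of the same setting. Normalising the value, `_RELAY_HOST={{ is_relay_host | default(false) | bool | lower }}`, renders `true`/`false` for booleans and strings alike. The same applies to `_INSTALL_DMARC_REPORT_SUPPORT={{ support_dmarc_reporting | default('false') }}` on the last context line.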


@@ -0,0 +1,4 @@
# Backports nicht automatisch bevorzugen
Package: *
Pin: release n={{ target_release }}-backports
Pin-Priority: {{ backports_pin_priority }}


@@ -0,0 +1,8 @@
# Verwaltet via Ansible - Backports für {{ target_release }}
Types: deb deb-src
URIs: {{ debian_mirror }}
Suites: {{ target_release }}-backports
Components: {{ components }}
{% if use_signed_by %}
Signed-By: {{ signed_by_keyring }}
{% endif %}
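Review bot: When `use_signed_by` is false the stanza renders without a `Signed-By:` line, so APT accepts this backports source if it is signed by any key under `/etc/apt/trusted.gpg.d/`, not only by the Debian archive key. deb822 makes a per-source key cheap: render `Signed-By: {{ signed_by_keyring | default('/usr/share/keyrings/debian-archive-keyring.gpg') }}` unconditionally (that keyring is shipped by `debian-archive-keyring`, present on every Debian install) and keep `use_signed_by` only as an explicit opt-out if one is really needed. The same conditional block appears in the two following templates (`@@ -0,0 +1,15 @@` and the `@@ -0,0 +1,8 @@` security source).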


@@ -0,0 +1,15 @@
# Verwaltet via Ansible - Debian Basis & Updates für {{ target_release }}
Types: deb deb-src
URIs: {{ debian_mirror }}
Suites: {{ target_release }} {{ target_release }}-updates
Components: {{ components }}
Signed-By: default
EOF
# Verwaltet via Ansible - Debian Basis & Updates für {{ target_release }}
Types: deb deb-src
URIs: {{ debian_mirror }}
Suites: {{ target_release }} {{ target_release }}-updates
Components: {{ components }}
{% if use_signed_by %}
Signed-By: {{ signed_by_keyring }}
{% endif %}
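Review bot: The first six lines plus the literal `EOF` look like a heredoc paste that was never removed: the rendered `.sources` file contains two stanzas for the same suites, the first carrying `Signed-By: default` (neither a keyring path nor a fingerprint) followed by a bare `EOF`, and APT's deb822 parser will most likely reject the file on that malformed field — taking the base and updates suites offline on the migrated host. Delete everything up to and including `EOF` so only the second stanza (with the `use_signed_by` block) remains, matching the backports and security templates in this commit. The hunk covers the whole new file, so nothing is hidden outside it.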


@@ -0,0 +1,8 @@
# Verwaltet via Ansible - Security für {{ target_release }}
Types: deb deb-src
URIs: {{ security_mirror }}
Suites: {{ target_release }}-security
Components: {{ components }}
{% if use_signed_by %}
Signed-By: {{ signed_by_keyring }}
{% endif %}