ansible/oopen-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: ansible:6e60b3718e1f52d6104f1255f375f74077ef19eb
Branches Tags
ansible:master
...
compare: ansible:master
Branches Tags
ansible:master

24 Commits
6e60b3718e ... master

Author SHA1 Message Date
Christoph
6bcc70e8e2 backup.oopen.de.yml: add host 'ga-gh-gw' 2025-12-01 14:14:03 +01:00
Christoph
96737dc01e zapata.opp.netz.yml: Add new user account. 2025-12-01 12:32:38 +01:00
Christoph
028b4aa253 Add DNS Server georgshaus to the trusted internal name servers. 2025-12-01 11:35:53 +01:00
Christoph
a18c127a31 add host gw-gh-gw; task chaching-nameservice must run befor task systemd-resolved. 2025-11-30 15:18:11 +01:00
Christoph
c229b3378d update.. 2025-11-30 00:09:16 +01:00
Christoph
24aeb45e92 update.. 2025-11-25 00:23:27 +01:00
Christoph
4c406279e9 git.yml: 'bool' in when clause is deprecated. 2025-11-09 16:54:40 +01:00
Christoph
12aaebf5d9 Add bootstrao and dependenciy script for debian 13 (trixie)'. 2025-11-09 16:05:36 +01:00
Christoph
42fc2cdf58 update.. 2025-10-27 23:16:48 +01:00
Christoph
c9f41f1232 update.. 2025-10-27 18:11:43 +01:00
Christoph
c82630ccf2 update.. 2025-10-27 17:27:13 +01:00
Christoph
3d3f950dad Remove 'warn' - its no longer supported. 2025-10-16 19:29:14 +02:00
Christoph
06d4fda42a update.. 2025-10-16 18:11:42 +02:00
Christoph
6b0ae55eb0 Update.. 2025-09-25 01:33:05 +02:00
Christoph
e1f5243d11 update.. 2025-09-23 18:04:54 +02:00
Christoph
d7cab54470 Add support of insecure wide links 2025-08-20 10:24:35 +02:00
Christoph
b64076ed5d update.. 2025-08-10 10:19:51 +02:00
Christoph
e5321fc0d2 update... 2025-08-06 10:25:02 +02:00
Christoph
67ea094453 update.. 2025-08-04 18:39:16 +02:00
Christoph
a81cf75e13 update.. 2025-08-03 01:00:01 +02:00
Christoph
5d18b79372 update.. 2025-07-15 00:38:25 +02:00
Christoph
86a1d988c7 update.. 2025-06-06 10:31:05 +02:00
Christoph
7ca6f6a2ab update 2025-04-21 11:04:04 +02:00
Christoph
70c0c3bb7c update.. 2025-02-14 11:36:24 +01:00
95 changed files with 8503 additions and 1503 deletions
Expand all files Collapse all files

9
ansible-dependencies-trixie-sudo.yml Normal file
View File

@@ -0,0 +1,9 @@
---
- name: Bootstrap & Abhängigkeiten für Ansible auf Debian/Trixie
hosts: all
become: true
gather_facts: false
roles:
- role: ansible_dependencies-trixie
- role: ansible_user_debian

8
ansible-dependencies-trixie-sudo.yml.00 Normal file
View File

@@ -0,0 +1,8 @@
---
- hosts: initial_setup
gather_facts: false
roles:
- ansible_dependencies-trixie
- ansible_user_debian

15
ansible-dependencies-trixie.yml Normal file
View File

@@ -0,0 +1,15 @@
---
- hosts: Bootstrap & Abhängigkeiten für Ansible auf Debian/Trixie
remote_user: root
become: false
gather_facts: false
vars_prompt:
- name: ansible_ssh_pass
prompt: "Give root's password here"
roles:
- ansible_dependencies-trixie
- ansible_user_debian

11
ansible.cfg
View File

@@ -10,7 +10,16 @@
[defaults] [defaults]
ansible_managed = *** [ Ansible managed file: DO NOT EDIT DIRECTLY ] *** # [DEPRECATION WARNING] 'ansible_managed' used in ansible.cfg
#
# The `ansible_managed` variable can be set just like any other variable, or a different
# variable can be used.
#
# Alternatives: Set the `ansible_managed` variable, or use any custom variable in templates.
#
# This feature will be removed from ansible-core version 2.23.
#
#ansible_managed = *** [ Ansible managed file: DO NOT EDIT DIRECTLY ] ***
# Use of 'ansible_managed' # Use of 'ansible_managed'
# #

121
apt-migrate-to-trixie.yml Normal file
View File

@@ -0,0 +1,121 @@
---
# ---
# deb822 ist das neue Konfigurationsformats für APT-Quellen (Repositories).
# Es basiert auf der Debian Control Syntax nach RFC 822 daher der Name
# ---
- name: Nur APT auf Debian 13 (Trixie) migrieren
hosts: all
become: true
gather_facts: true
vars:
target_release: trixie
debian_mirror: "http://deb.debian.org/debian"
security_mirror: "http://security.debian.org/debian-security"
components: "main contrib non-free non-free-firmware"
enable_backports: true # auf false setzen, wenn du keine Backports willst
pin_backports_low: true # Backports nur auf Anfrage
# Nur manuelle Installation/Upgrade aus Backports:
# backports_pin_priority: 100
#
# Automatische Updates für bereits installierte Backports-Pakete.
# backports_pin_priority: 500 (>= 500)
#
backports_pin_priority: 100 # 100 = nie automatisch bevorzugen
apt_cache_valid_time: 3600
# Für offizielle Debian-Repos brauchst es kein Signed-By, weil debian-archive-keyring
# ohnehin systemweit vertrauenswürdig ist.
#
use_signed_by: true # oder false, wenn du Option A willst
# Wenn Signed-By explizit gesetzt werden soll, dann nutze den Keyring-Pfad und stelle sicher,
# dass das Paket installiert ist.
signed_by_keyring: "/usr/share/keyrings/debian-archive-keyring.gpg"
pre_tasks:
- name: Sicherstellen, dass wir Debian sind
assert:
that:
- ansible_facts['os_family'] == "Debian"
fail_msg: "Dieses Playbook ist nur für Debian geeignet."
tasks:
- name: Keyring für Debian-Archive sicherstellen (falls Signed-By genutzt)
ansible.builtin.apt:
name: debian-archive-keyring
state: present
when: use_signed_by
- name: (Optional) Alte /etc/apt/sources.list sichern
ansible.builtin.copy:
src: /etc/apt/sources.list
dest: /etc/apt/sources.list.before-trixie
remote_src: true
force: false
ignore_errors: true
- name: Alte /etc/apt/sources.list deaktivieren (leere Kommentar-Datei)
ansible.builtin.copy:
dest: /etc/apt/sources.list
content: |
# Verwaltet via Ansible. Repositories liegen in /etc/apt/sources.list.d/*.sources (deb822).
# Zielrelease: {{ target_release }}
owner: root
group: root
mode: "0644"
- name: Debian-Repo (deb + deb-src) als deb822 anlegen
ansible.builtin.template:
src: templates/apt-migrate-to-trixie/debian.sources.j2
dest: /etc/apt/sources.list.d/debian.sources
owner: root
group: root
mode: "0644"
- name: Security-Repo (deb + deb-src) als deb822 anlegen
ansible.builtin.template:
src: templates/apt-migrate-to-trixie/security.sources.j2
dest: /etc/apt/sources.list.d/security.sources
owner: root
group: root
mode: "0644"
- name: Backports-Repo (optional) als deb822 anlegen/entfernen
ansible.builtin.template:
src: templates/apt-migrate-to-trixie/backports.sources.j2
dest: /etc/apt/sources.list.d/backports.sources
owner: root
group: root
mode: "0644"
when: enable_backports
- name: Backports-Repo entfernen wenn deaktiviert
ansible.builtin.file:
path: /etc/apt/sources.list.d/backports.sources
state: absent
when: not enable_backports
- name: Optionales Backports-Pinning setzen
ansible.builtin.template:
src: templates/apt-migrate-to-trixie/99-backports.j2
dest: /etc/apt/preferences.d/99-backports
owner: root
group: root
mode: "0644"
when: enable_backports and pin_backports_low
- name: APT-Cache aktualisieren
ansible.builtin.apt:
update_cache: yes
cache_valid_time: "{{ apt_cache_valid_time }}"
- name: Verifikation - zeigen, ob Suites auf trixie stehen
ansible.builtin.command: apt-cache policy
register: apt_policy
changed_when: false
- name: Ausgabe anzeigen (nur Info)
ansible.builtin.debug:
msg: "{{ apt_policy.stdout.split('\n') | select('search', 'trixie') | list | join('\n') }}"

8
files/homedirs/axel/_profile
View File

@@ -25,6 +25,8 @@ fi
# to become the last directory the midnight commander was in # to become the last directory the midnight commander was in
# as the current directory when leaving the midnight commander # as the current directory when leaving the midnight commander
# #
#. /usr/lib/mc/bin/mc.sh if [ -f "/usr/share/mc/bin/mc.sh" ]; then
. /usr/share/mc/bin/mc.sh source /usr/share/mc/bin/mc.sh
elif [ -f "/usr/lib/mc/bin/mc.sh" ] ; then
source /usr/lib/mc/bin/mc.sh
fi

4
files/homedirs/back/_bashrc
View File

@@ -111,3 +111,7 @@ export EDITOR=vim
## - set beep more quiet ## - set beep more quiet
## - ## -
#xset b 10 500 50 #xset b 10 500 50
# turn off the beep (only in bash tab-complete ?)
# only if interactiv shell
[[ "$-" =~ "i" ]] && bind 'set bell-style none'

11
files/homedirs/back/_profile
View File

@@ -17,14 +17,17 @@ if [ -n "$BASH_VERSION" ]; then
fi fi
# set PATH so it includes user's private bin if it exists # set PATH so it includes user's private bin if it exists
if [ -d "$HOME/bin" ] ; then if [ -d "$HOME/.local/bin" ] ; then
PATH="$HOME/bin:$PATH" PATH="$HOME/.local/bin:$PATH"
fi fi
# this is for the midnight-commander # this is for the midnight-commander
# to become the last directory the midnight commander was in # to become the last directory the midnight commander was in
# as the current directory when leaving the midnight commander # as the current directory when leaving the midnight commander
# #
#. /usr/lib/mc/bin/mc.sh if [ -f "/usr/share/mc/bin/mc.sh" ]; then
. /usr/share/mc/bin/mc.sh source /usr/share/mc/bin/mc.sh
elif [ -f "/usr/lib/mc/bin/mc.sh" ] ; then
source /usr/lib/mc/bin/mc.sh
fi

1
files/homedirs/back/_vimrc
View File

@@ -171,3 +171,4 @@ set statusline=\ %F\ %(\|\ flags:\ %R%M%H%W\ %)%(\|\ type:\ %Y\ %)%(\|\ format:\
set laststatus=2 set laststatus=2
highlight StatusLine cterm=none ctermfg=white ctermbg=blue highlight StatusLine cterm=none ctermfg=white ctermbg=blue
set belloff=all

178
files/homedirs/chris/.vimrc
View File

@@ -1,178 +0,0 @@
" An example for a vimrc file.
"
" Maintainer: Bram Moolenaar <Bram@vim.org>
" Last change: 1999 Sep 09
"
" To use it, copy it to
" for Unix and OS/2: ~/.vimrc
" for Amiga: s:.vimrc
" for MS-DOS and Win32: $VIM\_vimrc
" This line should not be removed as it ensures that various options are
" properly set to work with the Vim-related packages available in Debian.
runtime! debian.vim
set nocompatible " Use Vim defaults (much better!)
set bs=2 " allow backspacing over everything in insert mode
set ai " always set autoindenting on
" set backup " keep a backup file
"set viminfo='20,\"50 " read/write a .viminfo file, don't store more
" than 50 lines of registers
set viminfo='20,\"50,:20,%,n~/.viminfo
set history=50 " keep 50 lines of command line history
set ruler " show the cursor position all the time
set ignorecase " suchen case-insenitiv
set showmatch " zeige passende klammern
set shell=/bin/bash " shell to start with !
set expandtab " tabs --> blanks
set showmode " anzeige INSERT/REPLACE/...
" set smartcase " Do smart case matching
set incsearch " Incremental search
" Start searching when you type the first character of
" the search string. As you type in more characters, the
" search is refined.
set t_Co=256 " To enable 256 colors in vim, put this your .vimrc before setting the colorscheme
" einrueckung
"set noexpandtab
set expandtab
set shiftwidth=3
set tabstop=3
set softtabstop=3
" Round indent to multiple of 'shiftwidth' for > and < commands
set shiftround
"set number
" For Win32 GUI: remove 't' flag from 'guioptions': no tearoff menu entries
" let &guioptions = substitute(&guioptions, "t", "", "g")
" Don't use Ex mode, use Q for formatting
map Q gq
" Make p in isual Visual mode replace the selected text with the "" register.
vnoremap p <Esc>:let current_reg = @"<CR>gvdi<C-R>=current_reg<CR><Esc>
" Switch syntax highlighting on, when the terminal has colors
" Also switch on highlighting the last used search pattern.
if &t_Co > 2 || has("gui_running")
syntax on
set hlsearch
endif
" Only do this part when compiled with support for autocommands.
if has("autocmd")
" In text files, always limit the width of text to 78 characters
autocmd BufRead *.txt set tw=78
augroup cprog
" Remove all cprog autocommands
au!
" When starting to edit a file:
" For C and C++ files set formatting of comments and set C-indenting on.
" For other files switch it off.
" Don't change the order, it's important that the line with * comes first.
autocmd FileType * set formatoptions=tcql nocindent comments&
autocmd FileType c,cpp set formatoptions=croql cindent comments=sr:/*,mb:*,el:*/,://
augroup END
augroup gzip
" Remove all gzip autocommands
au!
" Enable editing of gzipped files
" set binary mode before reading the file
autocmd BufReadPre,FileReadPre *.gz,*.bz2 set bin
autocmd BufReadPost,FileReadPost *.gz call GZIP_read("gunzip")
autocmd BufReadPost,FileReadPost *.bz2 call GZIP_read("bunzip2")
autocmd BufWritePost,FileWritePost *.gz call GZIP_write("gzip")
autocmd BufWritePost,FileWritePost *.bz2 call GZIP_write("bzip2")
autocmd FileAppendPre *.gz call GZIP_appre("gunzip")
autocmd FileAppendPre *.bz2 call GZIP_appre("bunzip2")
autocmd FileAppendPost *.gz call GZIP_write("gzip")
autocmd FileAppendPost *.bz2 call GZIP_write("bzip2")
" After reading compressed file: Uncompress text in buffer with "cmd"
fun! GZIP_read(cmd)
let ch_save = &ch
set ch=2
execute "'[,']!" . a:cmd
set nobin
let &ch = ch_save
execute ":doautocmd BufReadPost " . expand("%:r")
endfun
" After writing compressed file: Compress written file with "cmd"
fun! GZIP_write(cmd)
if rename(expand("<afile>"), expand("<afile>:r")) == 0
execute "!" . a:cmd . " <afile>:r"
endif
endfun
" Before appending to compressed file: Uncompress file with "cmd"
fun! GZIP_appre(cmd)
execute "!" . a:cmd . " <afile>"
call rename(expand("<afile>:r"), expand("<afile>"))
endfun
augroup END
" This is disabled, because it changes the jumplist. Can't use CTRL-O to go
" back to positions in previous files more than once.
if 0
" When editing a file, always jump to the last cursor position.
" This must be after the uncompress commands.
autocmd BufReadPost * if line("'\"") && line("'\"") <= line("$") | exe "normal `\"" | endif
endif
endif " has("autocmd")
" toggle syntax highlighting
map <F12> :if exists("syntax_on") <Bar> syntax off <Bar> else <Bar> syntax on <Bar> endif <CR><ESC>
map <F11> :nohls <CR>
" use <F6> to toggle line numbers
nmap <silent> <F6> :set number!<CR>
" If using a dark background within the editing area and syntax highlighting
" turn on this option as well
set background=dark
" set color for search
hi clear search
hi search term=bold,reverse cterm=bold,reverse gui=bold,reverse
" set color for Comment
hi clear Comment
"highlight Comment term=bold cterm=bold ctermfg=LightBlue guifg=#80a0ff gui=bold
"highlight Comment term=none cterm=none ctermfg=LightBlue guifg=#80a0ff gui=bold
"highlight Comment term=bold cterm=bold ctermfg=grey guifg=#80a0ff gui=bold
highlight Comment term=none cterm=none ctermfg=grey guifg=#80a0ff gui=bold
"highlight Comment term=none cterm=none ctermfg=177 guifg=#80a0ff gui=bold
"highlight Comment term=none cterm=none ctermfg=215 guifg=#80a0ff gui=bold
" Go back to the position the cursor was on the last time this file was edited
au BufReadPost * if line("'\"") > 0 && line("'\"") <= line("$")|execute("normal `\"")|endif
" visual shifting (does not exit Visual mode)
vnoremap < <gv
vnoremap > >gv
" Scroll when cursor gets within 3 characters of top/bottom edge
set scrolloff=3
" Show line, column number, and relative position within a file in the status line
" set statusline=%F%m%r%h%w\ [FORMAT=%{&ff}]\ [TYPE=%Y]\ [ASCII=\%03.3b]\ [HEX=\%02.2B]\ [POS=%04l,%04v][%p%%]\ [LEN=%L]
"set statusline=\ %F\ %(\|\ flags:\ %R%M%H%W\ %)%(\|\ type:\ %Y\ %)%(\|\ format:\ %{&ff}\ %)%(\|\ syntax:\ %{synIDattr(synID(line('.'),col('.'),0),'name')}%)\ \ %=line:\ %l/%L\ \|\ column:\ %c%V\ \|\ relative\:\ %p%%\
set statusline=\ %F\ %(\|\ flags:\ %R%M%H%W\ %)%(\|\ type:\ %Y\ %)%(\|\ format:\ %{&ff}\ %)\ \ %=line:\ %l/%L\ \|\ col:\ %c%V\ \|\ %p%%
" Always show status line, even for one window
set laststatus=2
highlight StatusLine cterm=none ctermfg=white ctermbg=blue
colorscheme PaperColor

178
files/homedirs/chris/.vimrc.BAK
View File

@@ -1,178 +0,0 @@
" An example for a vimrc file.
"
" Maintainer: Bram Moolenaar <Bram@vim.org>
" Last change: 1999 Sep 09
"
" To use it, copy it to
" for Unix and OS/2: ~/.vimrc
" for Amiga: s:.vimrc
" for MS-DOS and Win32: $VIM\_vimrc
" This line should not be removed as it ensures that various options are
" properly set to work with the Vim-related packages available in Debian.
runtime! debian.vim
set nocompatible " Use Vim defaults (much better!)
set bs=2 " allow backspacing over everything in insert mode
set ai " always set autoindenting on
" set backup " keep a backup file
"set viminfo='20,\"50 " read/write a .viminfo file, don't store more
" than 50 lines of registers
set viminfo='20,\"50,:20,%,n~/.viminfo
set history=50 " keep 50 lines of command line history
set ruler " show the cursor position all the time
set ignorecase " suchen case-insenitiv
set showmatch " zeige passende klammern
set shell=/bin/bash " shell to start with !
set expandtab " tabs --> blanks
set showmode " anzeige INSERT/REPLACE/...
" set smartcase " Do smart case matching
set incsearch " Incremental search
" Start searching when you type the first character of
" the search string. As you type in more characters, the
" search is refined.
set t_Co=256 " To enable 256 colors in vim, put this your .vimrc before setting the colorscheme
" einrueckung
"set noexpandtab
set expandtab
set shiftwidth=3
set tabstop=3
set softtabstop=3
" Round indent to multiple of 'shiftwidth' for > and < commands
set shiftround
"set number
" For Win32 GUI: remove 't' flag from 'guioptions': no tearoff menu entries
" let &guioptions = substitute(&guioptions, "t", "", "g")
" Don't use Ex mode, use Q for formatting
map Q gq
" Make p in isual Visual mode replace the selected text with the "" register.
vnoremap p <Esc>:let current_reg = @"<CR>gvdi<C-R>=current_reg<CR><Esc>
" Switch syntax highlighting on, when the terminal has colors
" Also switch on highlighting the last used search pattern.
if &t_Co > 2 || has("gui_running")
syntax on
set hlsearch
endif
" Only do this part when compiled with support for autocommands.
if has("autocmd")
" In text files, always limit the width of text to 78 characters
autocmd BufRead *.txt set tw=78
augroup cprog
" Remove all cprog autocommands
au!
" When starting to edit a file:
" For C and C++ files set formatting of comments and set C-indenting on.
" For other files switch it off.
" Don't change the order, it's important that the line with * comes first.
autocmd FileType * set formatoptions=tcql nocindent comments&
autocmd FileType c,cpp set formatoptions=croql cindent comments=sr:/*,mb:*,el:*/,://
augroup END
augroup gzip
" Remove all gzip autocommands
au!
" Enable editing of gzipped files
" set binary mode before reading the file
autocmd BufReadPre,FileReadPre *.gz,*.bz2 set bin
autocmd BufReadPost,FileReadPost *.gz call GZIP_read("gunzip")
autocmd BufReadPost,FileReadPost *.bz2 call GZIP_read("bunzip2")
autocmd BufWritePost,FileWritePost *.gz call GZIP_write("gzip")
autocmd BufWritePost,FileWritePost *.bz2 call GZIP_write("bzip2")
autocmd FileAppendPre *.gz call GZIP_appre("gunzip")
autocmd FileAppendPre *.bz2 call GZIP_appre("bunzip2")
autocmd FileAppendPost *.gz call GZIP_write("gzip")
autocmd FileAppendPost *.bz2 call GZIP_write("bzip2")
" After reading compressed file: Uncompress text in buffer with "cmd"
fun! GZIP_read(cmd)
let ch_save = &ch
set ch=2
execute "'[,']!" . a:cmd
set nobin
let &ch = ch_save
execute ":doautocmd BufReadPost " . expand("%:r")
endfun
" After writing compressed file: Compress written file with "cmd"
fun! GZIP_write(cmd)
if rename(expand("<afile>"), expand("<afile>:r")) == 0
execute "!" . a:cmd . " <afile>:r"
endif
endfun
" Before appending to compressed file: Uncompress file with "cmd"
fun! GZIP_appre(cmd)
execute "!" . a:cmd . " <afile>"
call rename(expand("<afile>:r"), expand("<afile>"))
endfun
augroup END
" This is disabled, because it changes the jumplist. Can't use CTRL-O to go
" back to positions in previous files more than once.
if 0
" When editing a file, always jump to the last cursor position.
" This must be after the uncompress commands.
autocmd BufReadPost * if line("'\"") && line("'\"") <= line("$") | exe "normal `\"" | endif
endif
endif " has("autocmd")
" toggle syntax highlighting
map <F12> :if exists("syntax_on") <Bar> syntax off <Bar> else <Bar> syntax on <Bar> endif <CR><ESC>
map <F11> :nohls <CR>
" use <F6> to toggle line numbers
nmap <silent> <F6> :set number!<CR>
" If using a dark background within the editing area and syntax highlighting
" turn on this option as well
set background=dark
" set color for search
hi clear search
hi search term=bold,reverse cterm=bold,reverse gui=bold,reverse
" set color for Comment
hi clear Comment
"highlight Comment term=bold cterm=bold ctermfg=LightBlue guifg=#80a0ff gui=bold
"highlight Comment term=none cterm=none ctermfg=LightBlue guifg=#80a0ff gui=bold
"highlight Comment term=bold cterm=bold ctermfg=grey guifg=#80a0ff gui=bold
highlight Comment term=none cterm=none ctermfg=grey guifg=#80a0ff gui=bold
"highlight Comment term=none cterm=none ctermfg=177 guifg=#80a0ff gui=bold
"highlight Comment term=none cterm=none ctermfg=215 guifg=#80a0ff gui=bold
" Go back to the position the cursor was on the last time this file was edited
au BufReadPost * if line("'\"") > 0 && line("'\"") <= line("$")|execute("normal `\"")|endif
" visual shifting (does not exit Visual mode)
vnoremap < <gv
vnoremap > >gv
" Scroll when cursor gets within 3 characters of top/bottom edge
set scrolloff=3
" Show line, column number, and relative position within a file in the status line
" set statusline=%F%m%r%h%w\ [FORMAT=%{&ff}]\ [TYPE=%Y]\ [ASCII=\%03.3b]\ [HEX=\%02.2B]\ [POS=%04l,%04v][%p%%]\ [LEN=%L]
"set statusline=\ %F\ %(\|\ flags:\ %R%M%H%W\ %)%(\|\ type:\ %Y\ %)%(\|\ format:\ %{&ff}\ %)%(\|\ syntax:\ %{synIDattr(synID(line('.'),col('.'),0),'name')}%)\ \ %=line:\ %l/%L\ \|\ column:\ %c%V\ \|\ relative\:\ %p%%\
set statusline=\ %F\ %(\|\ flags:\ %R%M%H%W\ %)%(\|\ type:\ %Y\ %)%(\|\ format:\ %{&ff}\ %)\ \ %=line:\ %l/%L\ \|\ col:\ %c%V\ \|\ %p%%
" Always show status line, even for one window
set laststatus=2
highlight StatusLine cterm=none ctermfg=white ctermbg=blue
colorscheme PaperColor

4
files/homedirs/chris/_bashrc
View File

@@ -113,3 +113,7 @@ export EDITOR=vim
## - set beep more quiet ## - set beep more quiet
## - ## -
#xset b 10 500 50 #xset b 10 500 50
# turn off the beep (only in bash tab-complete ?)
# only if interactiv shell
[[ "$-" =~ "i" ]] && bind 'set bell-style none'

5
files/homedirs/chris/_profile
View File

@@ -21,6 +21,11 @@ if [ -d "$HOME/bin" ] ; then
PATH="$HOME/bin:$PATH" PATH="$HOME/bin:$PATH"
fi fi
# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/.local/bin" ] ; then
PATH="$HOME/.local/bin:$PATH"
fi
# this is for the midnight-commander # this is for the midnight-commander
# to become the last directory the midnight commander was in # to become the last directory the midnight commander was in
# as the current directory when leaving the midnight commander # as the current directory when leaving the midnight commander

2
files/homedirs/chris/_vimrc
View File

@@ -178,4 +178,6 @@ highlight StatusLine cterm=none ctermfg=white ctermbg=blue
"Remove all trailing whitespace by pressing F5 "Remove all trailing whitespace by pressing F5
nnoremap <F5> :let _s=@/<Bar>:%s/\s\+$//e<Bar>:let @/=_s<Bar><CR> nnoremap <F5> :let _s=@/<Bar>:%s/\s\+$//e<Bar>:let @/=_s<Bar><CR>
set belloff=all
colorscheme PaperColor colorscheme PaperColor

4
files/homedirs/root/_bashrc
View File

@@ -76,3 +76,7 @@ export LINES=64
## - set beep more quiet ## - set beep more quiet
## - ## -
#xset b 10 500 50 #xset b 10 500 50
# turn off the beep (only in bash tab-complete ?)
# only if interactiv shell
[[ "$-" =~ "i" ]] && bind 'set bell-style none'

4
files/homedirs/root/_profile
View File

@@ -35,4 +35,6 @@ elif [ -f "/usr/lib/mc/bin/mc.sh" ] ; then
source /usr/lib/mc/bin/mc.sh source /usr/lib/mc/bin/mc.sh
fi fi
mesg n if command -v mesg >/dev/null 2>&1; then
mesg n
fi

2
files/homedirs/root/_vimrc
View File

@@ -178,4 +178,6 @@ highlight StatusLine cterm=none ctermfg=white ctermbg=blue
"Remove all trailing whitespace by pressing F5 "Remove all trailing whitespace by pressing F5
nnoremap <F5> :let _s=@/<Bar>:%s/\s\+$//e<Bar>:let @/=_s<Bar><CR> nnoremap <F5> :let _s=@/<Bar>:%s/\s\+$//e<Bar>:let @/=_s<Bar><CR>
set belloff=all
colorscheme PaperColor colorscheme PaperColor

173
files/homedirs/root/_vimrc.BAK
View File

@@ -1,173 +0,0 @@
" An example for a vimrc file.
"
" Maintainer: Bram Moolenaar <Bram@vim.org>
" Last change: 1999 Sep 09
"
" To use it, copy it to
" for Unix and OS/2: ~/.vimrc
" for Amiga: s:.vimrc
" for MS-DOS and Win32: $VIM\_vimrc
" This line should not be removed as it ensures that various options are
" properly set to work with the Vim-related packages available in Debian.
runtime! debian.vim
set nocompatible " Use Vim defaults (much better!)
set bs=2 " allow backspacing over everything in insert mode
set ai " always set autoindenting on
" set backup " keep a backup file
"set viminfo='20,\"50 " read/write a .viminfo file, don't store more
" than 50 lines of registers
set viminfo='20,\"50,:20,%,n~/.viminfo
set history=50 " keep 50 lines of command line history
set ruler " show the cursor position all the time
set ignorecase " suchen case-insenitiv
set showmatch " zeige passende klammern
set shell=/bin/bash " shell to start with !
set expandtab " tabs --> blanks
set showmode " anzeige INSERT/REPLACE/...
" set smartcase " Do smart case matching
set incsearch " Incremental search
" Start searching when you type the first character of
" the search string. As you type in more characters, the
" search is refined.
set t_Co=256 " To enable 256 colors in vim, put this your .vimrc before setting the colorscheme
" einrueckung
set shiftwidth=3
set tabstop=3
" Round indent to multiple of 'shiftwidth' for > and < commands
set shiftround
" For Win32 GUI: remove 't' flag from 'guioptions': no tearoff menu entries
" let &guioptions = substitute(&guioptions, "t", "", "g")
" Don't use Ex mode, use Q for formatting
map Q gq
" Make p in isual Visual mode replace the selected text with the "" register.
vnoremap p <Esc>:let current_reg = @"<CR>gvdi<C-R>=current_reg<CR><Esc>
" Switch syntax highlighting on, when the terminal has colors
" Also switch on highlighting the last used search pattern.
if &t_Co > 2 || has("gui_running")
syntax on
set hlsearch
endif
" Only do this part when compiled with support for autocommands.
if has("autocmd")
" In text files, always limit the width of text to 78 characters
autocmd BufRead *.txt set tw=78
augroup cprog
" Remove all cprog autocommands
au!
" When starting to edit a file:
" For C and C++ files set formatting of comments and set C-indenting on.
" For other files switch it off.
" Don't change the order, it's important that the line with * comes first.
autocmd FileType * set formatoptions=tcql nocindent comments&
autocmd FileType c,cpp set formatoptions=croql cindent comments=sr:/*,mb:*,el:*/,://
augroup END
augroup gzip
" Remove all gzip autocommands
au!
" Enable editing of gzipped files
" set binary mode before reading the file
autocmd BufReadPre,FileReadPre *.gz,*.bz2 set bin
autocmd BufReadPost,FileReadPost *.gz call GZIP_read("gunzip")
autocmd BufReadPost,FileReadPost *.bz2 call GZIP_read("bunzip2")
autocmd BufWritePost,FileWritePost *.gz call GZIP_write("gzip")
autocmd BufWritePost,FileWritePost *.bz2 call GZIP_write("bzip2")
autocmd FileAppendPre *.gz call GZIP_appre("gunzip")
autocmd FileAppendPre *.bz2 call GZIP_appre("bunzip2")
autocmd FileAppendPost *.gz call GZIP_write("gzip")
autocmd FileAppendPost *.bz2 call GZIP_write("bzip2")
" After reading compressed file: Uncompress text in buffer with "cmd"
fun! GZIP_read(cmd)
let ch_save = &ch
set ch=2
execute "'[,']!" . a:cmd
set nobin
let &ch = ch_save
execute ":doautocmd BufReadPost " . expand("%:r")
endfun
" After writing compressed file: Compress written file with "cmd"
fun! GZIP_write(cmd)
if rename(expand("<afile>"), expand("<afile>:r")) == 0
execute "!" . a:cmd . " <afile>:r"
endif
endfun
" Before appending to compressed file: Uncompress file with "cmd"
fun! GZIP_appre(cmd)
execute "!" . a:cmd . " <afile>"
call rename(expand("<afile>:r"), expand("<afile>"))
endfun
augroup END
" This is disabled, because it changes the jumplist. Can't use CTRL-O to go
" back to positions in previous files more than once.
if 0
" When editing a file, always jump to the last cursor position.
" This must be after the uncompress commands.
autocmd BufReadPost * if line("'\"") && line("'\"") <= line("$") | exe "normal `\"" | endif
endif
endif " has("autocmd")
" toggle syntax highlighting
map <F12> :if exists("syntax_on") <Bar> syntax off <Bar> else <Bar> syntax on <Bar> endif <CR><ESC>
map <F11> :nohls <CR>
" use <F6> to toggle line numbers
nmap <silent> <F6> :set number!<CR>
" If using a dark background within the editing area and syntax highlighting
" turn on this option as well
set background=dark
" set color for search
hi clear search
hi search term=bold,reverse cterm=bold,reverse gui=bold,reverse
" set color for Comment
hi clear Comment
"highlight Comment term=bold cterm=bold ctermfg=LightBlue guifg=#80a0ff gui=bold
"highlight Comment term=none cterm=none ctermfg=LightBlue guifg=#80a0ff gui=bold
"highlight Comment term=bold cterm=bold ctermfg=grey guifg=#80a0ff gui=bold
highlight Comment term=none cterm=none ctermfg=grey guifg=#80a0ff gui=bold
"highlight Comment term=none cterm=none ctermfg=177 guifg=#80a0ff gui=bold
"highlight Comment term=none cterm=none ctermfg=215 guifg=#80a0ff gui=bold
" Go back to the position the cursor was on the last time this file was edited
au BufReadPost * if line("'\"") > 0 && line("'\"") <= line("$")|execute("normal `\"")|endif
" visual shifting (does not exit Visual mode)
vnoremap < <gv
vnoremap > >gv
" Scroll when cursor gets within 3 characters of top/bottom edge
set scrolloff=3
" Show line, column number, and relative position within a file in the status line
" set statusline=%F%m%r%h%w\ [FORMAT=%{&ff}]\ [TYPE=%Y]\ [ASCII=\%03.3b]\ [HEX=\%02.2B]\ [POS=%04l,%04v][%p%%]\ [LEN=%L]
"set statusline=\ %F\ %(\|\ flags:\ %R%M%H%W\ %)%(\|\ type:\ %Y\ %)%(\|\ format:\ %{&ff}\ %)%(\|\ syntax:\ %{synIDattr(synID(line('.'),col('.'),0),'name')}%)\ \ %=line:\ %l/%L\ \|\ column:\ %c%V\ \|\ relative\:\ %p%%\
set statusline=\ %F\ %(\|\ flags:\ %R%M%H%W\ %)%(\|\ type:\ %Y\ %)%(\|\ format:\ %{&ff}\ %)\ \ %=line:\ %l/%L\ \|\ col:\ %c%V\ \|\ %p%%
" Always show status line, even for one window
set laststatus=2
highlight StatusLine cterm=none ctermfg=white ctermbg=blue

4
files/homedirs/sysadm/_bashrc
View File

@@ -73,3 +73,7 @@ export LINES=64
## - set beep more quiet ## - set beep more quiet
## - ## -
#xset b 10 500 50 #xset b 10 500 50
# turn off the beep (only in bash tab-complete ?)
# only if interactiv shell
[[ "$-" =~ "i" ]] && bind 'set bell-style none'

35
files/homedirs/sysadm/_profile
View File

@@ -1,24 +1,37 @@
# ~/.profile: executed by Bourne-compatible login shells. # ~/.profile: executed by Bourne-compatible login shells.
# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login
# exists.
# see /usr/share/doc/bash/examples/startup-files for examples.
# the files are located in the bash-doc package.
if [ "$BASH" ]; then # the default umask is set in /etc/profile; for setting the umask
if [ -f ~/.bashrc ]; then # for ssh logins, install and configure the libpam-umask package.
. ~/.bashrc #umask 022
fi
# if running bash
if [ -n "$BASH_VERSION" ]; then
# include .bashrc if it exists
if [ -f "$HOME/.bashrc" ]; then
. "$HOME/.bashrc"
fi
fi fi
# set PATH so it includes user's private bin if it exists # set PATH so it includes user's private bin if it exists
if [ -d "$HOME/bin" ] ; then if [ -d "$HOME/bin" ] ; then
PATH="$HOME/bin:$PATH" PATH="$HOME/bin:$PATH"
fi fi
if [ -d "$HOME/bin/admin-stuff" ] ; then
PATH="$HOME/bin/admin-stuff:$PATH" # set PATH so it includes user's private bin if it exists
if [ -d "$HOME/.local/bin" ] ; then
PATH="$HOME/.local/bin:$PATH"
fi fi
# this is for the midnight-commander # this is for the midnight-commander
# to become the last directory the midnight commander was in # to become the last directory the midnight commander was in
# as the current directory when leaving the midnight commander # as the current directory when leaving the midnight commander
# #
# . /usr/lib/mc/bin/mc.sh if [ -f "/usr/share/mc/bin/mc.sh" ]; then
. /usr/share/mc/bin/mc.sh source /usr/share/mc/bin/mc.sh
elif [ -f "/usr/lib/mc/bin/mc.sh" ] ; then
mesg n source /usr/lib/mc/bin/mc.sh
fi

2
files/homedirs/sysadm/_vimrc
View File

@@ -175,4 +175,6 @@ set statusline=\ %F\ %(\|\ flags:\ %R%M%H%W\ %)%(\|\ type:\ %Y\ %)%(\|\ format:\
set laststatus=2 set laststatus=2
highlight StatusLine cterm=none ctermfg=white ctermbg=blue highlight StatusLine cterm=none ctermfg=white ctermbg=blue
set belloff=all
colorscheme PaperColor colorscheme PaperColor

173
files/homedirs/sysadm/_vimrc.BAK
View File

@@ -1,173 +0,0 @@
" An example for a vimrc file.
"
" Maintainer: Bram Moolenaar <Bram@vim.org>
" Last change: 1999 Sep 09
"
" To use it, copy it to
" for Unix and OS/2: ~/.vimrc
" for Amiga: s:.vimrc
" for MS-DOS and Win32: $VIM\_vimrc
" This line should not be removed as it ensures that various options are
" properly set to work with the Vim-related packages available in Debian.
runtime! debian.vim
set nocompatible " Use Vim defaults (much better!)
set bs=2 " allow backspacing over everything in insert mode
set ai " always set autoindenting on
" set backup " keep a backup file
"set viminfo='20,\"50 " read/write a .viminfo file, don't store more
" than 50 lines of registers
set viminfo='20,\"50,:20,%,n~/.viminfo
set history=50 " keep 50 lines of command line history
set ruler " show the cursor position all the time
set ignorecase " suchen case-insenitiv
set showmatch " zeige passende klammern
set shell=/bin/bash " shell to start with !
set expandtab " tabs --> blanks
set showmode " anzeige INSERT/REPLACE/...
" set smartcase " Do smart case matching
set incsearch " Incremental search
" Start searching when you type the first character of
" the search string. As you type in more characters, the
" search is refined.
set t_Co=256 " To enable 256 colors in vim, put this your .vimrc before setting the colorscheme
" einrueckung
set shiftwidth=3
set tabstop=3
" Round indent to multiple of 'shiftwidth' for > and < commands
set shiftround
" For Win32 GUI: remove 't' flag from 'guioptions': no tearoff menu entries
" let &guioptions = substitute(&guioptions, "t", "", "g")
" Don't use Ex mode, use Q for formatting
map Q gq
" Make p in isual Visual mode replace the selected text with the "" register.
vnoremap p <Esc>:let current_reg = @"<CR>gvdi<C-R>=current_reg<CR><Esc>
" Switch syntax highlighting on, when the terminal has colors
" Also switch on highlighting the last used search pattern.
if &t_Co > 2 || has("gui_running")
syntax on
set hlsearch
endif
" Only do this part when compiled with support for autocommands.
if has("autocmd")
" In text files, always limit the width of text to 78 characters
autocmd BufRead *.txt set tw=78
augroup cprog
" Remove all cprog autocommands
au!
" When starting to edit a file:
" For C and C++ files set formatting of comments and set C-indenting on.
" For other files switch it off.
" Don't change the order, it's important that the line with * comes first.
autocmd FileType * set formatoptions=tcql nocindent comments&
autocmd FileType c,cpp set formatoptions=croql cindent comments=sr:/*,mb:*,el:*/,://
augroup END
augroup gzip
" Remove all gzip autocommands
au!
" Enable editing of gzipped files
" set binary mode before reading the file
autocmd BufReadPre,FileReadPre *.gz,*.bz2 set bin
autocmd BufReadPost,FileReadPost *.gz call GZIP_read("gunzip")
autocmd BufReadPost,FileReadPost *.bz2 call GZIP_read("bunzip2")
autocmd BufWritePost,FileWritePost *.gz call GZIP_write("gzip")
autocmd BufWritePost,FileWritePost *.bz2 call GZIP_write("bzip2")
autocmd FileAppendPre *.gz call GZIP_appre("gunzip")
autocmd FileAppendPre *.bz2 call GZIP_appre("bunzip2")
autocmd FileAppendPost *.gz call GZIP_write("gzip")
autocmd FileAppendPost *.bz2 call GZIP_write("bzip2")
" After reading compressed file: Uncompress text in buffer with "cmd"
fun! GZIP_read(cmd)
let ch_save = &ch
set ch=2
execute "'[,']!" . a:cmd
set nobin
let &ch = ch_save
execute ":doautocmd BufReadPost " . expand("%:r")
endfun
" After writing compressed file: Compress written file with "cmd"
fun! GZIP_write(cmd)
if rename(expand("<afile>"), expand("<afile>:r")) == 0
execute "!" . a:cmd . " <afile>:r"
endif
endfun
" Before appending to compressed file: Uncompress file with "cmd"
fun! GZIP_appre(cmd)
execute "!" . a:cmd . " <afile>"
call rename(expand("<afile>:r"), expand("<afile>"))
endfun
augroup END
" This is disabled, because it changes the jumplist. Can't use CTRL-O to go
" back to positions in previous files more than once.
if 0
" When editing a file, always jump to the last cursor position.
" This must be after the uncompress commands.
autocmd BufReadPost * if line("'\"") && line("'\"") <= line("$") | exe "normal `\"" | endif
endif
endif " has("autocmd")
" toggle syntax highlighting
map <F12> :if exists("syntax_on") <Bar> syntax off <Bar> else <Bar> syntax on <Bar> endif <CR><ESC>
map <F11> :nohls <CR>
" use <F6> to toggle line numbers
nmap <silent> <F6> :set number!<CR>
" If using a dark background within the editing area and syntax highlighting
" turn on this option as well
set background=dark
" set color for search
hi clear search
hi search term=bold,reverse cterm=bold,reverse gui=bold,reverse
" set color for Comment
hi clear Comment
"highlight Comment term=bold cterm=bold ctermfg=LightBlue guifg=#80a0ff gui=bold
"highlight Comment term=none cterm=none ctermfg=LightBlue guifg=#80a0ff gui=bold
"highlight Comment term=bold cterm=bold ctermfg=grey guifg=#80a0ff gui=bold
highlight Comment term=none cterm=none ctermfg=grey guifg=#80a0ff gui=bold
"highlight Comment term=none cterm=none ctermfg=177 guifg=#80a0ff gui=bold
"highlight Comment term=none cterm=none ctermfg=215 guifg=#80a0ff gui=bold
" Go back to the position the cursor was on the last time this file was edited
au BufReadPost * if line("'\"") > 0 && line("'\"") <= line("$")|execute("normal `\"")|endif
" visual shifting (does not exit Visual mode)
vnoremap < <gv
vnoremap > >gv
" Scroll when cursor gets within 3 characters of top/bottom edge
set scrolloff=3
" Show line, column number, and relative position within a file in the status line
" set statusline=%F%m%r%h%w\ [FORMAT=%{&ff}]\ [TYPE=%Y]\ [ASCII=\%03.3b]\ [HEX=\%02.2B]\ [POS=%04l,%04v][%p%%]\ [LEN=%L]
"set statusline=\ %F\ %(\|\ flags:\ %R%M%H%W\ %)%(\|\ type:\ %Y\ %)%(\|\ format:\ %{&ff}\ %)%(\|\ syntax:\ %{synIDattr(synID(line('.'),col('.'),0),'name')}%)\ \ %=line:\ %l/%L\ \|\ column:\ %c%V\ \|\ relative\:\ %p%%\
set statusline=\ %F\ %(\|\ flags:\ %R%M%H%W\ %)%(\|\ type:\ %Y\ %)%(\|\ format:\ %{&ff}\ %)\ \ %=line:\ %l/%L\ \|\ col:\ %c%V\ \|\ %p%%
" Always show status line, even for one window
set laststatus=2
highlight StatusLine cterm=none ctermfg=white ctermbg=blue

8
files/homedirs/webadmin/_profile
View File

@@ -25,6 +25,8 @@ fi
# to become the last directory the midnight commander was in # to become the last directory the midnight commander was in
# as the current directory when leaving the midnight commander # as the current directory when leaving the midnight commander
# #
#. /usr/lib/mc/bin/mc.sh if [ -f "/usr/share/mc/bin/mc.sh" ]; then
. /usr/share/mc/bin/mc.sh source /usr/share/mc/bin/mc.sh
elif [ -f "/usr/lib/mc/bin/mc.sh" ] ; then
source /usr/lib/mc/bin/mc.sh
fi

419
ga-eh-gw.oopen.de.yml Normal file
View File

@@ -0,0 +1,419 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
network_manage_devices: True
# Should the interfaces be reloaded after config change?
network_interface_reload: False
network_interface_path: /etc/network/interfaces.d
network_interface_required_packages:
- vlan
- bridge-utils
- ifmetric
- ifupdown
- ifenslave
network_interfaces:
- device: eno1
headline: eno1 - Uplink WiDSL via (static) line to Fritz!Box 7490
auto: true
family: inet
method: static
address: 172.16.80.1
netmask: 24
gateway: 172.16.80.254
#nameservers:
# - 192.168.81.1
# - 172.16.81.254
#search: ga.netz ga.intra
- device: eno2
headline: eno2 - Uplink Telekom (static line via digitbox)
auto: true
family: inet
method: static
address: 172.16.81.1
netmask: 24
gateway: 172.16.81.254
- device: eno5
headline: eno5 - LAN
auto: true
family: inet
method: static
address: 192.168.81.254
netmask: 24
post-up:
# VLAN 321 - for Ubiquiti UniFi Accesspoints Guest NET
- /sbin/ip link add link eno5 name eno5.21 type vlan id 21
# VLAN 331 - for Ubiquiti UniFi Accesspoints private NET
- /sbin/ip link add link eno5 name eno5.31 type vlan id 31
- device: eno5.21
headline: eno5 - VLAN 321 (Ubiquiti UniFi Accesspoints Guest NET)
auto: true
family: inet
method: static
address: 10.21.15.254
netmask: 20
- device: eno5.31
headline: eno5 - VLAN 331 (Ubiquiti UniFi Accesspoints private NET)
auto: true
family: inet
method: static
address: 10.31.15.254
netmask: 20
- device: eno5:ns
headline: eno5:ns - Alias on eno5 (Nameserver)
auto: true
family: inet
method: static
address: 192.168.81.1
netmask: 32
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_user_entries:
- name: "Check if Postfix Mailservice is up and running?"
minute: "*/15"
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
- name: "Check if SSH service is up and running?"
minute: "*/15"
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if OpenVPN service is up and running?"
minute: "*/30"
hour: '*'
job: /root/bin/monitoring/check_vpn.sh
- name: "Check if nameservice (bind) is running?"
minute: '*/10'
hour: '*'
job: /root/bin/monitoring/check_dns.sh
- name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )"
minute: "0-59/2"
hour: '*'
job: /root/bin/monitoring/check_forwarding.sh
- name: "Copy gateway configuration"
minute: "09"
hour: "3"
job: /root/bin/manage-gw-config/copy_gateway-config.sh GA-NH
#cron_user_special_time_entries: []
cron_user_special_time_entries:
- name: "Check if Postfix Service is running at boot time"
special_time: reboot
job: "sleep 7 ; /root/bin/monitoring/check_postfix.sh"
insertafter: PATH
- name: "Restart Systemd's resolved at boottime."
special_time: reboot
job: "sleep 10 ; /bin/systemctl restart systemd-resolved"
insertafter: PATH
- name: "Restart NTP service 'ntpsec'"
special_time: reboot
job: "sleep 15 ; /bin/systemctl restart ntpsec"
insertafter: PATH
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 127.0.0.1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- ga.netz
- ga.intra
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/users.yml
# ---
insert_ssh_keypair_backup_server: false
ssh_keypair_backup_server:
- name: backup
backup_user: back
priv_key_src: root/.ssh/id_rsa.backup.oopen.de
priv_key_dest: /root/.ssh/id_rsa
pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub
pub_key_dest: /root/.ssh/id_rsa.pub
insert_keypair_backup_client: true
ssh_keypair_backup_client:
- name: backup
priv_key_src: root/.ssh/id_ed25519.oopen-server
priv_key_dest: /root/.ssh/id_ed25519
pub_key_src: root/.ssh/id_ed25519.oopen-server.pub
pub_key_dest: /root/.ssh/id_ed25519.pub
target: backup.oopen.de
default_user:
- name: chris
password: $y$j9T$rDrvWa/KInzTe601YYf9./$WjDlaItCrgX7gu4nCs481y8WLxiRaNJCC/MgFgKuzg3
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: maadmin
password: $y$j9T$LCkYWvykWzrpFxIlmSUB01$e1ROfZxXAU53UdAwZAECzED4iV4LS02Q4IPQ2fycv51
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1'
- name: wadmin
password: $6$sLWIXKTW$i/STlSS0LijkrnGR/XMbaxJsEbrRdDYgqyCqIr.muLN5towes8yHDCXsyCYDjuaBNKPHXyFpr8lclg5DOm9OF1
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'
- name: sysadm
user_id: 1050
group_id: 1050
group: sysadm
password: $y$j9T$awYUu9oRvV39ojITZOC7D1$czTh5HHIE32PXb0vl40ayAarm39txR4jaH1QzBscqfC
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'
- name: back
user_id: 1060
group_id: 1060
group: back
password: $y$j9T$wpg8hlvMpO4PAWSVdLoJq/$dgpQh4cEnbUOQkkZzKUM4S8XzNS/Md5gMmMuNTqec74
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
sudo_users:
- chris
- sysadm
- maadmin
- wadmin
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
install_bind_packages: true
bind9_gateway_acl:
- local-net:
name: local-net
entries:
- 127.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 10.0.0.0/8
- fc00::/7
- fe80::/10
- ::1/128
- internaldns:
name: internaldns
entries:
- '# Nameserver Gateway Stockhausen'
- 192.168.11.1
- '# Domain Controller Stockhausen'
- 192.168.10.3
- '# Nameserver Gateway Altenschlirf'
- 192.168.10.1
- '# Domain Controller Altenschlirf'
- 192.168.10.3
- 192.168.10.6
- 172.16.0.1
- '# Nameserver Gateway Novalishaus'
- 192.168.81.1
- 10.2.11.2
- '# Nameserver wolle'
- 10.113.12.3
- '# Postfix Mailserver'
- 192.168.11.2
- '# Mail Relay System'
- 192.168.10.2
bind9_gateway_listen_on_v6:
- none
bind9_gateway_listen_on:
- any
#bind9_gateway_allow_transfer: {}
bind9_gateway_allow_transfer:
- none
bind9_transfer_source: !!str "192.168.81.1"
bind9_notify_source: !!str "192.168.81.1"
#bind9_gateway_allow_query: {}
bind9_gateway_allow_query:
- local-net
#bind9_gateway_allow_query_cache: {}
bind9_gateway_allow_query_cache:
- local-net
bind9_gateway_recursion: !!str "yes"
#bind9_gateway_allow_recursion: {}
bind9_gateway_allow_recursion:
- local-net
# ---
# vars used by roles/common/tasks/git.yml
# ---
git_firewall_repository:
name: ipt-gateway
repo: https://git.oopen.de/firewall/ipt-gateway
dest: /usr/local/src/ipt-gateway
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.

171
group_vars/all/main.yml
View File

@@ -1,5 +1,14 @@
--- ---
#ansible_managed: !!str " *** [ Ansible managed file: DO NOT EDIT DIRECTLY ] ***"
ansible_managed: >
*** ANSIBLE MANAGED FILE - DO NOT EDIT ***
# This file was generated by {{ ansible_user_id }} on {{ ansible_date_time.iso8601 }}
# --- # ---
# vars used by roles/ansible_dependencies # vars used by roles/ansible_dependencies
# --- # ---
@@ -20,6 +29,22 @@ apt_ansible_dependencies:
- vim - vim
- vlan - vlan
# software-properties-common no longer available
apt_ansible_dependencies_trixie:
- apt-transport-https
- ca-certificates
- dbus
- lsb-release
- mc
- net-tools
- openssl
- python-apt-common
- python3
- python3-apt
- sudo
- vim
- vlan
# --- # ---
# vars used by roles/ansible_user # vars used by roles/ansible_user
@@ -636,6 +661,129 @@ apt_initial_install_bookworm:
- btrfs-progs - btrfs-progs
- fdisk - fdisk
# mime-support no longer exists
# rcconf no longer exists
apt_initial_install_trixie:
- acl
- aptitude
- apt-utils
- arj
- arp-scan
- attr
- bash
- bash-completion
- bc
- bridge-utils
- btrfs-progs
- bzip2
- coreutils
- cron
- cryptsetup
- curl
- dbus
- debian-keyring
- dnsutils
- dselect
- ethtool
- fdisk
- figlet
- file
- freeipmi-tools
- ftp
- gawk
- gdisk
- gettext
- gettext-base
- gettext-doc
- git
- groff
- groff
- haveged
- hdparm
- htop
- iperf
- ipmitool
- iproute2
- iptables
- iptraf
- iputils-ping
- less
- libio-compress-perl
- libmail-imapclient-perl
- libpcre2-8-0
- libpcre2-16-0
- libpcre2-32-0
- libperl-dev
- libreadline-dev
- librecode3
- librecode-dev
- libterm-readkey-perl
- libterm-readline-gnu-perl
- libterm-readline-perl-perl
- libtimedate-perl
- libtime-duration-perl
- libwww-perl
- links
- locate
- logrotate
- lsb-release
- lshw
- lsof
- lua5.4
- lynx
- man
- mawk
- mc
- moreutils
- mtr
- needrestart
- net-tools
- ntpsec-ntpdate
- openssh-server
- parted
- patch
- patchutils
- perl
- perl-doc
- perl-modules
- psmisc
- quota
- quotatool
- rblcheck
- rdate
- re2c
- recode
- recode-doc
- rsync
- rsyslog
- rush
- screen
- sharutils
- shellcheck
- sipcalc
- smartmontools
- socat
- ssl-cert
- ssl-cert-check
- sudo
- tcpdump
- tmux
- unhide
- universal-ctags
- unzip
- util-linux
- vim
- vim-common
- vim-doc
- vlan
- w3m
- wget
- whois
- wipe
- wipe
- zip
- zsh
apt_initial_install_xenial: apt_initial_install_xenial:
- apt-transport-https - apt-transport-https
@@ -2094,18 +2242,27 @@ root_ssh_keypair: []
default_user: default_user:
- name: chris - name: chris
password: $6$bSHlaLHC$URSMVq090e/cJ1v55Jh9ws0w5WekhO7X3Y0RqryAl5R76K9khWBegC76Smjastja.xMiD57/LzUUXW7y9NvAL. password: $y$j9T$RY2Nt/UmjMjxuyAhKXxMV0$IPvnS5XkNBluEiOARFmyQLp6GzXA1tY96rW.S9H7U84
shell: /bin/bash shell: /bin/bash
ssh_keys: ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: sysadm - name: sysadm
user_id: 1050 user_id: 1050
group_id: 1050 group_id: 1050
group: sysadm group: sysadm
password: $6$EEVWxA5E$bNxU8EOp/tTcYVghFharUM10k3vRt2siEnIiiznfGmhMSM6zJTP0umdxql9VVEj856oKa.Sp.q3N2nthgNMeN1 password: $y$j9T$1WH8G2UkuN1jjp4QLuoeC0$dXpOnJUfMMAqAXlwN8XD0pq78r.a4UZOgt3LY4afxy/
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: localadmin
user_id: 1051
group_id: 1051
group: sysadm
password: $y$j9T$1WH8G2UkuN1jjp4QLuoeC0$dXpOnJUfMMAqAXlwN8XD0pq78r.a4UZOgt3LY4afxy/
shell: /bin/bash shell: /bin/bash
ssh_keys: ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
@@ -2115,7 +2272,7 @@ default_user:
user_id: 1060 user_id: 1060
group_id: 1060 group_id: 1060
group: back group: back
password: $6$GntX81EP$O1GEmQF.BbOQfTMMw/m/BDKSXmANVpqmz0nyzw4O4R2/iK9huGOAjT/2eq8FVdMghvNOvdwrWtwohO.Mg4V9n. password: $y$j9T$FLeyg8Xy09ppHGVbKOr5l1$XJbJdjX7XlS5QeiTzBvl2dMYcC0AxIylkvayJgFR3CC
shell: /bin/bash shell: /bin/bash
ssh_keys: ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
@@ -2787,6 +2944,8 @@ ipv6_address: ''
is_relay_host: is_relay_host:
# support_dmarc_reporting:
# sasl_auth_enable: # sasl_auth_enable:
# #
# possible values are: # possible values are:
@@ -2932,6 +3091,10 @@ samba_netbios_name:
# #
samba_server_min_protocol: [] samba_server_min_protocol: []
# samba_allow_insecure_wide_links
#
samba_allow_insecure_wide_links: !!str no
samba_groups: [] samba_groups: []
# samba_user: # samba_user:

175
host_vars/172.16.82.197.yml Normal file
View File

@@ -0,0 +1,175 @@
---
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
copy_additional_plain_files_sysctl:
- name: enable-ipv6
src_path: etc/sysctl.d/30-enable-ipv6.conf
dest_path: /etc/sysctl.d/30-enable-ipv6.conf
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
#sshd_hostkeyalgorithms:
# - ssh-ed25519
# - ssh-ed25519-cert-v01@openssh.com
# - rsa-sha2-256
# - rsa-sha2-512
# - ecdsa-sha2-nistp256
# - rsa-sha2-256-cert-v01@openssh.com
# - rsa-sha2-512-cert-v01@openssh.com
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 127.0.0.1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- akb.netz
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_user_special_time_entries:
- name: "Restart NTP service 'ntpsec'"
special_time: reboot
job: "sleep 15 ; /bin/systemctl restart ntpsec"
insertafter: PATH
# ---
# vars used by roles/common/tasks/users.yml
# ---
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
git_firewall_repository:
name: ipt-gateway
repo: https://git.oopen.de/firewall/ipt-gateway
dest: /usr/local/src/ipt-gateway
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
install_bind_packages: true
bind9_gateway_listen_on_v6:
- none
bind9_gateway_listen_on:
- any
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $y$j9T$IVBTpn.OrI6YiQ9q3fA8b1$Y1bmID5yXJbKfoLFt1VmQs6LezeTj5/1M9ppZBD2Pn4

2
host_vars/a.mx.oopen.de.yml
View File

@@ -214,6 +214,8 @@ ipv6_address: 2a01:4f9:4a:47e5::247
admin_email: argus@oopen.de admin_email: argus@oopen.de
is_relay_host: !!str "false" is_relay_host: !!str "false"
support_dmarc_reporting: !!str "true"
db_in_use: !!str "true" db_in_use: !!str "true"
# postfix_db_type # postfix_db_type
# #

78
host_vars/anita.wf.netz.yml
View File

@@ -55,14 +55,6 @@ extra_user:
ssh_keys: ssh_keys:
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5IhVprsvVOcFPbZzD9xR0nCjZ/9qVG6RhLJ7QBSts81nRvLwnmvcMBHSf5Rfaigey7Ff5dLHfJnxRE0KDATn6n2yd/5mXpn2GAA8hDVfhdsmsb5U7bROjZNr8MmIUrP7c3msUGx1FtvzhwxtyvIWOFQpWx+W5biBa6hFjIxT1pkUJqe6fclp7xbGYKZiqZRBS4qKG5CpKnisuOYDsqYPND+OkU+PShoxGVzp1JywIVze7qeKv6GyYbRA9SP9Np+5Mit6B21Io4zOI81c2Rz6sPX7mwEAQEs7iCm2hzG8qJws45Lb4ERqDkVEVhGNUyHjHgGebS1sZx1mLExdurXlPm1l/EamkncDFDCutHXtLP7lsFFiym7fKUjSEgiiLmyu5Xm+mwZvesKa1FYNaeiFWfYZpCJrNzIk+ffs+mgg3kmL4Sd4Ooy7jXPX+WJe5Xyh1KLU/+Wj2TVrhN+LbmupYAti/Wgd3DA1v601svmG82aLmyJRtKC0rGMePH3kDbtqU72kYpzI8mXERe1TIQ00Z77kQBR/7BF/9y5/0YmYDcXt1wNCoSie+mzz3xYcEdLAc7T+DhYpd4M6VgWnuz/exzRzhQwoSdEKkEED8CpEoBrEWEiMdrlElGmlkVomLU7P9i9j1rshX/pAq0asnqeSoPdC3vNbU3keiJQnhIHECvw== chris@luna' - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5IhVprsvVOcFPbZzD9xR0nCjZ/9qVG6RhLJ7QBSts81nRvLwnmvcMBHSf5Rfaigey7Ff5dLHfJnxRE0KDATn6n2yd/5mXpn2GAA8hDVfhdsmsb5U7bROjZNr8MmIUrP7c3msUGx1FtvzhwxtyvIWOFQpWx+W5biBa6hFjIxT1pkUJqe6fclp7xbGYKZiqZRBS4qKG5CpKnisuOYDsqYPND+OkU+PShoxGVzp1JywIVze7qeKv6GyYbRA9SP9Np+5Mit6B21Io4zOI81c2Rz6sPX7mwEAQEs7iCm2hzG8qJws45Lb4ERqDkVEVhGNUyHjHgGebS1sZx1mLExdurXlPm1l/EamkncDFDCutHXtLP7lsFFiym7fKUjSEgiiLmyu5Xm+mwZvesKa1FYNaeiFWfYZpCJrNzIk+ffs+mgg3kmL4Sd4Ooy7jXPX+WJe5Xyh1KLU/+Wj2TVrhN+LbmupYAti/Wgd3DA1v601svmG82aLmyJRtKC0rGMePH3kDbtqU72kYpzI8mXERe1TIQ00Z77kQBR/7BF/9y5/0YmYDcXt1wNCoSie+mzz3xYcEdLAc7T+DhYpd4M6VgWnuz/exzRzhQwoSdEKkEED8CpEoBrEWEiMdrlElGmlkVomLU7P9i9j1rshX/pAq0asnqeSoPdC3vNbU3keiJQnhIHECvw== chris@luna'
- name: christian
user_id: 1005
group_id: 1005
password: $6$2paWmEea$G51JZDzjjDNE75aBl/xuM1dyH.FWYHwNCRHeKWkHhxjUmRRC/v.hhNh5jOk5EbVWDeVh7r5dz1tO2HTZUMftb1
shell: /bin/bash
ssh_keys:
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCb6ngLE9Vh0H6IqiHF2yeQX11kCeVE4QaK8Ca0Ogqtz8drC4/3Ugl9ZDtJR+UH+GpP/bOQZDTGF6f+p8dNlfpeoHZ92Yg62yMeD9qx9iQT8NeloLvpHk3B3NV10Lrff/zoeTGP7U8zKvLQsYnCwSPEodKEsxbf5mFcJN13/m+PW3tW0veRtYGvBwhimxidpSr+DLcRTZrZGs2Jf8BVqqAL0BIdH7exuLeKpACQzDAk10+DfLTNEXPgZ5jNBu3MBXqjyNRTTU+wEGAyUmHxv+ZJfjeBIM2Hgkl+lp2Bi5qQlsUduYtbXXrPQZzbgzIk+Rr0yY7/mfYSEXR41Uqv1QLScs2+Dpf713Lyr7H97bf64m1mzLd5vrps94JlqHSmcRzqENsW7HpdRmnpD7R+2lJe2faVX1HIT/mh/PjMItefbOhgV5FtcHcUiINVqi/4bmK68fPTXD+OBLuOHRkp1rYME6Z9pxXa6H6Ji8rIGOAHf2XyGqbvR80pG8n/jMk8AmaZLlvzCk1YAocphZDFAV/jm5zwFiUCzrND6mz4xCWJ8lJb2ZPoQpuGUppg/agoASFPeimbJp5zRuUp9tLL1xra0b9NjAA42M6ju1CkDvvNnRGEk/E9AD/G6v4AxHP5dzzmIlLSS6sNIDADPkdIfRhwe1Y7aF3TrYNq/P97Z1whtQ== schroeder@Christians-MacBook-Pro.local'
- name: annette - name: annette
user_id: 1006 user_id: 1006
group_id: 1006 group_id: 1006
@@ -72,6 +64,76 @@ extra_user:
- 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5IhVprsvVOcFPbZzD9xR0nCjZ/9qVG6RhLJ7QBSts81nRvLwnmvcMBHSf5Rfaigey7Ff5dLHfJnxRE0KDATn6n2yd/5mXpn2GAA8hDVfhdsmsb5U7bROjZNr8MmIUrP7c3msUGx1FtvzhwxtyvIWOFQpWx+W5biBa6hFjIxT1pkUJqe6fclp7xbGYKZiqZRBS4qKG5CpKnisuOYDsqYPND+OkU+PShoxGVzp1JywIVze7qeKv6GyYbRA9SP9Np+5Mit6B21Io4zOI81c2Rz6sPX7mwEAQEs7iCm2hzG8qJws45Lb4ERqDkVEVhGNUyHjHgGebS1sZx1mLExdurXlPm1l/EamkncDFDCutHXtLP7lsFFiym7fKUjSEgiiLmyu5Xm+mwZvesKa1FYNaeiFWfYZpCJrNzIk+ffs+mgg3kmL4Sd4Ooy7jXPX+WJe5Xyh1KLU/+Wj2TVrhN+LbmupYAti/Wgd3DA1v601svmG82aLmyJRtKC0rGMePH3kDbtqU72kYpzI8mXERe1TIQ00Z77kQBR/7BF/9y5/0YmYDcXt1wNCoSie+mzz3xYcEdLAc7T+DhYpd4M6VgWnuz/exzRzhQwoSdEKkEED8CpEoBrEWEiMdrlElGmlkVomLU7P9i9j1rshX/pAq0asnqeSoPdC3vNbU3keiJQnhIHECvw== chris@luna' - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC5IhVprsvVOcFPbZzD9xR0nCjZ/9qVG6RhLJ7QBSts81nRvLwnmvcMBHSf5Rfaigey7Ff5dLHfJnxRE0KDATn6n2yd/5mXpn2GAA8hDVfhdsmsb5U7bROjZNr8MmIUrP7c3msUGx1FtvzhwxtyvIWOFQpWx+W5biBa6hFjIxT1pkUJqe6fclp7xbGYKZiqZRBS4qKG5CpKnisuOYDsqYPND+OkU+PShoxGVzp1JywIVze7qeKv6GyYbRA9SP9Np+5Mit6B21Io4zOI81c2Rz6sPX7mwEAQEs7iCm2hzG8qJws45Lb4ERqDkVEVhGNUyHjHgGebS1sZx1mLExdurXlPm1l/EamkncDFDCutHXtLP7lsFFiym7fKUjSEgiiLmyu5Xm+mwZvesKa1FYNaeiFWfYZpCJrNzIk+ffs+mgg3kmL4Sd4Ooy7jXPX+WJe5Xyh1KLU/+Wj2TVrhN+LbmupYAti/Wgd3DA1v601svmG82aLmyJRtKC0rGMePH3kDbtqU72kYpzI8mXERe1TIQ00Z77kQBR/7BF/9y5/0YmYDcXt1wNCoSie+mzz3xYcEdLAc7T+DhYpd4M6VgWnuz/exzRzhQwoSdEKkEED8CpEoBrEWEiMdrlElGmlkVomLU7P9i9j1rshX/pAq0asnqeSoPdC3vNbU3keiJQnhIHECvw== chris@luna'
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 192.168.52.1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- wf.netz
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 194.150.168.168
# --- # ---
# vars used by roles/common/tasks/users-systemfiles.yml # vars used by roles/common/tasks/users-systemfiles.yml
# --- # ---

5
host_vars/backup.oopen.de.yml
View File

@@ -280,10 +280,13 @@ default_user:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICMHxvK5kzKgypVi8ZvshveSpyo0eSXiBCnAC5Pcjdgv root@discourse' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICMHxvK5kzKgypVi8ZvshveSpyo0eSXiBCnAC5Pcjdgv root@discourse'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDy5WM1qsLE2SRwWG1Y38WJcMYUpL8MuQiraqiXfHzaH root@e.mx' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDy5WM1qsLE2SRwWG1Y38WJcMYUpL8MuQiraqiXfHzaH root@e.mx'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOvOkCWNKUJ5o9e+0NhY4IFZv8LA7tkkkEFjr8nqFKhe root@formbricks-nd' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOvOkCWNKUJ5o9e+0NhY4IFZv8LA7tkkkEFjr8nqFKhe root@formbricks-nd'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL7KbEZApiqEcU4aK3A2J8hy+r1uV7TZupwm4CHGqLPH root@ga-gh-gw'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPbony+4g4iFS32Cv/Bkmet4FsCAsrGTffwWm2eM16x root@git.warenform' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPbony+4g4iFS32Cv/Bkmet4FsCAsrGTffwWm2eM16x root@git.warenform'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDqqmBWh3qmnx41NiLCn1LhVG0mn4++IUvRNC0OMh6h6 root@gitoea' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDqqmBWh3qmnx41NiLCn1LhVG0mn4++IUvRNC0OMh6h6 root@gitoea'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICR9o0+6jnfmXKOedKP6IZgt5lRIPFSJJ4FbMjz2SPkH root@gw-campus'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFEm1P7Pg3Tlm02bxkropKf3CcyTCAB3YCMxPSjai2lc root@gw-dissens' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFEm1P7Pg3Tlm02bxkropKf3CcyTCAB3YCMxPSjai2lc root@gw-dissens'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBYFe6i0UdPRyENvfaJSJVCHtmnlJmhbqGEsdIlTapsj root@initiativenserver' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBYFe6i0UdPRyENvfaJSJVCHtmnlJmhbqGEsdIlTapsj root@initiativenserver'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ54/I+TdZUA+Xc6bixSa3f0hN5y4kWW+xl9kqSZPBYS root@keycloak-nd'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO886BNZ/o9aBwkKqHku+MjS5/GEVRBbXXSF76ry7oZR root@mail-cadus' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO886BNZ/o9aBwkKqHku+MjS5/GEVRBbXXSF76ry7oZR root@mail-cadus'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKsPJQGHl1GVZ3yPl3Oi3xlH+EUsN1/EWDY2XAohag/P root@mail-fm' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKsPJQGHl1GVZ3yPl3Oi3xlH+EUsN1/EWDY2XAohag/P root@mail-fm'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICM4+Zvs5SY3E2cAMdnta1BujzudGg/97nz+nE5sipVD root@matomo-01' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICM4+Zvs5SY3E2cAMdnta1BujzudGg/97nz+nE5sipVD root@matomo-01'
@@ -301,6 +304,7 @@ default_user:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMTxl1BwIslVhsiFCZeRlgwoSO2ahaHWwMeiKAIRFJm6 root@o13-pad' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMTxl1BwIslVhsiFCZeRlgwoSO2ahaHWwMeiKAIRFJm6 root@o13-pad'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBHl2xONyeBX/gnJ4iVeSVoxu/W6ku2VorA5gxAbp95q root@o13-staging-board' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBHl2xONyeBX/gnJ4iVeSVoxu/W6ku2VorA5gxAbp95q root@o13-staging-board'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBaXEVvhblxX045H2/B/6RJmoW77WOKJM5FQfvMUPCIs root@o13-web' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBaXEVvhblxX045H2/B/6RJmoW77WOKJM5FQfvMUPCIs root@o13-web'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAp24VDXOsa0MuzGFaFa3CPDUsnA/ASojHAiN344m+dP root@o14'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICcQ9MFqTMOmjnec4ftUJAYiAe8p7pp7a5EBSIM0A5ji root@o17' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICcQ9MFqTMOmjnec4ftUJAYiAe8p7pp7a5EBSIM0A5ji root@o17'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFstQOOM/U18SV27+XTtBhso+vICK5L4aOGC83QnvS8+ root@o19' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFstQOOM/U18SV27+XTtBhso+vICK5L4aOGC83QnvS8+ root@o19'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC85aj16Ow1ZPutkp5TmZdxjMsECkhnO64ktc3OYZJHc root@o25-board' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC85aj16Ow1ZPutkp5TmZdxjMsECkhnO64ktc3OYZJHc root@o25-board'
@@ -326,6 +330,7 @@ default_user:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMUnxlKIffm8a5BmoQE40h8ut0R6eCxcm+Iewv3evmE9 root@oolm-shop' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMUnxlKIffm8a5BmoQE40h8ut0R6eCxcm+Iewv3evmE9 root@oolm-shop'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF4ylglAkPst7G6kES2lE96ECp0AGXGjzCVkZSqGVru6 root@oolm-shop-dev' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF4ylglAkPst7G6kES2lE96ECp0AGXGjzCVkZSqGVru6 root@oolm-shop-dev'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIUZ0WNd3rTqHH1tiXAELwssGw6xUP1ROdhgxKbMinYY root@oolm-web' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIUZ0WNd3rTqHH1tiXAELwssGw6xUP1ROdhgxKbMinYY root@oolm-web'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEJJCzTmrRp0s0qpkf9HYyx4lL+zs1jTAYcCsvqpJ72p root@super-opferhilfefonds'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID82UUUkYKYFbJdmTcMYu+vl3M0FVQznXFbngqPoumP+ root@prometheus-nd' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID82UUUkYKYFbJdmTcMYu+vl3M0FVQznXFbngqPoumP+ root@prometheus-nd'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJU5HzfGYZwWeaoAGGFF7/3VQP19ce6Rgn5wcOR98Q3o root@server26' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJU5HzfGYZwWeaoAGGFF7/3VQP19ce6Rgn5wcOR98Q3o root@server26'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBRfCFz6mPdn3TKVCgffHQAKt3LN/0srS/gBsMoOyZpi root@shop-agr' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBRfCFz6mPdn3TKVCgffHQAKt3LN/0srS/gBsMoOyZpi root@shop-agr'

3
host_vars/backup.warenform.de.yml
View File

@@ -252,6 +252,9 @@ default_user:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE1RkJYM8qcEagoKt9gNVaeBbXZEJscqIBNnhL/KZfSA root@munin.oopen.de' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE1RkJYM8qcEagoKt9gNVaeBbXZEJscqIBNnhL/KZfSA root@munin.oopen.de'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIj2SdZgxG4NCjUiCXY7msCG+Vn6MQ5jsGxrs2qn1QZh root@mx' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIj2SdZgxG4NCjUiCXY7msCG+Vn6MQ5jsGxrs2qn1QZh root@mx'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQAvCK/h7+8h8hPm3WyeEdBbhY4SdOSWJYxuFW24XbM root@nd' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQAvCK/h7+8h8hPm3WyeEdBbhY4SdOSWJYxuFW24XbM root@nd'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICwG3cYT1S5ttaf7OCB2dfBAg4FFA3OO3HPTkiclaVFi root@server22'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyse/Fby2JiHjM10uotVfsBYO0W1EgmtFG2q+Q1xe38 root@server24'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIH9V1aqgZSqu7vfK9e5qGKm+ICHd8VglRr0Brm4kXfu root@server25'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBOOYhdtNPAQP8BlgSYBaMfWl8Yv4Y9ww7SWeLOn0HXH root@web0' - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBOOYhdtNPAQP8BlgSYBaMfWl8Yv4Y9ww7SWeLOn0HXH root@web0'

84
host_vars/cl-irights.oopen.de.yml
View File

@@ -99,6 +99,90 @@ resolved_fallback_nameserver:
- 194.150.168.168 - 194.150.168.168
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_env_entries:
- name: PATH
job: /root/bin/admin-stuff:/root/bin:/usr/local/apache2/bin:/usr/local/php/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
- name: SHELL
job: /bin/bash
insertafter: PATH
cron_user_special_time_entries:
- name: "Restart DNS Cache service 'systemd-resolved'"
special_time: reboot
job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
insertafter: PATH
cron_user_entries:
- name: "Check if webservices sre running. Restart if necessary"
minute: '*/5'
hour: '*'
job: /root/bin/monitoring/check_webservice_load.sh
- name: "Check if SSH service is running. Restart service if needed."
minute: '*/5'
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if Postfix Mailservice is up and running?"
minute: '*/15'
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
- name: "Check Postfix E-Mail LOG file for 'fatal' errors.."
minute: '*/5'
hour: '*'
job: /root/bin/postfix/check-postfix-fatal-errors.sh
- name: "Optimize mysql tables"
minute: '53'
hour: '04'
job: /root/bin/mysql/optimize_mysql_tables.sh
- name: "Flush query cache for mysql tables"
minute: '27'
hour: '04'
job: /root/bin/mysql/flush_query_cache.sh
- name: "Flush Host cache"
minute: '17'
hour: '05'
job: /root/bin/mysql/flush_host_cache.sh
- name: "Run occ file:scan for each cloud account"
minute: '02'
hour: '23'
job: /root/bin/nextcloud/occ_maintenance.sh -s cloud-irights.oopen.de
- name: "Background job for nextcloud instance 'cloud-irights.oopen.de"
minute: '*/15'
hour: '*'
job: sudo -u "www-data" /usr/local/php/bin/php -f /var/www/cloud-irights.oopen.de/htdocs/cron.php
- name: "Check if certificates for coolwsd service are up to date"
minute: '17'
hour: '05'
job: /root/bin/nextcloud/check_cert_coolwsd.sh
- name: "Generate/Renew Let's Encrypt Certificates if needed (using dehydrated script)"
minute: '23'
hour: '05'
job: /var/lib/dehydrated/cron/dehydrated_cron.sh
- name: "Check whether all certificates are included in the VHOST configurations"
minute: '33'
hour: '05'
job: /var/lib/dehydrated/tools/update_ssl_directives.sh
# --- # ---
# vars used by roles/common/tasks/users.yml # vars used by roles/common/tasks/users.yml
# --- # ---

56
host_vars/mm-irights-neu.oopen.de.yml → host_vars/devel-db.wf.netz.yml
View File

@@ -1,5 +1,10 @@
--- ---
# ---
# vars used by roles/network_interfaces
# ---
# --- # ---
# vars used by roles/ansible_dependencies # vars used by roles/ansible_dependencies
# --- # ---
@@ -41,8 +46,8 @@ systemd_resolved: true
# IPv6: 2606:4700:4700::1111 # IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse # sekundäre DNS-Adresse
# IPv4: 1.0.0.1 # IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001 # IPv6: 2606:4700:4700::1001
# #
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit # Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse # primäre DNS-Adresse
# IPv4: 8.8.8.8 # IPv4: 8.8.8.8
@@ -53,20 +58,20 @@ systemd_resolved: true
# #
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug # Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse # primäre DNS-Adresse
# IPv4: 9.9.9.9 # IPv4: 9.9.9.9
# IPv6: 2620:fe::fe # IPv6: 2620:fe::fe
# sekundäre DNS-Adresse # sekundäre DNS-Adresse
# IPv4: 149.112.112.112 # IPv4: 149.112.112.112
# IPv6: 2620:fe::9 # IPv6: 2620:fe::9
# #
# OpenNIC - https://www.opennic.org/ # OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de # IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de # IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de # IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de # IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de # IPv6: 2a00:f826:8:2::195 - ns31.de
# #
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS) # Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255 # IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000:: # IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net # Servername für DNS-over-TLS: dot.ffmuc.net
@@ -75,20 +80,17 @@ systemd_resolved: true
# Servername für DNS-over-TLS: dot.ffmuc.net # Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) # für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver: resolved_nameserver:
- 185.12.64.2 - 192.168.52.1
- 2a01:4ff:ff00::add:1
- 185.12.64.1
- 2a01:4ff:ff00::add:2
# search domains # search domains
# #
# If there are more than one search domains, then specify them here in the order in which # If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them # the resolver should also search them
# #
#resolved_domains: [] #resolved_domains: []
resolved_domains: resolved_domains:
- ~. - ~.
- oopen.de - wf.netz
resolved_dnssec: false resolved_dnssec: false
@@ -98,6 +100,11 @@ resolved_fallback_nameserver:
- 194.150.168.168 - 194.150.168.168
# ---
# vars used by roles/common/tasks/cron.yml
# ---
# --- # ---
# vars used by roles/common/tasks/users.yml # vars used by roles/common/tasks/users.yml
# --- # ---
@@ -129,10 +136,20 @@ resolved_fallback_nameserver:
# vars used by roles/common/tasks/git.yml # vars used by roles/common/tasks/git.yml
# --- # ---
git_firewall_repository:
name: ipt-server # ---
repo: https://git.oopen.de/firewall/ipt-server # vars used by roles/common/tasks/nfs.yml
dest: /usr/local/src/ipt-server # ---
# ---
# vars used by roles/common/tasks/samba-config-server.yml
# vars used by roles/common/tasks/samba-user.yml
# ---
# ============================== # ==============================
@@ -144,4 +161,3 @@ git_firewall_repository:
root_user: root_user:
name: root name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq. password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.

163
host_vars/devel-php.wf.netz.yml Normal file
View File

@@ -0,0 +1,163 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 192.168.52.1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- wf.netz
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/cron.yml
# ---
# ---
# vars used by roles/common/tasks/users.yml
# ---
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
# ---
# vars used by roles/common/tasks/nfs.yml
# ---
# ---
# vars used by roles/common/tasks/samba-config-server.yml
# vars used by roles/common/tasks/samba-user.yml
# ---
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.

163
host_vars/devel-repos.wf.netz.yml Normal file
View File

@@ -0,0 +1,163 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 192.168.52.1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- wf.netz
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/cron.yml
# ---
# ---
# vars used by roles/common/tasks/users.yml
# ---
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
# ---
# vars used by roles/common/tasks/nfs.yml
# ---
# ---
# vars used by roles/common/tasks/samba-config-server.yml
# vars used by roles/common/tasks/samba-user.yml
# ---
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.

163
host_vars/devel-wiki.wf.netz.yml Normal file
View File

@@ -0,0 +1,163 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 192.168.52.1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- wf.netz
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/cron.yml
# ---
# ---
# vars used by roles/common/tasks/users.yml
# ---
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
# ---
# vars used by roles/common/tasks/nfs.yml
# ---
# ---
# vars used by roles/common/tasks/samba-config-server.yml
# vars used by roles/common/tasks/samba-user.yml
# ---
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.

652
host_vars/file-ah-neu.kanzlei-kiel.netz.yml Normal file
View File

@@ -0,0 +1,652 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
network_manage_devices: True
# Should the interfaces be reloaded after config change?
network_interface_reload: False
network_interface_path: /etc/network/interfaces.d
network_interface_required_packages:
- vlan
- bridge-utils
- ifmetric
- ifupdown
- ifenslave
network_interfaces:
- device: br0
# use only once per device (for the first device entry)
headline: br0 - bridge over device eno1np0
# auto & allow are only used for the first device entry
allow: [] # array of allow-[stanzas] eg. allow-hotplug
auto: true
family: inet
method: static
hwaddress: 7c:c2:55:c0:26:74
description:
address: 192.168.100.20
netmask: 24
gateway: 192.168.100.254
# optional dns settings nameservers: []
#
# nameservers:
# - 194.150.168.168 # dns.as250.net
# - 91.239.100.100 # anycast.censurfridns.dk
# search: warenform.de
#
#nameservers:
# - 192.168.100.1
#search: kanzlei-kiel.netz
# optional bridge parameters bridge: {}
# bridge:
# ports:
# stp:
# fd:
# maxwait:
# waitport:
bridge:
ports: eno1np0 # for mor devices support a blank separated list
stp: !!str off
fd: 5
hello: 2
maxage: 12
# inline hook scripts
pre-up:
- !!str "ip link set dev eno1np0 up" # pre-up script lines
up: [] #up script lines
post-up: [] # post-up script lines (alias for up)
pre-down: [] # pre-down script lines (alias for down)
down: [] # down script lines
post-down: [] # post-down script lines
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 192.168.100.1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- kanzlei-kiel.netz
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/users
# ---
default_user:
- name: chris
password: $y$j9T$JPKlR6kIk7GJStSdmAQWq/$e1vJER6KL/dk1diFNtC.COw9lu2uT6ZdrUgGcNVb912
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
# password: 9xFXkdPR_2
- name: sysadm
user_id: 1050
group_id: 1050
group: sysadm
password: $y$j9T$sHxqz7NyYdn38ZegSbewO.$PPHR0n.XeMcS3AQ9KybllBT.2hxpYlQ7AiVhxHgUOX8
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
# password: Iar-zrq4wG.2
- name: winadm
user_id: 1055
group_id: 1055
group: winadm
append: true
groups:
- sysadm
home: /home/winadm
password: $y$j9T$FIN.5hpIbyFh/zx8a3xVZ.$jn9b12BUW57PEXGp3288t/dVBB7glyTgj/58QyYOG7D
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: back
user_id: 1060
group_id: 1060
group: back
password: $y$j9T$WmitGB98lhPLJ39Iy4YfH.$irv0LP1bB5ImQKBUr1acEif6Ed6zDu6gLQuGQd/i5s0
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd0AwTHbDBK4Dgs+IZWmtnDBjoVIogOUvkLIYvsff1y root@backup.open.de'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINj0nCdFOZm51AVCfPbZ22QROIEiboXZ7RamHvM2E9IM root@backup.warenform.de'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQMCGCyIvs5hoNDoTIkKvKmEbxLf+uCYI1vx//ZQYY root@o26-backup'
- name: borg
user_id: 1065
group_id: 1065
group: borg
home: /home/borg
password: $y$j9T$JPKlR6kIk7GJStSdmAQWq/$e1vJER6KL/dk1diFNtC.COw9lu2uT6ZdrUgGcNVb912
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd0AwTHbDBK4Dgs+IZWmtnDBjoVIogOUvkLIYvsff1y root@backup.open.de'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF7MKFmJ2kJrNs5DhlPqfizZgz3wNpzFAITo63p/VBOe root@file-ah'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIItQLQ7lhBY2USF4Jcp4teF+1NydI73VeHYbQW8q4Mcw root@gw-ah'
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_user_entries:
- name: "Check if postfix mailservice is running. Restart service if needed."
minute: "*/5"
hour: "*"
job: /root/bin/monitoring/check_postfix.sh
- name: "Check Postfix E-Mail LOG file for 'fatal' errors."
minute: "*/30"
hour: "*"
job: /root/bin/postfix/check-postfix-fatal-errors.sh
- name: "Clean up Samba Trash Dirs"
minute: "02"
hour: "23"
job: /root/bin/samba/clean_samba_trash.sh
- name: "Set (group and access) Permissons for Samba shares"
minute: "14"
hour: "23"
job: /root/bin/samba/set_permissions_samba_shares.sh
- name: "Check if ntpsec is running. Restart service if needed."
minute: "*/6"
hour: "*"
job: /root/bin/monitoring/check_ntpsec_service.sh
cron_user_special_time_entries:
- name: "Restart DNS Cache service 'systemd-resolved'"
special_time: reboot
job: "sleep 10 ; /bin/systemctl restart systemd-resolved"
insertafter: PATH
#cron_user_special_time_entries:
#
# - name: "Restart DNS Cache service 'systemd-resolved'"
# special_time: reboot
# job: "sleep 10 ; /bin/systemctl restart systemd-resolved"
# insertafter: PATH
# ---
# vars used by roles/common/tasks/users.yml
# ---
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
# ---
# vars used by roles/common/tasks/nfs.yml
# ---
nfs_server: 192.168.100.20
# ---
# vars used by roles/common/tasks/samba-config-server.yml
# vars used by roles/common/tasks/samba-user.yml
# ---
samba_server_ip: 192.168.100.20
samba_server_cidr_prefix: 24
samba_workgroup: AH-NEU
samba_netbios_name: FILE-AH-NEU
samba_groups:
- name: verwaltung
group_id: 120
- name: intern
group_id: 121
- name: hoffmann-elberling
group_id: 122
- name: gubitz-partner
group_id: 123
- name: sysadm
group_id: 1050
- name: install
group_id: 1070
samba_user:
- name: chris
groups:
- buero
- intern
- verwaltung
- gubitz-partner
- hoffmann-elberling
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
63643330373231636537366333326630333265303265653933613835656262323863363038653234
3462653135633266373439626263356636646637643035340a653466356235346663626163306363
61313164643061306433643738643563303036646334376536626531383965303036386162393832
6631333038306462610a356535633265633563633962333137326533633834636331343562633765
3631
- name: test
groups:
- buero
- intern
- verwaltung
- gubitz-partner
- hoffmann-elberling
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
63643330373231636537366333326630333265303265653933613835656262323863363038653234
3462653135633266373439626263356636646637643035340a653466356235346663626163306363
61313164643061306433643738643563303036646334376536626531383965303036386162393832
6631333038306462610a356535633265633563633962333137326533633834636331343562633765
3631
- name: buero
groups:
- verwaltung
- intern
- hoffmann-elberling
password: 'buero2011'
- name: axel
groups:
- intern
- verwaltung
- hoffmann-elberling
password: 'ah-kiel.2018'
- name: bjoern
groups:
- intern
- verwaltung
- hoffmann-elberling
password: 'bjoern2011'
- name: gubitz
groups:
- intern
- verwaltung
- gubitz-partner
password: '20gubitz12'
- name: schaar
groups:
- intern
- verwaltung
- gubitz-partner
password: '20schaar12'
- name: molkentin
groups:
- intern
- verwaltung
- gubitz-partner
password: 20molkentin12
- name: buerooben
groups:
- intern
- verwaltung
- hoffmann-elberling
password: 'buero2013'
- name: buchholz
groups:
- buero
- intern
- verwaltung
password: '20-buch_holz-20'
- name: kiel-nb1
groups:
- buero
- intern
- verwaltung
- gubitz-partner
- hoffmann-elberling
password: '20-note%book1-20'
- name: kiel-nb2
groups:
- buero
- intern
- verwaltung
- gubitz-partner
- hoffmann-elberling
password: '20-note%book2-20'
- name: schmidt
groups:
- intern
- verwaltung
- gubitz-partner
password: '20-schmidt_21%'
- name: simone.schnoenmehl
groups:
- intern
- gubitz-partner
password: '20-simone-schnoenmehl-22%'
- name: heckert
groups:
- intern
- gubitz-partner
password: '0-heckert.22%'
- name: hh-lucke
groups: []
password: 'Ole20Steffen_17'
- name: hh-kanzlei
groups: []
password: '20-HH_18-Kanzlei'
- name: hh-jaenicke
groups: []
password: '20-th.jaenicke_%20'
- name: hh-pueschel
groups: []
password: '20-HH_caro.pueschel-%21'
- name: hh-kell
groups: []
password: '20-an.kell-%24'
- name: hh-neumann
groups: []
password: '20.neu-mann_%24'
# password: Iar-zrq4wG.2
- name: winadm
groups:
- sysadm
- install
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
31326630303038396164656266623339353031336434376531383133643266656133363165316532
6364343131656235313432356230646337373362343938660a393031323561326438653935393632
34373464313666343433626635656261323933353631393632626166643738386333636639303334
3661613165626230640a306236363161356239306232633565336131303066383464626164636133
3038
- name: hh-stork
groups: []
password: '20-ni-na.stork_%24'
- name: back
groups: []
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
63643330373231636537366333326630333265303265653933613835656262323863363038653234
3462653135633266373439626263356636646637643035340a653466356235346663626163306363
61313164643061306433643738643563303036646334376536626531383965303036386162393832
6631333038306462610a356535633265633563633962333137326533633834636331343562633765
3631
# password: 9xFXkdPR_2
- name: sysadm
groups:
- buero
- install
- intern
- verwaltung
- gubitz-partner
- hoffmann-elberling
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
35323634653231353634343232326436393435386366396364373766306135636536323165656362
3138366263316231333038343930313134333565373566640a363932616535343538376333313335
64326566643163366533356464326339653236636562363336633738656631626433306661323835
3337663865333636660a626131366161636433613561613235333831653733383365623564313431
6439
base_home: /home
# remove_samba_users:
# - name: name1
# - name: name2
#
remove_samba_users: []
samba_shares:
- name: Buero
path: /data/samba/shares/Buero
group_valid_users: intern
group_write_list: intern
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_recycle: true
recycle_path: '@Recycle'
- name: Verwaltung
path: /data/samba/shares/Verwaltung
group_valid_users: verwaltung
group_write_list: verwaltung
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_recycle: true
recycle_path: '@Recycle'
- name: Scans_schnell
path: /data/samba/shares/Scans_schnell
group_valid_users: intern
group_write_list: intern
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_recycle: true
recycle_path: '@Recycle'
- name: Hoffmann-Elberling
path: /data/samba/shares/Hoffmann-Elberling
group_valid_users: hoffmann-elberling
group_write_list: hoffmann-elberling
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_recycle: true
recycle_path: '@Recycle'
- name: Gubitz-Partner
path: /data/samba/shares/Gubitz-Partner
group_valid_users: gubitz-partner
group_write_list: gubitz-partner
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_recycle: true
recycle_path: '@Recycle'
- name: Gubitz-Backup
path: /data/samba/non-backup-shares/Gubitz-Backup
group_valid_users: gubitz
group_write_list: gubitz
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_recycle: true
recycle_path: '@Recycle'
- name: Install
path: /data/samba/shares/install
group_valid_users: install
group_write_list: install
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_recycle: true
recycle_path: '@Recycle'
# ---
# - This share will be written by Windows Server 2016 configured at
# - "Windows Zubehör" -> "Windows Server-Sicherung"
# ---
- name: WinServer2016-Backup
comment: WinServer2016-Backup on Fileserver
path: /data/samba/shares/WinServer2016-Backup
group_valid_users: sysadm
group_write_list: sysadm
file_create_mask: !!str 664
dir_create_mask: !!str 2775
guest_ok: !!str yes
vfs_object_recycle: false
# ---
# - This share will be written by windows schedulescript 'backup-advoware.bat'
# ---
- name: Advoware-Backup
comment: Advoware-Backup (only read) on Fileserver
path: /data/samba/shares/Advoware-Backup
group_valid_users: back
group_write_list: back
file_create_mask: !!str 664
dir_create_mask: !!str 2775
guest_ok: !!str yes
vfs_object_recycle: false
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.

279
host_vars/file-ah.kanzlei-kiel.netz.yml
View File

@@ -168,6 +168,72 @@ resolved_fallback_nameserver:
- 194.150.168.168 - 194.150.168.168
# ---
# vars used by roles/common/tasks/users
# ---
default_user:
- name: chris
password: $y$j9T$JPKlR6kIk7GJStSdmAQWq/$e1vJER6KL/dk1diFNtC.COw9lu2uT6ZdrUgGcNVb912
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
# password: 9xFXkdPR_2
- name: sysadm
user_id: 1050
group_id: 1050
group: sysadm
password: $y$j9T$sHxqz7NyYdn38ZegSbewO.$PPHR0n.XeMcS3AQ9KybllBT.2hxpYlQ7AiVhxHgUOX8
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
# password: Iar-zrq4wG.2
- name: winadm
user_id: 1055
group_id: 1055
group: winadm
append: true
groups:
- sysadm
home: /home/winadm
password: $y$j9T$FIN.5hpIbyFh/zx8a3xVZ.$jn9b12BUW57PEXGp3288t/dVBB7glyTgj/58QyYOG7D
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: back
user_id: 1060
group_id: 1060
group: back
password: $y$j9T$WmitGB98lhPLJ39Iy4YfH.$irv0LP1bB5ImQKBUr1acEif6Ed6zDu6gLQuGQd/i5s0
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd0AwTHbDBK4Dgs+IZWmtnDBjoVIogOUvkLIYvsff1y root@backup.open.de'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINj0nCdFOZm51AVCfPbZ22QROIEiboXZ7RamHvM2E9IM root@backup.warenform.de'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQMCGCyIvs5hoNDoTIkKvKmEbxLf+uCYI1vx//ZQYY root@o26-backup'
- name: borg
user_id: 1065
group_id: 1065
group: borg
home: /home/borg
password: $y$j9T$JPKlR6kIk7GJStSdmAQWq/$e1vJER6KL/dk1diFNtC.COw9lu2uT6ZdrUgGcNVb912
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd0AwTHbDBK4Dgs+IZWmtnDBjoVIogOUvkLIYvsff1y root@backup.open.de'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF7MKFmJ2kJrNs5DhlPqfizZgz3wNpzFAITo63p/VBOe root@file-ah'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIItQLQ7lhBY2USF4Jcp4teF+1NydI73VeHYbQW8q4Mcw root@gw-ah'
# --- # ---
# vars used by roles/common/tasks/cron.yml # vars used by roles/common/tasks/cron.yml
# --- # ---
@@ -247,50 +313,6 @@ samba_groups:
samba_user: samba_user:
- name: axel
groups:
- intern
- verwaltung
- hoffmann-elberling
password: 'ah-kiel.2018'
- name: back
groups: []
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
63643330373231636537366333326630333265303265653933613835656262323863363038653234
3462653135633266373439626263356636646637643035340a653466356235346663626163306363
61313164643061306433643738643563303036646334376536626531383965303036386162393832
6631333038306462610a356535633265633563633962333137326533633834636331343562633765
3631
- name: bjoern
groups:
- intern
- verwaltung
- hoffmann-elberling
password: 'bjoern2011'
- name: buchholz
groups:
- buero
- intern
- verwaltung
password: '20-buch_holz-20'
- name: buero
groups:
- verwaltung
- intern
password: 'buero2011'
- name: buerooben
groups:
- intern
- verwaltung
- hoffmann-elberling
password: 'buero2013'
- name: chris - name: chris
groups: groups:
- buero - buero
@@ -306,6 +328,43 @@ samba_user:
6631333038306462610a356535633265633563633962333137326533633834636331343562633765 6631333038306462610a356535633265633563633962333137326533633834636331343562633765
3631 3631
- name: test
groups:
- buero
- intern
- verwaltung
- gubitz-partner
- hoffmann-elberling
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
63643330373231636537366333326630333265303265653933613835656262323863363038653234
3462653135633266373439626263356636646637643035340a653466356235346663626163306363
61313164643061306433643738643563303036646334376536626531383965303036386162393832
6631333038306462610a356535633265633563633962333137326533633834636331343562633765
3631
- name: buero
groups:
- verwaltung
- intern
- hoffmann-elberling
- gubitz-partner
password: 'buero2011'
- name: axel
groups:
- intern
- verwaltung
- hoffmann-elberling
password: 'ah-kiel.2018'
- name: bjoern
groups:
- intern
- verwaltung
- hoffmann-elberling
password: 'bjoern2011'
- name: gubitz - name: gubitz
groups: groups:
- intern - intern
@@ -313,39 +372,33 @@ samba_user:
- gubitz-partner - gubitz-partner
password: '20gubitz12' password: '20gubitz12'
- name: heckert - name: schaar
groups: groups:
- intern - intern
- verwaltung
- gubitz-partner - gubitz-partner
password: '0-heckert.22%' password: '20schaar12'
- name: hh-jaenicke - name: molkentin
groups: [] groups:
password: '20-th.jaenicke_%20' - intern
- verwaltung
- gubitz-partner
password: 20molkentin12
- name: hh-kanzlei - name: buerooben
groups: [] groups:
password: '20-HH_18-Kanzlei' - intern
- verwaltung
- hoffmann-elberling
password: 'buero2013'
- name: hh-lucke - name: buchholz
groups: [] groups:
password: 'Ole20Steffen_17' - buero
- intern
- name: hh-kell - verwaltung
groups: [] password: '20-buch_holz-20'
password: '20-an.kell-%24'
- name: hh-neumann
groups: []
password: '20.neu-mann_%24'
- name: hh-pueschel
groups: []
password: '20-HH_caro.pueschel-%21'
- name: hh-stork
groups: []
password: '20-ni-na.stork_%24'
- name: kiel-nb1 - name: kiel-nb1
groups: groups:
@@ -365,20 +418,6 @@ samba_user:
- hoffmann-elberling - hoffmann-elberling
password: '20-note%book2-20' password: '20-note%book2-20'
- name: molkentin
groups:
- intern
- verwaltung
- gubitz-partner
password: 20molkentin12
- name: schaar
groups:
- intern
- verwaltung
- gubitz-partner
password: '20schaar12'
- name: schmidt - name: schmidt
groups: groups:
- intern - intern
@@ -392,6 +431,63 @@ samba_user:
- gubitz-partner - gubitz-partner
password: '20-simone-schnoenmehl-22%' password: '20-simone-schnoenmehl-22%'
- name: heckert
groups:
- intern
- gubitz-partner
password: '0-heckert.22%'
- name: hh-lucke
groups: []
password: 'Ole20Steffen_17'
- name: hh-kanzlei
groups: []
password: '20-HH_18-Kanzlei'
- name: hh-jaenicke
groups: []
password: '20-th.jaenicke_%20'
- name: hh-pueschel
groups: []
password: '20-HH_caro.pueschel-%21'
- name: hh-kell
groups: []
password: '20-an.kell-%24'
- name: hh-neumann
groups: []
password: '20.neu-mann_%24'
# password: Iar-zrq4wG.2
- name: winadm
groups:
- sysadm
- install
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
31326630303038396164656266623339353031336434376531383133643266656133363165316532
6364343131656235313432356230646337373362343938660a393031323561326438653935393632
34373464313666343433626635656261323933353631393632626166643738386333636639303334
3661613165626230640a306236363161356239306232633565336131303066383464626164636133
3038
- name: hh-stork
groups: []
password: '20-ni-na.stork_%24'
- name: back
groups: []
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
63643330373231636537366333326630333265303265653933613835656262323863363038653234
3462653135633266373439626263356636646637643035340a653466356235346663626163306363
61313164643061306433643738643563303036646334376536626531383965303036386162393832
6631333038306462610a356535633265633563633962333137326533633834636331343562633765
3631
# password: 9xFXkdPR_2 # password: 9xFXkdPR_2
- name: sysadm - name: sysadm
groups: groups:
@@ -409,19 +505,6 @@ samba_user:
3337663865333636660a626131366161636433613561613235333831653733383365623564313431 3337663865333636660a626131366161636433613561613235333831653733383365623564313431
6439 6439
# password: Iar-zrq4wG.2
- name: winadm
groups:
- sysadm
- install
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
31326630303038396164656266623339353031336434376531383133643266656133363165316532
6364343131656235313432356230646337373362343938660a393031323561326438653935393632
34373464313666343433626635656261323933353631393632626166643738386333636639303334
3661613165626230640a306236363161356239306232633565336131303066383464626164636133
3038
base_home: /home base_home: /home
# remove_samba_users: # remove_samba_users:

16
host_vars/file-blkr.blkr.netz.yml
View File

@@ -201,7 +201,7 @@ cron_user_special_time_entries:
sudoers_file_user_aliases: sudoers_file_user_aliases:
- name: MAIN_USER - name: MAIN_USER
entry: 'josephine, julius, julius-e, sebastian' entry: 'josephine, julius, julius-e, leonie, buero1, buero2, buero3, referendariat, refa, ref1, sebastian, buero-05, buero-06, lap-01'
sudoers_file_cmnd_aliases: sudoers_file_cmnd_aliases:
- name: REBOOT - name: REBOOT
@@ -360,6 +360,20 @@ samba_user:
groups: groups:
- buero - buero
password: 'N-ba2R+i/2eM' password: 'N-ba2R+i/2eM'
- name: lap-01
groups:
- buero
password: 'X_2yYs2AIo.E'
- name: clara
groups:
- buero
password: '52uT-/vP.ZpX'
# - name: lap-02
# groups:
# - buero
# password: 'N.i/_UXcG5C9'
base_home: /data/home base_home: /data/home

122
host_vars/file-dissens.dissens.netz.yml
View File

@@ -143,10 +143,105 @@ resolved_fallback_nameserver:
- 194.150.168.168 - 194.150.168.168
# ---
# vars used by roles/common/tasks/users
# ---
default_user:
- name: chris
password: $y$j9T$JPKlR6kIk7GJStSdmAQWq/$e1vJER6KL/dk1diFNtC.COw9lu2uT6ZdrUgGcNVb912
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: sysadm
user_id: 1050
group_id: 1050
group: sysadm
password: $y$j9T$sHxqz7NyYdn38ZegSbewO.$PPHR0n.XeMcS3AQ9KybllBT.2hxpYlQ7AiVhxHgUOX8
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: localadmin
user_id: 1051
group_id: 1051
group: localadmin
home: /home/localadmin
password: $y$j9T$1WH8G2UkuN1jjp4QLuoeC0$dXpOnJUfMMAqAXlwN8XD0pq78r.a4UZOgt3LY4afxy/
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: back
user_id: 1060
group_id: 1060
group: back
password: $y$j9T$WmitGB98lhPLJ39Iy4YfH.$irv0LP1bB5ImQKBUr1acEif6Ed6zDu6gLQuGQd/i5s0
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd0AwTHbDBK4Dgs+IZWmtnDBjoVIogOUvkLIYvsff1y root@backup.open.de'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINj0nCdFOZm51AVCfPbZ22QROIEiboXZ7RamHvM2E9IM root@backup.warenform.de'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQMCGCyIvs5hoNDoTIkKvKmEbxLf+uCYI1vx//ZQYY root@o26-backup'
#extra_user:
#
# - name: borg
# user_id: 1065
# group_id: 1065
# group: borg
# home: /home/borg
# password: $y$j9T$SZty9T8ZWbnyHR2S85xaG.$GhxHOKG9fKErT9s5TAehXXyZJSkNaIcXY18Rg1iMyhC
# shell: /bin/bash
# ssh_keys:
# - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
# - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd0AwTHbDBK4Dgs+IZWmtnDBjoVIogOUvkLIYvsff1y root@backup.open.de'
# - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHXrNhcgNtZykTgzcwX/L1cL8qpSyQQy75M01UpjdSmA root@file-dissens'
# - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFEm1P7Pg3Tlm02bxkropKf3CcyTCAB3YCMxPSjai2lc root@gw-dissens'
# --- # ---
# vars used by roles/common/tasks/cron.yml # vars used by roles/common/tasks/cron.yml
# --- # ---
cron_user_entries:
- name: "Daily Backup "
minute: "03"
hour: "00"
job: /root/crontab/backup-rborg2/rborg2.sh
- name: "Check if postfix mailservice is running. Restart service if needed."
minute: "*/5"
hour: "*"
job: /root/bin/monitoring/check_postfix.sh
- name: "Check Postfix E-Mail LOG file for 'fatal' errors."
minute: "*/30"
hour: "*"
job: /root/bin/postfix/check-postfix-fatal-errors.sh
- name: "Clean up Samba Trash Dirs"
minute: "02"
hour: "23"
job: /root/bin/samba/clean_samba_trash.sh
- name: "Set (group and access) Permissons for Samba shares"
minute: "14"
hour: "23"
job: /root/bin/samba/set_permissions_samba_shares.sh
- name: "Check if ntpsec is running. Restart service if needed."
minute: "*/6"
hour: "*"
job: /root/bin/monitoring/check_ntpsec_service.sh
cron_user_special_time_entries: cron_user_special_time_entries:
- name: "Restart DNS Cache service 'systemd-resolved'" - name: "Restart DNS Cache service 'systemd-resolved'"
@@ -154,12 +249,6 @@ cron_user_special_time_entries:
job: "sleep 10 ; /bin/systemctl restart systemd-resolved" job: "sleep 10 ; /bin/systemctl restart systemd-resolved"
insertafter: PATH insertafter: PATH
- name: "Restart NTP Service ntpsec"
special_time: reboot
job: "sleep 15 ; /bin/systemctl restart intpsec > /dev/null 2>&1"
insertafter: PATH
# --- # ---
# vars used by roles/common/tasks/users.yml # vars used by roles/common/tasks/users.yml
@@ -331,6 +420,12 @@ samba_user:
- team - team
password: '20/l4ur4-s4sse-24?' password: '20/l4ur4-s4sse-24?'
- name: lino.koehler
groups:
- projekte
- team
password: '20.l1no-ko3hl3r_25/'
- name: maite.gabriel - name: maite.gabriel
groups: groups:
- projekte - projekte
@@ -368,6 +463,11 @@ samba_user:
- projekte - projekte
password: '20.ros1tsa-mahd1+24+' password: '20.ros1tsa-mahd1+24+'
- name: selma.albrecht
groups:
- projekte
password: '20-sel-ma.al-brecht/25!'
- name: sarah.klemm - name: sarah.klemm
groups: groups:
- gf - gf
@@ -376,6 +476,16 @@ samba_user:
- verwaltung - verwaltung
password: '20.s4r4h_kl3mm-24!' password: '20.s4r4h_kl3mm-24!'
- name: selma.albrecht
groups:
- projekte
password: '20-sel-ma.al-brecht/25!'
- name: scan
groups:
- team
password: '20-sc4n.25!'
- name: sebastian.scheele - name: sebastian.scheele
groups: groups:
- projekte - projekte

85
host_vars/file-ebs.ebs.netz.yml
View File

@@ -174,6 +174,67 @@ resolved_fallback_nameserver:
- 172.16.182.254 - 172.16.182.254
# ---
# vars used by roles/common/tasks/users
# ---
default_user:
- name: chris
password: $y$j9T$JPKlR6kIk7GJStSdmAQWq/$e1vJER6KL/dk1diFNtC.COw9lu2uT6ZdrUgGcNVb912
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: sysadm
user_id: 1050
group_id: 1050
group: sysadm
password: $y$j9T$sHxqz7NyYdn38ZegSbewO.$PPHR0n.XeMcS3AQ9KybllBT.2hxpYlQ7AiVhxHgUOX8
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: localadmin
user_id: 1051
group_id: 1051
group: localadmin
home: /home/localadmin
password: $y$j9T$1WH8G2UkuN1jjp4QLuoeC0$dXpOnJUfMMAqAXlwN8XD0pq78r.a4UZOgt3LY4afxy/
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: back
user_id: 1060
group_id: 1060
group: back
password: $y$j9T$WmitGB98lhPLJ39Iy4YfH.$irv0LP1bB5ImQKBUr1acEif6Ed6zDu6gLQuGQd/i5s0
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd0AwTHbDBK4Dgs+IZWmtnDBjoVIogOUvkLIYvsff1y root@backup.open.de'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINj0nCdFOZm51AVCfPbZ22QROIEiboXZ7RamHvM2E9IM root@backup.warenform.de'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQMCGCyIvs5hoNDoTIkKvKmEbxLf+uCYI1vx//ZQYY root@o26-backup'
- name: borg
user_id: 1065
group_id: 1065
group: borg
home: /home/borg
password: $y$j9T$JPKlR6kIk7GJStSdmAQWq/$e1vJER6KL/dk1diFNtC.COw9lu2uT6ZdrUgGcNVb912
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd0AwTHbDBK4Dgs+IZWmtnDBjoVIogOUvkLIYvsff1y root@backup.open.de'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAMFUnBjVV0WjUlhd2FT49nXlpHUDPEwaJ7bAvRJfB56 root@file-ebs'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBK8Ngbtl8Yjtk1JkT0Xn1HVIAHKdtfh0qicnnJTa3Kx root@gw-ebs'
# --- # ---
# vars used by roles/common/tasks/cron.yml # vars used by roles/common/tasks/cron.yml
# --- # ---
@@ -261,6 +322,9 @@ samba_netbios_name: FILE-EBS
samba_groups: samba_groups:
- name: sysadm
group_id: 1050
- name: admin - name: admin
group_id: 1100 group_id: 1100
@@ -312,6 +376,12 @@ samba_user:
- recherche - recherche
password: 'IrcR3uo-QJ.5' password: 'IrcR3uo-QJ.5'
- name: winadm
groups:
- admin
- sysadm
password: 'ZbPS.Lh6d-9E'
- name: buero - name: buero
groups: groups:
- alle - alle
@@ -452,6 +522,21 @@ samba_shares:
vfs_object_recycle: false vfs_object_recycle: false
# ---
# - This share will be written by Windows Server 2016 configured at
# - "Windows Zubehör" -> "Windows Server-Sicherung"
# ---
- name: WinServer2022-Backup
comment: WinServer2022-Backup on Fileserver
path: /data/samba/shares/WinServer2022-Backup
group_valid_users: sysadm
group_write_list: sysadm
file_create_mask: !!str 664
dir_create_mask: !!str 2775
guest_ok: !!str yes
vfs_object_recycle: false
# ============================== # ==============================

527
host_vars/file-fm.fm.netz.yml Normal file
View File

@@ -0,0 +1,527 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
network_manage_devices: True
# Should the interfaces be reloaded after config change?
network_interface_reload: False
network_interface_path: /etc/network/interfaces.d
network_interface_required_packages:
- vlan
- bridge-utils
- ifmetric
- ifupdown
- ifenslave
network_interfaces:
- device: eno1np0
# use only once per device (for the first device entry)
headline: eno1 - LAN
# auto & allow are only used for the first device entry
allow: [] # array of allow-[stanzas] eg. allow-hotplug
auto: true
family: inet
method: static
description:
address: 192.168.222.10
netmask: 24
gateway: 192.168.222.254
# optional dns settings nameservers: []
#
# nameservers:
# - 194.150.168.168 # dns.as250.net
# - 91.239.100.100 # anycast.censurfridns.dk
# search: warenform.de
#
#nameservers:
# - 192.168.222.1
#search: blkr.netz
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.222.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.132.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 192.168.222.1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- fm.netz
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/users
# ---
default_user:
- name: chris
password: $y$j9T$JPKlR6kIk7GJStSdmAQWq/$e1vJER6KL/dk1diFNtC.COw9lu2uT6ZdrUgGcNVb912
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: sysadm
user_id: 1050
group_id: 1050
group: sysadm
password: $y$j9T$UHsnOrOT5qXnAwrPCzB7A1$jnqz4CHvLEaIke3RxnresjAOS6NfcTxyDH/fbKnXTC/
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: localadmin
user_id: 1051
group_id: 1051
group: localadmin
home: /home/localadmin
password: $y$j9T$1WH8G2UkuN1jjp4QLuoeC0$dXpOnJUfMMAqAXlwN8XD0pq78r.a4UZOgt3LY4afxy/
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: back
user_id: 1060
group_id: 1060
group: back
password: $y$j9T$WmitGB98lhPLJ39Iy4YfH.$irv0LP1bB5ImQKBUr1acEif6Ed6zDu6gLQuGQd/i5s0
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd0AwTHbDBK4Dgs+IZWmtnDBjoVIogOUvkLIYvsff1y root@backup.open.de'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINj0nCdFOZm51AVCfPbZ22QROIEiboXZ7RamHvM2E9IM root@backup.warenform.de'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQMCGCyIvs5hoNDoTIkKvKmEbxLf+uCYI1vx//ZQYY root@o26-backup'
- name: borg
user_id: 1065
group_id: 1065
group: borg
home: /home/borg
password: $y$j9T$JPKlR6kIk7GJStSdmAQWq/$e1vJER6KL/dk1diFNtC.COw9lu2uT6ZdrUgGcNVb912
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd0AwTHbDBK4Dgs+IZWmtnDBjoVIogOUvkLIYvsff1y root@backup.open.de'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHUvk8+UduCcBbQO1YxXSU8SaGIl8x+TBmIFmPb9JQu8 root@gw-fm'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN0ibOee8TvYlrEzKno5J6h3ZQs79i0wPElqYvQxAymK root@file-fm'
#extra_user:
#
# - name: borg
# user_id: 1065
# group_id: 1065
# group: borg
# home: /home/borg
# password: $y$j9T$SZty9T8ZWbnyHR2S85xaG.$GhxHOKG9fKErT9s5TAehXXyZJSkNaIcXY18Rg1iMyhC
# shell: /bin/bash
# ssh_keys:
# - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
# - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd0AwTHbDBK4Dgs+IZWmtnDBjoVIogOUvkLIYvsff1y root@backup.open.de'
# - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHXrNhcgNtZykTgzcwX/L1cL8qpSyQQy75M01UpjdSmA root@file-dissens'
# - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFEm1P7Pg3Tlm02bxkropKf3CcyTCAB3YCMxPSjai2lc root@gw-dissens'
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_user_entries:
- name: "Daily Backup "
minute: "03"
hour: "00"
job: /root/crontab/backup-rborg2/rborg2.sh
- name: "Check if postfix mailservice is running. Restart service if needed."
minute: "*/11"
hour: "*"
job: /root/bin/monitoring/check_postfix.sh
- name: "Check if ntpsec is running. Restart service if needed."
minute: "*/7"
hour: "*"
job: /root/bin/monitoring/check_ntpsec_service.sh
- name: "Check if SSH service is running. Restart service if needed."
minute: "*/13"
hour: "*"
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if systemd-resolved service is running. Restart service if needed."
minute: "*/17"
hour: "*"
job: /root/bin/monitoring/check_systemd_service.sh systemd-resolved
- name: "Check Postfix E-Mail LOG file for 'fatal' errors."
minute: "*/30"
hour: "*"
job: /root/bin/postfix/check-postfix-fatal-errors.sh
- name: "Clean up Samba Trash Dirs"
minute: "02"
hour: "23"
job: /root/bin/samba/clean_samba_trash.sh
- name: "Set (group and access) Permissons for Samba shares"
minute: "14"
hour: "23"
job: /root/bin/samba/set_permissions_samba_shares.sh
cron_user_special_time_entries:
- name: "Restart DNS Cache service 'systemd-resolved'"
special_time: reboot
job: "sleep 10 ; /bin/systemctl restart systemd-resolved"
insertafter: PATH
# ---
# vars used by roles/common/tasks/users.yml
# ---
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
sudoers_file_user_aliases:
- name: MAIN_USER
entry: 'sysadm'
sudoers_file_cmnd_aliases:
- name: REBOOT
entry: '/sbin/reboot'
- name: MANAGE_SERVICE
entry: '/usr/bin/systemctl'
sudoers_file_user_privileges:
- name: MAIN_USER
entry: ALL = REBOOT
- name: MAIN_USER
entry: ALL = MANAGE_SERVICE
# - name: julius
# entry: 'ALL=(root) NOPASSWD: /sbin/reboot'
# - name: josephine
# entry: 'ALL=(root) NOPASSWD: /sbin/reboot'
# - name: sebastian
# entry: 'ALL=(root) NOPASSWD: /sbin/reboot'
# - name: julius-e
# entry: 'ALL=(root) NOPASSWD: /sbin/reboot'
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
# ---
# vars used by roles/common/tasks/ntp.yml
# ---
local_ntp_service: true
ntp_server: gw-fm.fm.netz
# ---
# vars used by roles/common/tasks/nfs.yml
# ---
nfs_server: 192.168.222.10
# Set 'fs_encrypted' to true if filesystem lives on an encrypted
# partition.
#
# NOTE !!
# Take car to increase 'fsid' in case of more than one export
#
nfs_exports:
- src: 192.168.222.10:/data/samba/shares
path: /data/samba/shares
mount_opts: users,rsize=8192,wsize=8192,hard,intr
export_opt: rw,root_squash,sync,subtree_check
export_networks:
- 192.168.222.0/24
- 10.0.222.0/24
- 10.1.222.0/24
- 192.168.63.0/24
use_fsid_option: true
# ---
# vars used by roles/common/tasks/samba-config-server.yml
# vars used by roles/common/tasks/samba-user.yml
# ---
samba_server_ip: 192.168.222.10
samba_server_cidr_prefix: 24
samba_workgroup: FM
samba_netbios_name: FILE-FM
samba_server_min_protocol: !!str NT1
samba_groups:
- name: buero
group_id: 1100
- name: projekte
group_id: 1200
- name: verwaltung
group_id: 1300
samba_user:
- name: sysadm
groups:
- buero
- projekte
- verwaltung
password: 'k6-C5.X-/YGm'
- name: chris
groups:
- buero
- projekte
- verwaltung
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
63643330373231636537366333326630333265303265653933613835656262323863363038653234
3462653135633266373439626263356636646637643035340a653466356235346663626163306363
61313164643061306433643738643563303036646334376536626531383965303036386162393832
6631333038306462610a356535633265633563633962333137326533633834636331343562633765
3631
- name: agnieszka
groups:
- buero
password: '20%4gni_eszk4-25-'
- name: anja
groups:
- buero
- projekte
- verwaltung
password: '20-4nj4.m4y3r_25?'
- name: anna
groups:
- buero
- projekte
password: '20.4n.n4-25!'
- name: barbara
groups:
- buero
- projekte
- verwaltung
password: '20.b4rb4r4-25?'
- name: dominique
groups:
- buero
- projekte
- verwaltung
password: '20/do-m1-ni1que/25?'
- name: franziska
groups:
- buero
- projekte
- verwaltung
password: '20-fr4nzisk4.25%'
- name: karina
groups:
- buero
password: '20_k4-ri-n4/25.'
- name: linda
groups:
- buero
- projekte
password: '20-l1n-d4.25%'
- name: michael
groups:
- buero
password: '20.m1cha-3l/25/'
- name: stephanie
groups:
- buero
- projekte
- verwaltung
password: '20.st3pha-ni3_25%'
base_home: /data/home
# remove_samba_users:
# - name: name1
# - name: name2
#
remove_samba_users: []
#remove_samba_users:
# - name: elenor.faellgrem
# - name: maiken.schiele
samba_shares:
- name: Buero
comment: Buero auf Fileserver
path: /data/samba/shares/Buero
group_valid_users: buero
group_write_list: buero
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_recycle: true
recycle_path: '@Recycle'
- name: Projekte
comment: Projekte auf Fileserver
path: /data/samba/shares/Projekte
group_valid_users: projekte
group_write_list: projekte
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_recycle: true
recycle_path: '@Recycle'
- name: Verwaltung
comment: Verwaltung auf Fileserver
path: /data/samba/shares/Verwaltung
group_valid_users: verwaltung
group_write_list: verwaltung
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_recycle: true
recycle_path: '@Recycle'
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.

63
host_vars/file-km.anw-km.netz.yml
View File

@@ -279,7 +279,7 @@ samba_user:
- advoware - advoware
- alle - alle
- kanzlei - kanzlei
password: '' password: 'YKQRa.M9-6rL'
- name: aphex2 - name: aphex2
groups: groups:
@@ -385,16 +385,16 @@ samba_user:
- public - public
password: 'zHfj9g3NcC' password: 'zHfj9g3NcC'
- name: gerhard # - name: gerhard
groups: # groups:
- advoware # - advoware
- alle # - alle
- aulmann # - aulmann
- howe # - howe
- stahmann # - stahmann
- traine # - traine
- public # - public
password: 'bHdhzWnTj9' # password: 'bHdhzWnTj9'
- name: ho-st1 - name: ho-st1
groups: groups:
@@ -403,13 +403,13 @@ samba_user:
- stahmann - stahmann
password: '44-Ro-440' password: '44-Ro-440'
- name: howe-staff-1 # - name: howe-staff-1
groups: # groups:
- advoware # - advoware
- alle # - alle
- aulmann # - aulmann
- howe # - howe
password: '' # password: ''
- name: irina - name: irina
groups: groups:
@@ -433,14 +433,14 @@ samba_user:
- public - public
password: 'bV3pjPtjkR' password: 'bV3pjPtjkR'
- name: laura # - name: laura
groups: # groups:
- alle # - alle
- aulmann # - aulmann
- howe # - howe
- stahmann # - stahmann
- traine # - traine
password: '99-Hamburg-990' # password: '99-Hamburg-990'
- name: lenovo3 - name: lenovo3
groups: groups:
@@ -555,11 +555,12 @@ samba_user:
base_home: /data/home base_home: /data/home
# remove_samba_users: remove_samba_users:
# - name: name1 - name: howe-staff-1
# - name: name2 - name: gerhard
# - name: laura
remove_samba_users: []
#remove_samba_users: []
#remove_samba_users: #remove_samba_users:
# - name: evren # - name: evren

18
host_vars/formbricks-nd.oopen.de.yml
View File

@@ -137,6 +137,24 @@ cron_user_entries:
# vars used by roles/common/tasks/users.yml # vars used by roles/common/tasks/users.yml
# --- # ---
extra_user:
- name: nd-admin
user_id: 1045
group_id: 1045
group: nd-admin
password: $y$j9T$1YJwHY0qdLimgtdOKlTxR1$/O9QWTpr0Y41TduR2GZ0FMCiIxFqOaXWSM9hmHRnv80
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKTjd4XFBdF/V9VdSZjy9G7nupBwaMqsrtQSP4Uctkrz org@rdsgn.de'
sudo_users:
- chris
- sysadm
- nd-admin
# --- # ---
# vars used by roles/common/tasks/users-systemfiles.yml # vars used by roles/common/tasks/users-systemfiles.yml

32
host_vars/ga-al-gw.oopen.de.yml
View File

@@ -44,6 +44,7 @@ network_interfaces:
post-up: post-up:
# - VLAN 221 (Ubiquiti UniFi Accesspoints) # - VLAN 221 (Ubiquiti UniFi Accesspoints)
- /sbin/ip link add link eth2 name eth2.221 type vlan id 221 - /sbin/ip link add link eth2 name eth2.221 type vlan id 221
- /sbin/ip link add link eth2 name eth2.231 type vlan id 231
- device: eth2:ns - device: eth2:ns
headline: eth2:ns - Alias on eth2 (Nameserver) headline: eth2:ns - Alias on eth2 (Nameserver)
@@ -81,7 +82,7 @@ network_interfaces:
- device: eth2.221 - device: eth2.221
# use only once per device (for the first device entry) # use only once per device (for the first device entry)
headline: eth2 - VLAN 221 (Ubiquiti UniFi Accesspoints) headline: eth2 - VLAN 221 (Ubiquiti UniFi Accesspoints Guest NET)
# auto & allow are only used for the first device entry # auto & allow are only used for the first device entry
allow: [] # array of allow-[stanzas] eg. allow-hotplug allow: [] # array of allow-[stanzas] eg. allow-hotplug
@@ -99,6 +100,14 @@ network_interfaces:
mtu: mtu:
scope: scope:
- device: eth2.231
headline: eth2 - VLAN 231 (Ubiquiti UniFi Accesspoints private NET)
auto: true
family: inet
method: static
address: 10.231.15.254
netmask: 20
# additional user by dhcp method # additional user by dhcp method
# #
hostname: hostname:
@@ -175,25 +184,38 @@ network_interfaces:
# User Networks Stockhausen # User Networks Stockhausen
- /sbin/ip route add 192.168.11.0/24 via 172.16.111.254 - /sbin/ip route add 192.168.11.0/24 via 172.16.111.254
- /sbin/ip route add 192.168.78.0/24 via 172.16.111.254 - /sbin/ip route add 192.168.78.0/24 via 172.16.111.254
# User Networks Campus
#- /sbin/ip route add 192.168.72.0/24 via 172.16.111.254
#- /sbin/ip route add 192.168.73.0/24 via 172.16.111.254
# User Network Novalishaus # User Network Novalishaus
- /sbin/ip route add 192.168.81.0/24 via 172.16.111.254 - /sbin/ip route add 192.168.81.0/24 via 172.16.111.254
# User Network Georgshaus
- /sbin/ip route add 192.168.85.0/24 via 172.16.111.254
# Management Network Stockhausen # Management Network Stockhausen
- /sbin/ip route add 10.10.11.0/24 via 172.16.111.254 - /sbin/ip route add 10.10.11.0/24 via 172.16.111.254
# Depreated Management Network Stokhausen # Depreated Management Network Stokhausen
- /sbin/ip route add 10.10.9.0/24 via 172.16.111.254 - /sbin/ip route add 10.10.9.0/24 via 172.16.111.254
# IPMI Stockhausen # IPMI Stockhausen
- /sbin/ip route add 10.11.11.0/24 via 172.16.111.254 - /sbin/ip route add 10.11.11.0/24 via 172.16.111.254
# WLAN Gast Novalishaus
- /sbin/ip route add 10.21.0.0/20 via 172.16.111.254
# WLAN privat Novalishaus
- /sbin/ip route add 10.31.0.0/20 via 172.16.111.254
# Management Netork Campus
#- /sbin/ip route add 10.72.1.0/24 via 172.16.111.254
# WLan Router Stockhausen # WLan Router Stockhausen
- /sbin/ip route add 10.112.1.0/24 via 172.16.111.254 - /sbin/ip route add 10.112.1.0/24 via 172.16.111.254
# WLan Netz # WLan Netz
- /sbin/ip route add 10.113.0.0/16 via 172.16.111.254 - /sbin/ip route add 10.113.0.0/16 via 172.16.111.254
# Unifi WLan Netz Stockhausen # Unifi WLan Netz Stockhausen Gast
- /sbin/ip route add 10.121.0.0/20 via 172.16.111.254 - /sbin/ip route add 10.121.0.0/20 via 172.16.111.254
# Unifi WLan Netz Stockhausen privat
- /sbin/ip route add 10.131.0.0/20 via 172.16.111.254
# Richtfunkantennen Stockhausen (2) / Schlechtenwegen / Kirschbaumhaus # Richtfunkantennen Stockhausen (2) / Schlechtenwegen / Kirschbaumhaus
- /sbin/ip route add 10.10.111.0/24 via 172.16.111.254 - /sbin/ip route add 10.10.111.0/24 via 172.16.111.254
# VPN Netz Stockhausen - Novalishaus (Schlechtenwegen) # VPN Netz Stockhausen - Novalishaus (Schlechtenwegen)
- /sbin/ip route add 10.2.81.0/24 via 172.16.111.254 - /sbin/ip route add 10.2.81.0/24 via 172.16.111.254
# VPN Home Stockhause # VPN Home Stockhausen
- /sbin/ip route add 10.0.11.0/24 via 172.16.111.254 - /sbin/ip route add 10.0.11.0/24 via 172.16.111.254
# - FritzBoxen Stockhausen # - FritzBoxen Stockhausen
- /sbin/ip route add 172.16.11.0/24 via 172.16.111.254 - /sbin/ip route add 172.16.11.0/24 via 172.16.111.254
@@ -203,6 +225,8 @@ network_interfaces:
- /sbin/ip route add 172.16.80.0/24 via 172.16.111.254 - /sbin/ip route add 172.16.80.0/24 via 172.16.111.254
# - DigitBox Novalishaus # - DigitBox Novalishaus
- /sbin/ip route add 172.16.81.0/24 via 172.16.111.254 - /sbin/ip route add 172.16.81.0/24 via 172.16.111.254
# - FritzBox georgshaus
- /sbin/ip route add 172.16.85.0/24 via 172.16.111.254
- device: eth4 - device: eth4
@@ -405,6 +429,8 @@ bind9_gateway_acl:
- '# Nameserver Gateway Novalishaus' - '# Nameserver Gateway Novalishaus'
- 192.168.81.1 - 192.168.81.1
- 10.2.11.2 - 10.2.11.2
- '# Nameserver Gateway Georgshaus'
- 192.168.85.1
- '# Nameserver wolle' - '# Nameserver wolle'
- 10.113.12.3 - 10.113.12.3
- '# Postfix Mailserver' - '# Postfix Mailserver'

394
host_vars/ga-campus-gw-temp.ga.netz.yml Normal file
View File

@@ -0,0 +1,394 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
network_manage_devices: True
# Should the interfaces be reloaded after config change?
network_interface_reload: False
network_interface_path: /etc/network/interfaces.d
network_interface_required_packages:
- vlan
- bridge-utils
- ifmetric
- ifupdown
- ifenslave
network_interfaces:
- device: eno1
headline: eno1 - Uplink DSL via (static) line to Fritz!Box 7490
auto: true
family: inet
method: static
address: 172.16.72.1
netmask: 24
gateway: 172.16.72.254
#nameservers:
# - 192.168.81.1
# - 172.16.81.254
#search: ga.netz ga.intra
- device: eno2
headline: eno2 - Uplink Lehrer-und Schülerdatenbank (LUSD)
auto: true
family: inet
method: static
address: 192.168.100.254
netmask: 24
post-up:
# Traffic zur ehrer-und Schülerdatenbank (LUSD)
- /sbin/ip route add 10.9.131.0/24 via 192.168.100.253
- device: eno3
family: inet
method: manual
post-up:
# VLAN 10 LAN 1 Campus
- /sbin/ip link add link eno3 name eno3.10 type vlan id 10
- device: eno3:ns
headline: eno3:ns - Alias on eno3 (Nameserver)
auto: true
family: inet
method: static
address: 192.168.72.1
netmask: 32
- device: eno3.10
headline: eno3.10 - LAN 1 Campus - network 192.168.72.0/24
auto: true
family: inet
method: static
address: 192.168.72.254
netmask: 24
pre-up:
- /sbin/ifconfig eno3 up
- device: eno4
family: inet
method: manual
post-up:
# VLAN 20 - LAN 2 Campus including UniFi Accesspoints
- /sbin/ip link add link eno4 name eno4.20 type vlan id 20
- device: eno4.20
headline: eno4.20 - LAN 2 Campus - network 192.168.73.0/24
auto: true
family: inet
method: static
address: 192.168.73.254
netmask: 24
pre-up:
- /sbin/ifconfig eno4 up
- device: eno6
headline: eno6 - Management Network Campus - network 10.72.1.0/24
auto: true
family: inet
method: static
address: 10.72.1.254
netmask: 24
- device: eno7
headline: eno7 - network 192.168.11.0/24 (LAN Stockhausen)
auto: true
family: inet
method: static
address: 192.168.11.72/24
gateway: 192.168.11.254
netmask: 24
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/cron.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 127.0.0.1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- campus.netz
- campus.intra
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/users.yml
# ---
insert_ssh_keypair_backup_server: false
ssh_keypair_backup_server:
- name: backup
backup_user: back
priv_key_src: root/.ssh/id_rsa.backup.oopen.de
priv_key_dest: /root/.ssh/id_rsa
pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub
pub_key_dest: /root/.ssh/id_rsa.pub
insert_keypair_backup_client: true
ssh_keypair_backup_client:
- name: backup
priv_key_src: root/.ssh/id_ed25519.oopen-server
priv_key_dest: /root/.ssh/id_ed25519
pub_key_src: root/.ssh/id_ed25519.oopen-server.pub
pub_key_dest: /root/.ssh/id_ed25519.pub
target: backup.oopen.de
default_user:
- name: chris
password: $y$j9T$rDrvWa/KInzTe601YYf9./$WjDlaItCrgX7gu4nCs481y8WLxiRaNJCC/MgFgKuzg3
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: maadmin
password: $y$j9T$LCkYWvykWzrpFxIlmSUB01$e1ROfZxXAU53UdAwZAECzED4iV4LS02Q4IPQ2fycv51
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1'
- name: wadmin
password: $6$sLWIXKTW$i/STlSS0LijkrnGR/XMbaxJsEbrRdDYgqyCqIr.muLN5towes8yHDCXsyCYDjuaBNKPHXyFpr8lclg5DOm9OF1
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'
- name: sysadm
user_id: 1050
group_id: 1050
group: sysadm
password: $y$j9T$awYUu9oRvV39ojITZOC7D1$czTh5HHIE32PXb0vl40ayAarm39txR4jaH1QzBscqfC
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'
- name: back
user_id: 1060
group_id: 1060
group: back
password: $y$j9T$wpg8hlvMpO4PAWSVdLoJq/$dgpQh4cEnbUOQkkZzKUM4S8XzNS/Md5gMmMuNTqec74
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
sudo_users:
- chris
- sysadm
- maadmin
- wadmin
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
install_bind_packages: true
bind9_gateway_acl:
- local-net:
name: local-net
entries:
- 127.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 10.0.0.0/8
- fc00::/7
- fe80::/10
- ::1/128
- internaldns:
name: internaldns
entries:
- '# Nameserver Gateway Stockhausen'
- 192.168.11.1
- '# Domain Controller Stockhausen'
- 192.168.10.3
- '# Nameserver Gateway Altenschlirf'
- 192.168.10.1
- '# Domain Controller Altenschlirf'
- 192.168.10.3
- 192.168.10.6
- 172.16.0.1
- '# Nameserver Gateway Novalishaus'
- 192.168.81.1
- 10.2.11.2
- '# Nameserver wolle'
- 10.113.12.3
- '# Postfix Mailserver'
- 192.168.11.2
- '# Mail Relay System'
- 192.168.10.2
bind9_gateway_listen_on_v6:
- none
bind9_gateway_listen_on:
- any
#bind9_gateway_allow_transfer: {}
bind9_gateway_allow_transfer:
- none
bind9_transfer_source: !!str "192.168.81.1"
bind9_notify_source: !!str "192.168.81.1"
#bind9_gateway_allow_query: {}
bind9_gateway_allow_query:
- local-net
#bind9_gateway_allow_query_cache: {}
bind9_gateway_allow_query_cache:
- local-net
bind9_gateway_recursion: !!str "yes"
#bind9_gateway_allow_recursion: {}
bind9_gateway_allow_recursion:
- local-net
# ---
# vars used by roles/common/tasks/git.yml
# ---
git_firewall_repository:
name: ipt-gateway
repo: https://git.oopen.de/firewall/ipt-gateway
dest: /usr/local/src/ipt-gateway
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.

407
host_vars/ga-gh-gw.oopen.de.yml Normal file
View File

@@ -0,0 +1,407 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
network_manage_devices: True
# Should the interfaces be reloaded after config change?
network_interface_reload: False
network_interface_path: /etc/network/interfaces.d
network_interface_required_packages:
- vlan
- bridge-utils
- ifmetric
- ifupdown
- ifenslave
network_interfaces:
- device: eno1
headline: eno1 - Uplink WiDSL via (static) line to Fritz!Box 7490
auto: true
family: inet
method: static
address: 172.16.85.1
netmask: 24
gateway: 172.16.85.254
- device: eno2
headline: eno2 - LAN
auto: true
family: inet
method: static
address: 192.168.85.254
netmask: 24
post-up:
# VLAN 321 - for Ubiquiti UniFi Accesspoints Guest NET
- /sbin/ip link add link eno2 name eno2.25 type vlan id 25
# VLAN 331 - for Ubiquiti UniFi Accesspoints private NET
- /sbin/ip link add link eno2 name eno2.35 type vlan id 35
- device: eno2.25
headline: eno2 - VLAN 25 (Ubiquiti UniFi Accesspoints Guest NET)
auto: true
family: inet
method: static
address: 10.25.15.254
netmask: 20
- device: eno2.35
headline: eno2 - VLAN 35 (Ubiquiti UniFi Accesspoints private NET)
auto: true
family: inet
method: static
address: 10.35.15.254
netmask: 20
- device: eno2:ns
headline: eno2:ns - Alias on eno2 (Nameserver)
auto: true
family: inet
method: static
address: 192.168.85.1
netmask: 32
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_user_entries:
- name: "Check if Postfix Mailservice is up and running?"
minute: "*/15"
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
- name: "Check if SSH service is up and running?"
minute: "*/15"
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if OpenVPN service is up and running?"
minute: "*/30"
hour: '*'
job: /root/bin/monitoring/check_vpn.sh
- name: "Check if nameservice (bind) is running?"
minute: '*/10'
hour: '*'
job: /root/bin/monitoring/check_dns.sh
- name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )"
minute: "0-59/2"
hour: '*'
job: /root/bin/monitoring/check_forwarding.sh
- name: "Copy gateway configuration"
minute: "09"
hour: "3"
job: /root/bin/manage-gw-config/copy_gateway-config.sh GA-NH
#cron_user_special_time_entries: []
cron_user_special_time_entries:
- name: "Check if Postfix Service is running at boot time"
special_time: reboot
job: "sleep 7 ; /root/bin/monitoring/check_postfix.sh"
insertafter: PATH
- name: "Restart Systemd's resolved at boottime."
special_time: reboot
job: "sleep 10 ; /bin/systemctl restart systemd-resolved"
insertafter: PATH
- name: "Restart NTP service 'ntpsec'"
special_time: reboot
job: "sleep 15 ; /bin/systemctl restart ntpsec"
insertafter: PATH
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 127.0.0.1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- ga.netz
- ga.intra
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/users.yml
# ---
insert_ssh_keypair_backup_server: false
ssh_keypair_backup_server:
- name: backup
backup_user: back
priv_key_src: root/.ssh/id_rsa.backup.oopen.de
priv_key_dest: /root/.ssh/id_rsa
pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub
pub_key_dest: /root/.ssh/id_rsa.pub
insert_keypair_backup_client: true
ssh_keypair_backup_client:
- name: backup
priv_key_src: root/.ssh/id_ed25519.oopen-server
priv_key_dest: /root/.ssh/id_ed25519
pub_key_src: root/.ssh/id_ed25519.oopen-server.pub
pub_key_dest: /root/.ssh/id_ed25519.pub
target: backup.oopen.de
default_user:
- name: chris
password: $y$j9T$rDrvWa/KInzTe601YYf9./$WjDlaItCrgX7gu4nCs481y8WLxiRaNJCC/MgFgKuzg3
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: maadmin
password: $y$j9T$LCkYWvykWzrpFxIlmSUB01$e1ROfZxXAU53UdAwZAECzED4iV4LS02Q4IPQ2fycv51
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1'
- name: wadmin
password: $6$sLWIXKTW$i/STlSS0LijkrnGR/XMbaxJsEbrRdDYgqyCqIr.muLN5towes8yHDCXsyCYDjuaBNKPHXyFpr8lclg5DOm9OF1
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'
- name: sysadm
user_id: 1050
group_id: 1050
group: sysadm
password: $y$j9T$awYUu9oRvV39ojITZOC7D1$czTh5HHIE32PXb0vl40ayAarm39txR4jaH1QzBscqfC
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'
- name: back
user_id: 1060
group_id: 1060
group: back
password: $y$j9T$wpg8hlvMpO4PAWSVdLoJq/$dgpQh4cEnbUOQkkZzKUM4S8XzNS/Md5gMmMuNTqec74
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
sudo_users:
- chris
- sysadm
- maadmin
- wadmin
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
install_bind_packages: true
bind9_gateway_acl:
- local-net:
name: local-net
entries:
- 127.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 10.0.0.0/8
- fc00::/7
- fe80::/10
- ::1/128
- internaldns:
name: internaldns
entries:
- '# Nameserver Gateway Stockhausen'
- 192.168.11.1
- '# Domain Controller Stockhausen'
- 192.168.10.3
- '# Nameserver Gateway Altenschlirf'
- 192.168.10.1
- '# Domain Controller Altenschlirf'
- 192.168.10.3
- 192.168.10.6
- 172.16.0.1
- '# Nameserver Gateway Novalishaus'
- 192.168.81.1
- 10.2.11.2
- '# Nameserver Gateway Georgshaus'
- 192.168.85.1
- '# Nameserver wolle'
- 10.113.12.3
- '# Postfix Mailserver'
- 192.168.11.2
- '# Mail Relay System'
- 192.168.10.2
bind9_gateway_listen_on_v6:
- none
bind9_gateway_listen_on:
- any
#bind9_gateway_allow_transfer: {}
bind9_gateway_allow_transfer:
- none
bind9_transfer_source: !!str "192.168.85.1"
bind9_notify_source: !!str "192.168.85.1"
#bind9_gateway_allow_query: {}
bind9_gateway_allow_query:
- local-net
#bind9_gateway_allow_query_cache: {}
bind9_gateway_allow_query_cache:
- local-net
bind9_gateway_recursion: !!str "yes"
#bind9_gateway_allow_recursion: {}
bind9_gateway_allow_recursion:
- local-net
# ---
# vars used by roles/common/tasks/git.yml
# ---
git_firewall_repository:
name: ipt-gateway
repo: https://git.oopen.de/firewall/ipt-gateway
dest: /usr/local/src/ipt-gateway
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.

24
host_vars/ga-nh-gw.oopen.de.yml
View File

@@ -51,6 +51,28 @@ network_interfaces:
method: static method: static
address: 192.168.81.254 address: 192.168.81.254
netmask: 24 netmask: 24
post-up:
# VLAN 321 - for Ubiquiti UniFi Accesspoints Guest NET
- /sbin/ip link add link eno5 name eno5.21 type vlan id 21
# VLAN 331 - for Ubiquiti UniFi Accesspoints private NET
- /sbin/ip link add link eno5 name eno5.31 type vlan id 31
- device: eno5.21
headline: eno5 - VLAN 321 (Ubiquiti UniFi Accesspoints Guest NET)
auto: true
family: inet
method: static
address: 10.21.15.254
netmask: 20
- device: eno5.31
headline: eno5 - VLAN 331 (Ubiquiti UniFi Accesspoints private NET)
auto: true
family: inet
method: static
address: 10.31.15.254
netmask: 20
- device: eno5:ns - device: eno5:ns
@@ -341,6 +363,8 @@ bind9_gateway_acl:
- '# Nameserver Gateway Novalishaus' - '# Nameserver Gateway Novalishaus'
- 192.168.81.1 - 192.168.81.1
- 10.2.11.2 - 10.2.11.2
- '# Nameserver Gateway Georgshaus'
- 192.168.85.1
- '# Nameserver wolle' - '# Nameserver wolle'
- 10.113.12.3 - 10.113.12.3
- '# Postfix Mailserver' - '# Postfix Mailserver'

2
host_vars/ga-st-gw-ersatz.ga.netz.yml
View File

@@ -230,6 +230,8 @@ bind9_gateway_acl:
- '# Nameserver Gateway Novalishaus' - '# Nameserver Gateway Novalishaus'
- 192.168.81.1 - 192.168.81.1
- 10.2.11.2 - 10.2.11.2
- '# Nameserver Gateway Georgshaus'
- 192.168.85.1
- '# Nameserver wolle' - '# Nameserver wolle'
- 10.113.12.3 - 10.113.12.3
- '# Postfix Mailserver' - '# Postfix Mailserver'

591
host_vars/ga-st-gw-neu.ga.netz.yml.00 Normal file
View File

@@ -0,0 +1,591 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
network_manage_devices: True
# Should the interfaces be reloaded after config change?
network_interface_reload: False
network_interface_path: /etc/network/interfaces.d
network_interface_required_packages:
- vlan
- bridge-utils
- ifmetric
- ifupdown
- ifenslave
network_interfaces:
- device: eno1np0
headline: eno1np0 - Temporary LAN network
auto: true
family: inet
method: static
address: 192.168.11.18
netmask: 24
- device: enp129s0f2
headline: enp129s0f2 - Uplink static line (radio) to Altenschlirf
auto: true
family: inet
method: static
address: 172.16.111.254
netmask: 24
up:
# - For management Antennas
- /sbin/ip link add link enp129s0f2 name enp129s0f2.111 type vlan id 111
post-up:
# - Static routes to Altenschlirf (Router Ip-Address Altenschlirf: 172.16.111.253)
# -
# - Telefon Altenshlirf
- /sbin/ip route add 172.16.210.0/24 via 172.16.111.253
# User Network Altenshlirf
- /sbin/ip route add 192.168.10.0/24 via 172.16.111.253
# Management Network Altenschlirf
- /sbin/ip route add 10.10.10.0/24 via 172.16.111.253
# WLan Router (Accesspoints) Altenshlirf
- /sbin/ip route add 10.122.1.0/24 via 172.16.111.253
# # WLan Networks Altenshlirf
- /sbin/ip route add 10.123.0.0/16 via 172.16.111.253
# DSL via Fritzbox Altenschlirf
- /sbin/ip route add 172.16.10.0/24 via 172.16.111.253
# - WLAN Gemeinschaft Altenschlirf guest NET (Unifi routet Network)
- /sbin/ip route add 10.221.0.0/20 via 172.16.111.253
# - WLAN Gemeinschaft Altenschlirf private NET (Unifi routet Network)
- /sbin/ip route add 10.231.0.0/20 via 172.16.111.253
# VPN home Network Altenschlirf
#
- /sbin/ip route add 10.0.10.0/24 via 172.16.111.253
# VPN 'gw-ckubu' Network Altenschlirf
#
- /sbin/ip route add 10.1.10.0/24 via 172.16.111.253
# private networks 'ckubu'
#
# connections from private ckubu networks ist routed through VPN Altenschlirf (gw-ckubu),
# so we route them back to that gateway..
- /sbin/ip route add 192.168.63.0/24 via 172.16.111.253
- /sbin/ip route add 192.168.64.0/24 via 172.16.111.253
- device: enp129s0f2.111
headline: enp129s0f2.111 - network 10.10.111.0 (management antennas)
auto: true
family: inet
method: static
address: 10.10.111.254
netmask: 24
- device: enp1s0f0
headline: enp1s0f0 - holds VLAN 211 device for Network Telefons Stockhausen
auto: false
family: inet
method: manual
up:
- /sbin/ip link add link enp1s0f0 name enp1s0f0.211 type vlan id 211
- device: enp1s0f0.211
headline: enp1s0f0.211 - Network Telefons Stockhausen
auto: true
family: inet
method: static
# Note:
# !! 172.16.211.254 is reserved for LANCom Router (DSL line teleefon).
# This LANCom Router IS NOT pngable !!
address: 172.16.211.1
netmask: 24
pre-up:
- /sbin/ifconfig enp1s0f0 up
- device: enp1s0f2
headline: enp1s0f2 - Uplink DSL surf2 via (static) line to Fritz!Box 7490 (formaly Zyxel 6501)
auto: true
family: inet
method: static
address: 172.16.11.1
netmask: 24
gateway: 172.16.11.254
- device: enp1s0f3
headline: enp1s0f3 - Uplink DSL surf3 via (static) line to Fritz!Box 7490
auto: true
family: inet
method: static
address: 172.16.13.1
netmask: 24
gateway: 172.16.13.254
- device: enp1s0f1
headline: enp1s0f1 - Uplink DSL surf1 via (static) line to Fritz!Box 7490 (Mailserver)
auto: true
family: inet
method: static
address: 172.16.12.1
netmask: 24
gateway: 172.16.12.254
# ----------
# Note: Install the 'ifenslave' package, necessary to enable bonding:
#
# apt-get install ifenslave
# ----------
- device: bond0
headline: bond0 - LAG (Link Aggregation) on devices enp129s0f0 and enp194s0f0
auto: true
family: inet
method: static
address: 10.1.9.254
netmask: 24
bond:
slaves: enp129s0f0 enp194s0f0
# Mode 4 (802.3ad)
#
# also possible here:
# - Mode 5: balance-tlb
# - Mode 6: balance-alb
mode: 4
miimon: 100
lacp-rate: 1
ad-select: count
downdelay: 200
updelay: 200
post-up:
# VLAN 11 for management network Stockhausen/Schloss 10.10.11.0/24
- /sbin/ip link add link bond0 name bond0.11 type vlan id 11
# VLAN 78 for network Georgshaus 192.168.78.0/24
- /sbin/ip link add link bond0 name bond0.78 type vlan id 78
- device: bond0.11
headline: bond0.11 - VLAN 11 on interface bond0 (Management Network Stockhausen)
auto: true
family: inet
method: static
address: 10.10.11.254
netmask: 24
- device: bond0.78
headline: bond0.78 - VLAN 78 on interface bond0 (Georgshaus ?)
auto: true
family: inet
method: static
address: 192.168.78.254
netmask: 24
# ----------
# Note: Install the 'ifenslave' package, necessary to enable bonding:
#
# apt-get install ifenslave
# ----------
- device: bond1
headline: bond1 - LAG (Link Aggregation) on devices enp129s0f1 and enp194s0f1 - Main Network Stockhausen
auto: true
family: inet
method: static
address: 192.168.11.254
netmask: 24
nameservers:
- 192.168.11.1
- 192.168.10.3
search: ga.netz ga.intra
bond:
slaves: enp129s0f1 enp194s0f1
# Mode 4 (802.3ad)
#
# also possible here:
# - Mode 5: balance-tlb
# - Mode 6: balance-alb
mode: 4
miimon: 100
lacp-rate: 1
ad-select: count
downdelay: 200
updelay: 200
post-up:
# VLAN 121 - for Ubiquiti UniFi Accesspoints
- /sbin/ip link add link bond1 name bond1.121 type vlan id 121
# VLAN 121 - for Ubiquiti UniFi Accesspoints Guests
- /sbin/ip link add link bond1 name bond1.131 type vlan id 131
# Route ???
- /sbin/ip route add 10.11.16.0/24 via 192.168.11.6
# Route to management network campus
- /sbin/ip route add 10.72.1.0/24 via 192.168.11.72
# Route to LAN campus
- /sbin/ip route add 192.168.72.0/24 via 192.168.11.72
# Route to WLAN campus
- /sbin/ip route add 192.168.73.0/24 via 192.168.11.72
- device: bond1.121
headline: bond1.121 - VLAN 121 on interface bond1 for Ubiquiti UniFi Accesspoints Guest NET
auto: true
family: inet
method: static
address: 10.121.15.254
netmask: 20
- device: bond1.131
headline: bond1.131 - VLAN 131 on interface bond1 for Ubiquiti UniFi Accesspoints private NET
auto: true
family: inet
method: static
address: 10.131.15.254
netmask: 20
- device: bond1:ns
headline: bond1:ns - Alias IP on bond1 device for Nameservice
auto: true
family: inet
method: static
address: 192.168.11.1
netmask: 32
- device: bond1:1
headline: bond1:1 - Alias IP on bond1 device for (depricated) Management Network
auto: true
family: inet
method: static
address: 10.10.9.254
netmask: 24
- device: bond1:ap
headline: bond1:ap - Alias IP on bond1 device for Network Accesspoints
auto: true
family: inet
method: static
address: 10.112.1.254
netmask: 24
post-up:
# - Wireless Networks routed through appropriate Accesspoints
# -
- /sbin/ip route add 10.113.1.0/24 via 10.112.1.1
- /sbin/ip route add 10.113.2.0/24 via 10.112.1.2
- /sbin/ip route add 10.113.3.0/24 via 10.112.1.3
- /sbin/ip route add 10.113.4.0/24 via 10.112.1.4
- /sbin/ip route add 10.113.5.0/24 via 10.112.1.5
- /sbin/ip route add 10.113.6.0/24 via 10.112.1.6
- /sbin/ip route add 10.113.7.0/24 via 10.112.1.7
- /sbin/ip route add 10.113.8.0/24 via 10.112.1.8
- /sbin/ip route add 10.113.9.0/24 via 10.112.1.9
- /sbin/ip route add 10.113.10.0/24 via 10.112.1.10
- /sbin/ip route add 10.113.11.0/24 via 10.112.1.11
- /sbin/ip route add 10.113.12.0/24 via 10.112.1.12
- /sbin/ip route add 10.113.13.0/24 via 10.112.1.13
- /sbin/ip route add 10.113.14.0/24 via 10.112.1.14
- /sbin/ip route add 10.113.15.0/24 via 10.112.1.15
- device: bond1:ipmi
headline: bond1:ipmi - Alias IP on bond1 for IPMI Addresses Servr Stockhausen
auto: true
family: inet
method: static
address: 10.11.11.254
netmask: 24
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 127.0.0.1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- ga.netz
- ga.intra
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 192.168.10.1
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_user_special_time_entries:
- name: "Restart NTP service 'ntpsec'"
special_time: reboot
job: "sleep 15 ; /bin/systemctl restart ntpsec"
insertafter: PATH
# ---
# vars used by roles/common/tasks/users.yml
# ---
insert_ssh_keypair_backup_server: false
ssh_keypair_backup_server:
- name: backup
backup_user: back
priv_key_src: root/.ssh/id_rsa.backup.oopen.de
priv_key_dest: /root/.ssh/id_rsa
pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub
pub_key_dest: /root/.ssh/id_rsa.pub
insert_keypair_backup_client: true
ssh_keypair_backup_client:
- name: backup
priv_key_src: root/.ssh/id_ed25519.oopen-server
priv_key_dest: /root/.ssh/id_ed25519
pub_key_src: root/.ssh/id_ed25519.oopen-server.pub
pub_key_dest: /root/.ssh/id_ed25519.pub
target: backup.oopen.de
default_user:
- name: chris
password: $y$j9T$rDrvWa/KInzTe601YYf9./$WjDlaItCrgX7gu4nCs481y8WLxiRaNJCC/MgFgKuzg3
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: maadmin
password: $y$j9T$LCkYWvykWzrpFxIlmSUB01$e1ROfZxXAU53UdAwZAECzED4iV4LS02Q4IPQ2fycv51
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1'
- name: wadmin
password: $6$sLWIXKTW$i/STlSS0LijkrnGR/XMbaxJsEbrRdDYgqyCqIr.muLN5towes8yHDCXsyCYDjuaBNKPHXyFpr8lclg5DOm9OF1
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'
- name: sysadm
user_id: 1050
group_id: 1050
group: sysadm
password: $y$j9T$awYUu9oRvV39ojITZOC7D1$czTh5HHIE32PXb0vl40ayAarm39txR4jaH1QzBscqfC
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'
- name: back
user_id: 1060
group_id: 1060
group: back
password: $y$j9T$wpg8hlvMpO4PAWSVdLoJq/$dgpQh4cEnbUOQkkZzKUM4S8XzNS/Md5gMmMuNTqec74
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
sudo_users:
- chris
- sysadm
- maadmin
- wadmin
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
install_bind_packages: true
bind9_gateway_acl:
- local-net:
name: local-net
entries:
- 127.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 10.0.0.0/8
- fc00::/7
- fe80::/10
- ::1/128
- internaldns:
name: internaldns
entries:
- '# Nameserver Gateway Stockhausen'
- 192.168.11.1
- '# Domain Controller Stockhausen'
- 192.168.10.3
- '# Nameserver Gateway Altenschlirf'
- 192.168.10.1
- '# Domain Controller Altenschlirf'
- 192.168.10.3
- 192.168.10.6
- 172.16.0.1
- '# Nameserver Gateway Novalishaus'
- 192.168.81.1
- 10.2.11.2
- '# Nameserver wolle'
- 10.113.12.3
- '# Postfix Mailserver'
- 192.168.11.2
- '# Mail Relay System'
- 192.168.10.2
bind9_gateway_listen_on_v6:
- none
bind9_gateway_listen_on:
- any
#bind9_gateway_allow_transfer: {}
bind9_gateway_allow_transfer:
- internaldns
bind9_transfer_source: !!str "192.168.11.1"
bind9_notify_source: !!str "192.168.11.1"
#bind9_gateway_allow_query: {}
bind9_gateway_allow_query:
- local-net
#bind9_gateway_allow_query_cache: {}
bind9_gateway_allow_query_cache:
- local-net
bind9_gateway_recursion: !!str "yes"
#bind9_gateway_allow_recursion: {}
bind9_gateway_allow_recursion:
- local-net
# ---
# vars used by roles/common/tasks/git.yml
# ---
git_firewall_repository:
name: ipt-gateway
repo: https://git.oopen.de/firewall/ipt-gateway
dest: /usr/local/src/ipt-gateway
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.

592
host_vars/ga-st-gw-neu.ga.netz.yml.01 Normal file
View File

@@ -0,0 +1,592 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
network_manage_devices: True
# Should the interfaces be reloaded after config change?
network_interface_reload: False
network_interface_path: /etc/network/interfaces.d
network_interface_required_packages:
- vlan
- bridge-utils
- ifmetric
- ifupdown
- ifenslave
network_interfaces:
- device: lan0
headline: lan0 - Temporary LAN network
auto: false
family: inet
method: static
address: 192.168.11.18
gateway: 192.168.11.254
netmask: 24
- device: lan4
headline: lan4 - Uplink static line (radio) to Altenschlirf
auto: true
family: inet
method: static
address: 172.16.111.254
netmask: 24
up:
# - For management Antennas
- /sbin/ip link add link lan4 name lan4.111 type vlan id 111
post-up:
# - Static routes to Altenschlirf (Router Ip-Address Altenschlirf: 172.16.111.253)
# -
# - Telefon Altenshlirf
- /sbin/ip route add 172.16.210.0/24 via 172.16.111.253
# User Network Altenshlirf
- /sbin/ip route add 192.168.10.0/24 via 172.16.111.253
# Management Network Altenschlirf
- /sbin/ip route add 10.10.10.0/24 via 172.16.111.253
# WLan Router (Accesspoints) Altenshlirf
- /sbin/ip route add 10.122.1.0/24 via 172.16.111.253
# # WLan Networks Altenshlirf
- /sbin/ip route add 10.123.0.0/16 via 172.16.111.253
# DSL via Fritzbox Altenschlirf
- /sbin/ip route add 172.16.10.0/24 via 172.16.111.253
# - WLAN Gemeinschaft Altenschlirf guest NET (Unifi routet Network)
- /sbin/ip route add 10.221.0.0/20 via 172.16.111.253
# - WLAN Gemeinschaft Altenschlirf private NET (Unifi routet Network)
- /sbin/ip route add 10.231.0.0/20 via 172.16.111.253
# VPN home Network Altenschlirf
#
- /sbin/ip route add 10.0.10.0/24 via 172.16.111.253
# VPN 'gw-ckubu' Network Altenschlirf
#
- /sbin/ip route add 10.1.10.0/24 via 172.16.111.253
# private networks 'ckubu'
#
# connections from private ckubu networks ist routed through VPN Altenschlirf (gw-ckubu),
# so we route them back to that gateway..
- /sbin/ip route add 192.168.63.0/24 via 172.16.111.253
- /sbin/ip route add 192.168.64.0/24 via 172.16.111.253
- device: lan4.111
headline: lan4.111 - network 10.10.111.0 (management antennas)
auto: true
family: inet
method: static
address: 10.10.111.254
netmask: 24
- device: lan6
headline: lan6 - holds VLAN 211 device for Network Telefons Stockhausen
auto: false
family: inet
method: manual
up:
- /sbin/ip link add link lan6 name lan6.211 type vlan id 211
- device: lan6.211
headline: lan6.211 - Network Telefons Stockhausen
auto: true
family: inet
method: static
# Note:
# !! 172.16.211.254 is reserved for LANCom Router (DSL line teleefon).
# This LANCom Router IS NOT pngable !!
address: 172.16.211.1
netmask: 24
pre-up:
- /sbin/ifconfig lan6 up
- device: lan8
headline: lan8 - Uplink DSL surf2 via (static) line to Fritz!Box 7490 (formaly Zyxel 6501)
auto: true
family: inet
method: static
address: 172.16.11.1
netmask: 24
gateway: 172.16.11.254
- device: lan9
headline: lan9 - Uplink DSL surf3 via (static) line to Fritz!Box 7490
auto: true
family: inet
method: static
address: 172.16.13.1
netmask: 24
gateway: 172.16.13.254
- device: lan7
headline: lan7 - Uplink DSL surf1 via (static) line to Fritz!Box 7490 (Mailserver)
auto: true
family: inet
method: static
address: 172.16.12.1
netmask: 24
gateway: 172.16.12.254
# ----------
# Note: Install the 'ifenslave' package, necessary to enable bonding:
#
# apt-get install ifenslave
# ----------
- device: bond0
headline: bond0 - LAG (Link Aggregation) on devices lan2 and lan10
auto: true
family: inet
method: static
address: 10.1.9.254
netmask: 24
bond:
slaves: lan2 lan10
# Mode 4 (802.3ad)
#
# also possible here:
# - Mode 5: balance-tlb
# - Mode 6: balance-alb
mode: 4
miimon: 100
lacp-rate: 1
ad-select: count
downdelay: 200
updelay: 200
post-up:
# VLAN 11 for management network Stockhausen/Schloss 10.10.11.0/24
- /sbin/ip link add link bond0 name bond0.11 type vlan id 11
# VLAN 78 for network Georgshaus 192.168.78.0/24
- /sbin/ip link add link bond0 name bond0.78 type vlan id 78
- device: bond0.11
headline: bond0.11 - VLAN 11 on interface bond0 (Management Network Stockhausen)
auto: true
family: inet
method: static
address: 10.10.11.254
netmask: 24
- device: bond0.78
headline: bond0.78 - VLAN 78 on interface bond0 (Georgshaus ?)
auto: true
family: inet
method: static
address: 192.168.78.254
netmask: 24
# ----------
# Note: Install the 'ifenslave' package, necessary to enable bonding:
#
# apt-get install ifenslave
# ----------
- device: bond1
headline: bond1 - LAG (Link Aggregation) on devices lan3 and lan11 - Main Network Stockhausen
auto: true
family: inet
method: static
address: 192.168.11.254
netmask: 24
nameservers:
- 192.168.11.1
- 192.168.10.3
search: ga.netz ga.intra
bond:
slaves: lan3 lan11
# Mode 4 (802.3ad)
#
# also possible here:
# - Mode 5: balance-tlb
# - Mode 6: balance-alb
mode: 4
miimon: 100
lacp-rate: 1
ad-select: count
downdelay: 200
updelay: 200
post-up:
# VLAN 121 - for Ubiquiti UniFi Accesspoints
- /sbin/ip link add link bond1 name bond1.121 type vlan id 121
# VLAN 121 - for Ubiquiti UniFi Accesspoints Guests
- /sbin/ip link add link bond1 name bond1.131 type vlan id 131
# Route ???
- /sbin/ip route add 10.11.16.0/24 via 192.168.11.6
# Route to management network campus
- /sbin/ip route add 10.72.1.0/24 via 192.168.11.72
# Route to LAN campus
- /sbin/ip route add 192.168.72.0/24 via 192.168.11.72
# Route to WLAN campus
- /sbin/ip route add 192.168.73.0/24 via 192.168.11.72
- device: bond1.121
headline: bond1.121 - VLAN 121 on interface bond1 for Ubiquiti UniFi Accesspoints Guest NET
auto: true
family: inet
method: static
address: 10.121.15.254
netmask: 20
- device: bond1.131
headline: bond1.131 - VLAN 131 on interface bond1 for Ubiquiti UniFi Accesspoints private NET
auto: true
family: inet
method: static
address: 10.131.15.254
netmask: 20
- device: bond1:ns
headline: bond1:ns - Alias IP on bond1 device for Nameservice
auto: true
family: inet
method: static
address: 192.168.11.1
netmask: 32
- device: bond1:1
headline: bond1:1 - Alias IP on bond1 device for (depricated) Management Network
auto: true
family: inet
method: static
address: 10.10.9.254
netmask: 24
- device: bond1:ap
headline: bond1:ap - Alias IP on bond1 device for Network Accesspoints
auto: true
family: inet
method: static
address: 10.112.1.254
netmask: 24
post-up:
# - Wireless Networks routed through appropriate Accesspoints
# -
- /sbin/ip route add 10.113.1.0/24 via 10.112.1.1
- /sbin/ip route add 10.113.2.0/24 via 10.112.1.2
- /sbin/ip route add 10.113.3.0/24 via 10.112.1.3
- /sbin/ip route add 10.113.4.0/24 via 10.112.1.4
- /sbin/ip route add 10.113.5.0/24 via 10.112.1.5
- /sbin/ip route add 10.113.6.0/24 via 10.112.1.6
- /sbin/ip route add 10.113.7.0/24 via 10.112.1.7
- /sbin/ip route add 10.113.8.0/24 via 10.112.1.8
- /sbin/ip route add 10.113.9.0/24 via 10.112.1.9
- /sbin/ip route add 10.113.10.0/24 via 10.112.1.10
- /sbin/ip route add 10.113.11.0/24 via 10.112.1.11
- /sbin/ip route add 10.113.12.0/24 via 10.112.1.12
- /sbin/ip route add 10.113.13.0/24 via 10.112.1.13
- /sbin/ip route add 10.113.14.0/24 via 10.112.1.14
- /sbin/ip route add 10.113.15.0/24 via 10.112.1.15
- device: bond1:ipmi
headline: bond1:ipmi - Alias IP on bond1 for IPMI Addresses Servr Stockhausen
auto: true
family: inet
method: static
address: 10.11.11.254
netmask: 24
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 127.0.0.1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- ga.netz
- ga.intra
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 192.168.10.1
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_user_special_time_entries:
- name: "Restart NTP service 'ntpsec'"
special_time: reboot
job: "sleep 15 ; /bin/systemctl restart ntpsec"
insertafter: PATH
# ---
# vars used by roles/common/tasks/users.yml
# ---
insert_ssh_keypair_backup_server: false
ssh_keypair_backup_server:
- name: backup
backup_user: back
priv_key_src: root/.ssh/id_rsa.backup.oopen.de
priv_key_dest: /root/.ssh/id_rsa
pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub
pub_key_dest: /root/.ssh/id_rsa.pub
insert_keypair_backup_client: true
ssh_keypair_backup_client:
- name: backup
priv_key_src: root/.ssh/id_ed25519.oopen-server
priv_key_dest: /root/.ssh/id_ed25519
pub_key_src: root/.ssh/id_ed25519.oopen-server.pub
pub_key_dest: /root/.ssh/id_ed25519.pub
target: backup.oopen.de
default_user:
- name: chris
password: $y$j9T$rDrvWa/KInzTe601YYf9./$WjDlaItCrgX7gu4nCs481y8WLxiRaNJCC/MgFgKuzg3
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: maadmin
password: $y$j9T$LCkYWvykWzrpFxIlmSUB01$e1ROfZxXAU53UdAwZAECzED4iV4LS02Q4IPQ2fycv51
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1'
- name: wadmin
password: $6$sLWIXKTW$i/STlSS0LijkrnGR/XMbaxJsEbrRdDYgqyCqIr.muLN5towes8yHDCXsyCYDjuaBNKPHXyFpr8lclg5DOm9OF1
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'
- name: sysadm
user_id: 1050
group_id: 1050
group: sysadm
password: $y$j9T$awYUu9oRvV39ojITZOC7D1$czTh5HHIE32PXb0vl40ayAarm39txR4jaH1QzBscqfC
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'
- name: back
user_id: 1060
group_id: 1060
group: back
password: $y$j9T$wpg8hlvMpO4PAWSVdLoJq/$dgpQh4cEnbUOQkkZzKUM4S8XzNS/Md5gMmMuNTqec74
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
sudo_users:
- chris
- sysadm
- maadmin
- wadmin
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
install_bind_packages: true
bind9_gateway_acl:
- local-net:
name: local-net
entries:
- 127.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 10.0.0.0/8
- fc00::/7
- fe80::/10
- ::1/128
- internaldns:
name: internaldns
entries:
- '# Nameserver Gateway Stockhausen'
- 192.168.11.1
- '# Domain Controller Stockhausen'
- 192.168.10.3
- '# Nameserver Gateway Altenschlirf'
- 192.168.10.1
- '# Domain Controller Altenschlirf'
- 192.168.10.3
- 192.168.10.6
- 172.16.0.1
- '# Nameserver Gateway Novalishaus'
- 192.168.81.1
- 10.2.11.2
- '# Nameserver wolle'
- 10.113.12.3
- '# Postfix Mailserver'
- 192.168.11.2
- '# Mail Relay System'
- 192.168.10.2
bind9_gateway_listen_on_v6:
- none
bind9_gateway_listen_on:
- any
#bind9_gateway_allow_transfer: {}
bind9_gateway_allow_transfer:
- internaldns
bind9_transfer_source: !!str "192.168.11.1"
bind9_notify_source: !!str "192.168.11.1"
#bind9_gateway_allow_query: {}
bind9_gateway_allow_query:
- local-net
#bind9_gateway_allow_query_cache: {}
bind9_gateway_allow_query_cache:
- local-net
bind9_gateway_recursion: !!str "yes"
#bind9_gateway_allow_recursion: {}
bind9_gateway_allow_recursion:
- local-net
# ---
# vars used by roles/common/tasks/git.yml
# ---
git_firewall_repository:
name: ipt-gateway
repo: https://git.oopen.de/firewall/ipt-gateway
dest: /usr/local/src/ipt-gateway
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.

118
host_vars/ga-st-gw.ga.netz.yml
View File

@@ -20,8 +20,17 @@ network_interface_required_packages:
network_interfaces: network_interfaces:
- device: eth2 - device: lan0
headline: eth2 - Uplink static line (radio) to Altenschlirf headline: lan0 - Temporary LAN network
auto: false
family: inet
method: static
address: 192.168.11.18
#gateway: 192.168.11.254
netmask: 24
- device: lan4
headline: lan4 - Uplink static line (radio) to Altenschlirf
auto: true auto: true
family: inet family: inet
method: static method: static
@@ -29,7 +38,7 @@ network_interfaces:
netmask: 24 netmask: 24
up: up:
# - For management Antennas # - For management Antennas
- /sbin/ip link add link eth2 name eth2.111 type vlan id 111 - /sbin/ip link add link lan4 name lan4.111 type vlan id 111
post-up: post-up:
# - Static routes to Altenschlirf (Router Ip-Address Altenschlirf: 172.16.111.253) # - Static routes to Altenschlirf (Router Ip-Address Altenschlirf: 172.16.111.253)
# - # -
@@ -45,11 +54,16 @@ network_interfaces:
- /sbin/ip route add 10.123.0.0/16 via 172.16.111.253 - /sbin/ip route add 10.123.0.0/16 via 172.16.111.253
# DSL via Fritzbox Altenschlirf # DSL via Fritzbox Altenschlirf
- /sbin/ip route add 172.16.10.0/24 via 172.16.111.253 - /sbin/ip route add 172.16.10.0/24 via 172.16.111.253
# - WLAN Gemeinschaft Altenschlirf (Unifi routet Network) # - WLAN Gemeinschaft Altenschlirf guest NET (Unifi routet Network)
- /sbin/ip route add 10.221.0.0/20 via 172.16.111.253 - /sbin/ip route add 10.221.0.0/20 via 172.16.111.253
# - WLAN Gemeinschaft Altenschlirf private NET (Unifi routet Network)
- /sbin/ip route add 10.231.0.0/20 via 172.16.111.253
# VPN home Network Altenschlirf # VPN home Network Altenschlirf
# #
- /sbin/ip route add 10.0.10.0/24 via 172.16.111.253 - /sbin/ip route add 10.0.10.0/24 via 172.16.111.253
# VPN 'gw-ckubu' Network Altenschlirf
#
- /sbin/ip route add 10.1.10.0/24 via 172.16.111.253
# private networks 'ckubu' # private networks 'ckubu'
# #
# connections from private ckubu networks ist routed through VPN Altenschlirf (gw-ckubu), # connections from private ckubu networks ist routed through VPN Altenschlirf (gw-ckubu),
@@ -58,8 +72,8 @@ network_interfaces:
- /sbin/ip route add 192.168.64.0/24 via 172.16.111.253 - /sbin/ip route add 192.168.64.0/24 via 172.16.111.253
- device: eth2.111 - device: lan4.111
headline: eth2.111 - network 10.10.111.0 (management antennas) headline: lan4.111 - network 10.10.111.0 (management antennas)
auto: true auto: true
family: inet family: inet
method: static method: static
@@ -67,17 +81,17 @@ network_interfaces:
netmask: 24 netmask: 24
- device: eth8 - device: lan6
headline: eth8 - holds VLAN 211 device for Network Telefons Stockhausen headline: lan6 - holds VLAN 211 device for Network Telefons Stockhausen
auto: false auto: false
family: inet family: inet
method: manual method: manual
up: up:
- /sbin/ip link add link eth8 name eth8.211 type vlan id 211 - /sbin/ip link add link lan6 name lan6.211 type vlan id 211
- device: eth8.211 - device: lan6.211
headline: eth8.211 - Network Telefons Stockhausen headline: lan6.211 - Network Telefons Stockhausen
auto: true auto: true
family: inet family: inet
method: static method: static
@@ -87,11 +101,11 @@ network_interfaces:
address: 172.16.211.1 address: 172.16.211.1
netmask: 24 netmask: 24
pre-up: pre-up:
- /sbin/ifconfig eth8 up - /sbin/ifconfig lan6 up
- device: eth9 - device: lan8
headline: eth9 - Uplink DSL surf2 via (static) line to Fritz!Box 7490 (formaly Zyxel 6501) headline: lan8 - Uplink DSL surf2 via (static) line to Fritz!Box 7490 (formaly Zyxel 6501)
auto: true auto: true
family: inet family: inet
method: static method: static
@@ -100,8 +114,8 @@ network_interfaces:
gateway: 172.16.11.254 gateway: 172.16.11.254
- device: eth10 - device: lan9
headline: eth10 - Uplink DSL surf3 via (static) line to Fritz!Box 7490 headline: lan9 - Uplink DSL surf3 via (static) line to Fritz!Box 7490
auto: true auto: true
family: inet family: inet
method: static method: static
@@ -110,8 +124,8 @@ network_interfaces:
gateway: 172.16.13.254 gateway: 172.16.13.254
- device: eth11 - device: lan7
headline: eth11 - Uplink DSL surf1 via (static) line to Fritz!Box 7490 (Mailserver) headline: lan7 - Uplink DSL surf1 via (static) line to Fritz!Box 7490 (Mailserver)
auto: true auto: true
family: inet family: inet
method: static method: static
@@ -126,14 +140,14 @@ network_interfaces:
# apt-get install ifenslave # apt-get install ifenslave
# ---------- # ----------
- device: bond0 - device: bond0
headline: bond0 - LAG (Link Aggregation) on devices eth0 and eth4 headline: bond0 - LAG (Link Aggregation) on devices lan2 and lan10
auto: true auto: true
family: inet family: inet
method: static method: static
address: 10.1.9.254 address: 10.1.9.254
netmask: 24 netmask: 24
bond: bond:
slaves: eth0 eth4 slaves: lan2 lan10
# Mode 4 (802.3ad) # Mode 4 (802.3ad)
# #
# also possible here: # also possible here:
@@ -175,8 +189,8 @@ network_interfaces:
# #
# apt-get install ifenslave # apt-get install ifenslave
# ---------- # ----------
- device: bond1 - device: sfp0
headline: bond1 - LAG (Link Aggregation) on devices eth1 and eth5 - Main Network Stockhausen headline: sfp0 - Main Network Stockhausen
auto: true auto: true
family: inet family: inet
method: static method: static
@@ -186,30 +200,36 @@ network_interfaces:
- 192.168.11.1 - 192.168.11.1
- 192.168.10.3 - 192.168.10.3
search: ga.netz ga.intra search: ga.netz ga.intra
bond: #bond:
slaves: eth1 eth5 # slaves: lan3 lan11
# Mode 4 (802.3ad) # # Mode 4 (802.3ad)
# # #
# also possible here: # # also possible here:
# - Mode 5: balance-tlb # # - Mode 5: balance-tlb
# - Mode 6: balance-alb # # - Mode 6: balance-alb
mode: 4 # mode: 4
miimon: 100 # miimon: 100
lacp-rate: 1 # lacp-rate: 1
ad-select: count # ad-select: count
downdelay: 200 # downdelay: 200
updelay: 200 # updelay: 200
post-up: post-up:
# VLAN 121 - for Ubiquiti UniFi Accesspoints # VLAN 121 - for Ubiquiti UniFi Accesspoints
- /sbin/ip link add link bond1 name bond1.121 type vlan id 121 - /sbin/ip link add link sfp0 name sfp0.121 type vlan id 121
# VLAN 121 - for Ubiquiti UniFi Accesspoints Guests # VLAN 121 - for Ubiquiti UniFi Accesspoints Guests
- /sbin/ip link add link bond1 name bond1.131 type vlan id 131 - /sbin/ip link add link sfp0 name sfp0.131 type vlan id 131
# Route ??? # Route ???
- /sbin/ip route add 10.11.16.0/24 via 192.168.11.6 - /sbin/ip route add 10.11.16.0/24 via 192.168.11.6
# Route to management network campus
- /sbin/ip route add 10.72.1.0/24 via 192.168.11.72
# Route to LAN campus
- /sbin/ip route add 192.168.72.0/24 via 192.168.11.72
# Route to WLAN campus
- /sbin/ip route add 192.168.73.0/24 via 192.168.11.72
- device: bond1.121 - device: sfp0.121
headline: bond1.121 - VLAN 121 on interface bond1 for Ubiquiti UniFi Accesspoints headline: sfp0.121 - VLAN 121 on interface sfp0 for Ubiquiti UniFi Accesspoints Guest NET
auto: true auto: true
family: inet family: inet
method: static method: static
@@ -217,8 +237,8 @@ network_interfaces:
netmask: 20 netmask: 20
- device: bond1.131 - device: sfp0.131
headline: bond1.131 - VLAN 131 on interface bond1 for Ubiquiti UniFi Accesspoints Guest Net headline: sfp0.131 - VLAN 131 on interface sfp0 for Ubiquiti UniFi Accesspoints private NET
auto: true auto: true
family: inet family: inet
method: static method: static
@@ -226,8 +246,8 @@ network_interfaces:
netmask: 20 netmask: 20
- device: bond1:ns - device: sfp0:ns
headline: bond1:ns - Alias IP on bond1 device for Nameservice headline: sfp0:ns - Alias IP on sfp0 device for Nameservice
auto: true auto: true
family: inet family: inet
method: static method: static
@@ -235,8 +255,8 @@ network_interfaces:
netmask: 32 netmask: 32
- device: bond1:1 - device: sfp0:1
headline: bond1:1 - Alias IP on bond1 device for (depricated) Management Network headline: sfp0:1 - Alias IP on sfp0 device for (depricated) Management Network
auto: true auto: true
family: inet family: inet
method: static method: static
@@ -244,8 +264,8 @@ network_interfaces:
netmask: 24 netmask: 24
- device: bond1:ap - device: sfp0:ap
headline: bond1:ap - Alias IP on bond1 device for Network Accesspoints headline: sfp0:ap - Alias IP on sfp0 device for Network Accesspoints
auto: true auto: true
family: inet family: inet
method: static method: static
@@ -271,8 +291,8 @@ network_interfaces:
- /sbin/ip route add 10.113.15.0/24 via 10.112.1.15 - /sbin/ip route add 10.113.15.0/24 via 10.112.1.15
- device: bond1:ipmi - device: sfp0:ipmi
headline: bond1:ipmi - Alias IP on bond1 for IPMI Addresses Servr Stockhausen headline: sfp0:ipmi - Alias IP on sfp0 for IPMI Addresses Servr Stockhausen
auto: true auto: true
family: inet family: inet
method: static method: static

583
host_vars/ga-st-gw.ga.netz.yml.00 Normal file
View File

@@ -0,0 +1,583 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
network_manage_devices: True
# Should the interfaces be reloaded after config change?
network_interface_reload: False
network_interface_path: /etc/network/interfaces.d
network_interface_required_packages:
- vlan
- bridge-utils
- ifmetric
- ifupdown
- ifenslave
network_interfaces:
- device: eth2
headline: eth2 - Uplink static line (radio) to Altenschlirf
auto: true
family: inet
method: static
address: 172.16.111.254
netmask: 24
up:
# - For management Antennas
- /sbin/ip link add link eth2 name eth2.111 type vlan id 111
post-up:
# - Static routes to Altenschlirf (Router Ip-Address Altenschlirf: 172.16.111.253)
# -
# - Telefon Altenshlirf
- /sbin/ip route add 172.16.210.0/24 via 172.16.111.253
# User Network Altenshlirf
- /sbin/ip route add 192.168.10.0/24 via 172.16.111.253
# Management Network Altenschlirf
- /sbin/ip route add 10.10.10.0/24 via 172.16.111.253
# WLan Router (Accesspoints) Altenshlirf
- /sbin/ip route add 10.122.1.0/24 via 172.16.111.253
# # WLan Networks Altenshlirf
- /sbin/ip route add 10.123.0.0/16 via 172.16.111.253
# DSL via Fritzbox Altenschlirf
- /sbin/ip route add 172.16.10.0/24 via 172.16.111.253
# - WLAN Gemeinschaft Altenschlirf guest NET (Unifi routet Network)
- /sbin/ip route add 10.221.0.0/20 via 172.16.111.253
# - WLAN Gemeinschaft Altenschlirf private NET (Unifi routet Network)
- /sbin/ip route add 10.231.0.0/20 via 172.16.111.253
# VPN home Network Altenschlirf
#
- /sbin/ip route add 10.0.10.0/24 via 172.16.111.253
# VPN 'gw-ckubu' Network Altenschlirf
#
- /sbin/ip route add 10.1.10.0/24 via 172.16.111.253
# private networks 'ckubu'
#
# connections from private ckubu networks ist routed through VPN Altenschlirf (gw-ckubu),
# so we route them back to that gateway..
- /sbin/ip route add 192.168.63.0/24 via 172.16.111.253
- /sbin/ip route add 192.168.64.0/24 via 172.16.111.253
- device: eth2.111
headline: eth2.111 - network 10.10.111.0 (management antennas)
auto: true
family: inet
method: static
address: 10.10.111.254
netmask: 24
- device: eth8
headline: eth8 - holds VLAN 211 device for Network Telefons Stockhausen
auto: false
family: inet
method: manual
up:
- /sbin/ip link add link eth8 name eth8.211 type vlan id 211
- device: eth8.211
headline: eth8.211 - Network Telefons Stockhausen
auto: true
family: inet
method: static
# Note:
# !! 172.16.211.254 is reserved for LANCom Router (DSL line teleefon).
# This LANCom Router IS NOT pngable !!
address: 172.16.211.1
netmask: 24
pre-up:
- /sbin/ifconfig eth8 up
- device: eth9
headline: eth9 - Uplink DSL surf2 via (static) line to Fritz!Box 7490 (formaly Zyxel 6501)
auto: true
family: inet
method: static
address: 172.16.11.1
netmask: 24
gateway: 172.16.11.254
- device: eth10
headline: eth10 - Uplink DSL surf3 via (static) line to Fritz!Box 7490
auto: true
family: inet
method: static
address: 172.16.13.1
netmask: 24
gateway: 172.16.13.254
- device: eth11
headline: eth11 - Uplink DSL surf1 via (static) line to Fritz!Box 7490 (Mailserver)
auto: true
family: inet
method: static
address: 172.16.12.1
netmask: 24
gateway: 172.16.12.254
# ----------
# Note: Install the 'ifenslave' package, necessary to enable bonding:
#
# apt-get install ifenslave
# ----------
- device: bond0
headline: bond0 - LAG (Link Aggregation) on devices eth0 and eth4
auto: true
family: inet
method: static
address: 10.1.9.254
netmask: 24
bond:
slaves: eth0 eth4
# Mode 4 (802.3ad)
#
# also possible here:
# - Mode 5: balance-tlb
# - Mode 6: balance-alb
mode: 4
miimon: 100
lacp-rate: 1
ad-select: count
downdelay: 200
updelay: 200
post-up:
# VLAN 11 for management network Stockhausen/Schloss 10.10.11.0/24
- /sbin/ip link add link bond0 name bond0.11 type vlan id 11
# VLAN 78 for network Georgshaus 192.168.78.0/24
- /sbin/ip link add link bond0 name bond0.78 type vlan id 78
- device: bond0.11
headline: bond0.11 - VLAN 11 on interface bond0 (Management Network Stockhausen)
auto: true
family: inet
method: static
address: 10.10.11.254
netmask: 24
- device: bond0.78
headline: bond0.78 - VLAN 78 on interface bond0 (Georgshaus ?)
auto: true
family: inet
method: static
address: 192.168.78.254
netmask: 24
# ----------
# Note: Install the 'ifenslave' package, necessary to enable bonding:
#
# apt-get install ifenslave
# ----------
- device: bond1
headline: bond1 - LAG (Link Aggregation) on devices eth3 and eth5 - Main Network Stockhausen
auto: true
family: inet
method: static
address: 192.168.11.254
netmask: 24
nameservers:
- 192.168.11.1
- 192.168.10.3
search: ga.netz ga.intra
bond:
slaves: eth3 eth5
# Mode 4 (802.3ad)
#
# also possible here:
# - Mode 5: balance-tlb
# - Mode 6: balance-alb
mode: 4
miimon: 100
lacp-rate: 1
ad-select: count
downdelay: 200
updelay: 200
post-up:
# VLAN 121 - for Ubiquiti UniFi Accesspoints
- /sbin/ip link add link bond1 name bond1.121 type vlan id 121
# VLAN 121 - for Ubiquiti UniFi Accesspoints Guests
- /sbin/ip link add link bond1 name bond1.131 type vlan id 131
# Route ???
- /sbin/ip route add 10.11.16.0/24 via 192.168.11.6
# Route to management network campus
- /sbin/ip route add 10.72.1.0/24 via 192.168.11.72
# Route to LAN campus
- /sbin/ip route add 192.168.72.0/24 via 192.168.11.72
# Route to WLAN campus
- /sbin/ip route add 192.168.73.0/24 via 192.168.11.72
- device: bond1.121
headline: bond1.121 - VLAN 121 on interface bond1 for Ubiquiti UniFi Accesspoints Guest NET
auto: true
family: inet
method: static
address: 10.121.15.254
netmask: 20
- device: bond1.131
headline: bond1.131 - VLAN 131 on interface bond1 for Ubiquiti UniFi Accesspoints private NET
auto: true
family: inet
method: static
address: 10.131.15.254
netmask: 20
- device: bond1:ns
headline: bond1:ns - Alias IP on bond1 device for Nameservice
auto: true
family: inet
method: static
address: 192.168.11.1
netmask: 32
- device: bond1:1
headline: bond1:1 - Alias IP on bond1 device for (depricated) Management Network
auto: true
family: inet
method: static
address: 10.10.9.254
netmask: 24
- device: bond1:ap
headline: bond1:ap - Alias IP on bond1 device for Network Accesspoints
auto: true
family: inet
method: static
address: 10.112.1.254
netmask: 24
post-up:
# - Wireless Networks routed through appropriate Accesspoints
# -
- /sbin/ip route add 10.113.1.0/24 via 10.112.1.1
- /sbin/ip route add 10.113.2.0/24 via 10.112.1.2
- /sbin/ip route add 10.113.3.0/24 via 10.112.1.3
- /sbin/ip route add 10.113.4.0/24 via 10.112.1.4
- /sbin/ip route add 10.113.5.0/24 via 10.112.1.5
- /sbin/ip route add 10.113.6.0/24 via 10.112.1.6
- /sbin/ip route add 10.113.7.0/24 via 10.112.1.7
- /sbin/ip route add 10.113.8.0/24 via 10.112.1.8
- /sbin/ip route add 10.113.9.0/24 via 10.112.1.9
- /sbin/ip route add 10.113.10.0/24 via 10.112.1.10
- /sbin/ip route add 10.113.11.0/24 via 10.112.1.11
- /sbin/ip route add 10.113.12.0/24 via 10.112.1.12
- /sbin/ip route add 10.113.13.0/24 via 10.112.1.13
- /sbin/ip route add 10.113.14.0/24 via 10.112.1.14
- /sbin/ip route add 10.113.15.0/24 via 10.112.1.15
- device: bond1:ipmi
headline: bond1:ipmi - Alias IP on bond1 for IPMI Addresses Servr Stockhausen
auto: true
family: inet
method: static
address: 10.11.11.254
netmask: 24
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 127.0.0.1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- ga.netz
- ga.intra
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 192.168.10.1
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_user_special_time_entries:
- name: "Restart NTP service 'ntpsec'"
special_time: reboot
job: "sleep 15 ; /bin/systemctl restart ntpsec"
insertafter: PATH
# ---
# vars used by roles/common/tasks/users.yml
# ---
insert_ssh_keypair_backup_server: false
ssh_keypair_backup_server:
- name: backup
backup_user: back
priv_key_src: root/.ssh/id_rsa.backup.oopen.de
priv_key_dest: /root/.ssh/id_rsa
pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub
pub_key_dest: /root/.ssh/id_rsa.pub
insert_keypair_backup_client: true
ssh_keypair_backup_client:
- name: backup
priv_key_src: root/.ssh/id_ed25519.oopen-server
priv_key_dest: /root/.ssh/id_ed25519
pub_key_src: root/.ssh/id_ed25519.oopen-server.pub
pub_key_dest: /root/.ssh/id_ed25519.pub
target: backup.oopen.de
default_user:
- name: chris
password: $y$j9T$rDrvWa/KInzTe601YYf9./$WjDlaItCrgX7gu4nCs481y8WLxiRaNJCC/MgFgKuzg3
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: maadmin
password: $y$j9T$LCkYWvykWzrpFxIlmSUB01$e1ROfZxXAU53UdAwZAECzED4iV4LS02Q4IPQ2fycv51
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1'
- name: wadmin
password: $6$sLWIXKTW$i/STlSS0LijkrnGR/XMbaxJsEbrRdDYgqyCqIr.muLN5towes8yHDCXsyCYDjuaBNKPHXyFpr8lclg5DOm9OF1
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'
- name: sysadm
user_id: 1050
group_id: 1050
group: sysadm
password: $y$j9T$awYUu9oRvV39ojITZOC7D1$czTh5HHIE32PXb0vl40ayAarm39txR4jaH1QzBscqfC
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'
- name: back
user_id: 1060
group_id: 1060
group: back
password: $y$j9T$wpg8hlvMpO4PAWSVdLoJq/$dgpQh4cEnbUOQkkZzKUM4S8XzNS/Md5gMmMuNTqec74
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
sudo_users:
- chris
- sysadm
- maadmin
- wadmin
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
install_bind_packages: true
bind9_gateway_acl:
- local-net:
name: local-net
entries:
- 127.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 10.0.0.0/8
- fc00::/7
- fe80::/10
- ::1/128
- internaldns:
name: internaldns
entries:
- '# Nameserver Gateway Stockhausen'
- 192.168.11.1
- '# Domain Controller Stockhausen'
- 192.168.10.3
- '# Nameserver Gateway Altenschlirf'
- 192.168.10.1
- '# Domain Controller Altenschlirf'
- 192.168.10.3
- 192.168.10.6
- 172.16.0.1
- '# Nameserver Gateway Novalishaus'
- 192.168.81.1
- 10.2.11.2
- '# Nameserver wolle'
- 10.113.12.3
- '# Postfix Mailserver'
- 192.168.11.2
- '# Mail Relay System'
- 192.168.10.2
bind9_gateway_listen_on_v6:
- none
bind9_gateway_listen_on:
- any
#bind9_gateway_allow_transfer: {}
bind9_gateway_allow_transfer:
- internaldns
bind9_transfer_source: !!str "192.168.11.1"
bind9_notify_source: !!str "192.168.11.1"
#bind9_gateway_allow_query: {}
bind9_gateway_allow_query:
- local-net
#bind9_gateway_allow_query_cache: {}
bind9_gateway_allow_query_cache:
- local-net
bind9_gateway_recursion: !!str "yes"
#bind9_gateway_allow_recursion: {}
bind9_gateway_allow_recursion:
- local-net
# ---
# vars used by roles/common/tasks/git.yml
# ---
git_firewall_repository:
name: ipt-gateway
repo: https://git.oopen.de/firewall/ipt-gateway
dest: /usr/local/src/ipt-gateway
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.

215
host_vars/ga-st-mm.ga.netz.yml Normal file
View File

@@ -0,0 +1,215 @@
---
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
install_compiler_pkgs: true
install_postgresql_pkgs: true
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 192.168.11.1
- 192.168.10.3
- 192.168.10.1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- ga.netz
- ga.intra
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 192.168.11.3
# ---
# vars used by roles/common/tasks/users.yml
# ---
insert_root_ssh_keypair: true
root_ssh_keypair:
- name: id-rsa-dehydrated
priv_key_src: ga-st-mail/root/.ssh/ga-st-mail-id_rsa-dehydrated
priv_key_dest: /root/.ssh/id_rsa-dehydrated
pub_key_src: ga-st-mail/root/.ssh/ga-st-mail-id_rsa-dehydrated.pub
pub_key_dest: /root/.ssh/id_rsa-dehydrated.pub
- name: id-rsa-opendkim
priv_key_src: ga-st-mail/root/.ssh/ga-st-mail-id_rsa-opendkim
priv_key_dest: /root/.ssh/id_rsa-opendkim
pub_key_src: ga-st-mail/root/.ssh/ga-st-mail-id_rsa-opendkim.pub
pub_key_dest: /root/.ssh/id_rsa-opendkim.pub
default_user:
- name: chris
password: $y$j9T$rDrvWa/KInzTe601YYf9./$WjDlaItCrgX7gu4nCs481y8WLxiRaNJCC/MgFgKuzg3
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: maadmin
password: $y$j9T$LCkYWvykWzrpFxIlmSUB01$e1ROfZxXAU53UdAwZAECzED4iV4LS02Q4IPQ2fycv51
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1'
- name: wadmin
password: $6$sLWIXKTW$i/STlSS0LijkrnGR/XMbaxJsEbrRdDYgqyCqIr.muLN5towes8yHDCXsyCYDjuaBNKPHXyFpr8lclg5DOm9OF1
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'
- name: sysadm
user_id: 1050
group_id: 1050
group: sysadm
password: $y$j9T$awYUu9oRvV39ojITZOC7D1$czTh5HHIE32PXb0vl40ayAarm39txR4jaH1QzBscqfC
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'
- name: back
user_id: 1060
group_id: 1060
group: back
password: $y$j9T$wpg8hlvMpO4PAWSVdLoJq/$dgpQh4cEnbUOQkkZzKUM4S8XzNS/Md5gMmMuNTqec74
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
sudo_users:
- chris
- sysadm
- maadmin
- wadmin
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/copy_files.yml
# ---
# ---
# vars used by roles/common/tasks/config_files_mailsystem_scripts.yml
# ---

16
host_vars/gw-akb.oopen.de.yml
View File

@@ -26,14 +26,14 @@ copy_additional_plain_files_sysctl:
# vars used by roles/common/tasks/sshd.yml # vars used by roles/common/tasks/sshd.yml
# --- # ---
sshd_hostkeyalgorithms: #sshd_hostkeyalgorithms:
- ssh-ed25519 # - ssh-ed25519
- ssh-ed25519-cert-v01@openssh.com # - ssh-ed25519-cert-v01@openssh.com
- rsa-sha2-256 # - rsa-sha2-256
- rsa-sha2-512 # - rsa-sha2-512
- ecdsa-sha2-nistp256 # - ecdsa-sha2-nistp256
- rsa-sha2-256-cert-v01@openssh.com # - rsa-sha2-256-cert-v01@openssh.com
- rsa-sha2-512-cert-v01@openssh.com # - rsa-sha2-512-cert-v01@openssh.com
# --- # ---

394
host_vars/gw-campus.oopen.de.yml Normal file
View File

@@ -0,0 +1,394 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
network_manage_devices: True
# Should the interfaces be reloaded after config change?
network_interface_reload: False
network_interface_path: /etc/network/interfaces.d
network_interface_required_packages:
- vlan
- bridge-utils
- ifmetric
- ifupdown
- ifenslave
network_interfaces:
- device: eno1
headline: eno1 - Uplink DSL via (static) line to Fritz!Box 7490
auto: true
family: inet
method: static
address: 172.16.72.1
netmask: 24
gateway: 172.16.72.254
#nameservers:
# - 192.168.81.1
# - 172.16.81.254
#search: ga.netz ga.intra
- device: eno2
headline: eno2 - Uplink Lehrer-und Schülerdatenbank (LUSD)
auto: true
family: inet
method: static
address: 192.168.100.254
netmask: 24
post-up:
# Traffic zur ehrer-und Schülerdatenbank (LUSD)
- /sbin/ip route add 10.9.131.0/24 via 192.168.100.253
- device: eno3
family: inet
method: manual
post-up:
# VLAN 10 LAN 1 Campus
- /sbin/ip link add link eno3 name eno3.10 type vlan id 10
- device: eno3:ns
headline: eno3:ns - Alias on eno3 (Nameserver)
auto: true
family: inet
method: static
address: 192.168.72.1
netmask: 32
- device: eno3.10
headline: eno3.10 - LAN 1 Campus - network 192.168.72.0/24
auto: true
family: inet
method: static
address: 192.168.72.254
netmask: 24
pre-up:
- /sbin/ifconfig eno3 up
- device: eno4
family: inet
method: manual
post-up:
# VLAN 20 - LAN 2 Campus including UniFi Accesspoints
- /sbin/ip link add link eno4 name eno4.20 type vlan id 20
- device: eno4.20
headline: eno4.20 - LAN 2 Campus - network 192.168.73.0/24
auto: true
family: inet
method: static
address: 192.168.73.254
netmask: 24
pre-up:
- /sbin/ifconfig eno4 up
- device: eno6
headline: eno6 - Management Network Campus - network 10.72.1.0/24
auto: true
family: inet
method: static
address: 10.72.1.254
netmask: 24
- device: eno7
headline: eno7 - network 192.168.11.0/24 (LAN Stockhausen)
auto: true
family: inet
method: static
address: 192.168.11.72
#gateway: 192.168.11.254
netmask: 24
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/cron.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 127.0.0.1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- campus.netz
- campus.intra
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/users.yml
# ---
insert_ssh_keypair_backup_server: false
ssh_keypair_backup_server:
- name: backup
backup_user: back
priv_key_src: root/.ssh/id_rsa.backup.oopen.de
priv_key_dest: /root/.ssh/id_rsa
pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub
pub_key_dest: /root/.ssh/id_rsa.pub
insert_keypair_backup_client: true
ssh_keypair_backup_client:
- name: backup
priv_key_src: root/.ssh/id_ed25519.oopen-server
priv_key_dest: /root/.ssh/id_ed25519
pub_key_src: root/.ssh/id_ed25519.oopen-server.pub
pub_key_dest: /root/.ssh/id_ed25519.pub
target: backup.oopen.de
default_user:
- name: chris
password: $y$j9T$rDrvWa/KInzTe601YYf9./$WjDlaItCrgX7gu4nCs481y8WLxiRaNJCC/MgFgKuzg3
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: maadmin
password: $y$j9T$LCkYWvykWzrpFxIlmSUB01$e1ROfZxXAU53UdAwZAECzED4iV4LS02Q4IPQ2fycv51
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1'
- name: wadmin
password: $6$sLWIXKTW$i/STlSS0LijkrnGR/XMbaxJsEbrRdDYgqyCqIr.muLN5towes8yHDCXsyCYDjuaBNKPHXyFpr8lclg5DOm9OF1
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'
- name: sysadm
user_id: 1050
group_id: 1050
group: sysadm
password: $y$j9T$awYUu9oRvV39ojITZOC7D1$czTh5HHIE32PXb0vl40ayAarm39txR4jaH1QzBscqfC
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHCQRRXy0+9D+mhLniRlUpZZ3kZdZcQKXBsGnlsFYaRi maadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF5GDIFA6/i6lzkr+EP/EZM9glrK0eSR0nmrEFgUJ4n8 wadmin@ga-st-lsx1'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID17MN6fUg0D1dMSgVYIBpIy+sDBBmiaHmXRXU63TXJA wadmin@ga-st-li1303'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtK8/rxHL1MKX5AHrgAzUYu0kV+1iYCmknpTQ7F0ham wadmin@wolf-debtest'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcaDFxj0pYjOv/ohFVxVY2RKvy6ACZFPX9UkrUPHkbN wadmin@wolf-x1'
- name: back
user_id: 1060
group_id: 1060
group: back
password: $y$j9T$wpg8hlvMpO4PAWSVdLoJq/$dgpQh4cEnbUOQkkZzKUM4S8XzNS/Md5gMmMuNTqec74
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
sudo_users:
- chris
- sysadm
- maadmin
- wadmin
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
install_bind_packages: true
bind9_gateway_acl:
- local-net:
name: local-net
entries:
- 127.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 10.0.0.0/8
- fc00::/7
- fe80::/10
- ::1/128
- internaldns:
name: internaldns
entries:
- '# Nameserver Gateway Stockhausen'
- 192.168.11.1
- '# Domain Controller Stockhausen'
- 192.168.10.3
- '# Nameserver Gateway Altenschlirf'
- 192.168.10.1
- '# Domain Controller Altenschlirf'
- 192.168.10.3
- 192.168.10.6
- 172.16.0.1
- '# Nameserver Gateway Novalishaus'
- 192.168.81.1
- 10.2.11.2
- '# Nameserver wolle'
- 10.113.12.3
- '# Postfix Mailserver'
- 192.168.11.2
- '# Mail Relay System'
- 192.168.10.2
bind9_gateway_listen_on_v6:
- none
bind9_gateway_listen_on:
- any
#bind9_gateway_allow_transfer: {}
bind9_gateway_allow_transfer:
- none
bind9_transfer_source: !!str "192.168.81.1"
bind9_notify_source: !!str "192.168.81.1"
#bind9_gateway_allow_query: {}
bind9_gateway_allow_query:
- local-net
#bind9_gateway_allow_query_cache: {}
bind9_gateway_allow_query_cache:
- local-net
bind9_gateway_recursion: !!str "yes"
#bind9_gateway_allow_recursion: {}
bind9_gateway_allow_recursion:
- local-net
# ---
# vars used by roles/common/tasks/git.yml
# ---
git_firewall_repository:
name: ipt-gateway
repo: https://git.oopen.de/firewall/ipt-gateway
dest: /usr/local/src/ipt-gateway
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.

47
host_vars/gw-dissens.oopen.de.yml
View File

@@ -82,6 +82,53 @@ sshd_hostkeyalgorithms:
# --- # ---
# ---
# vars used by roles/common/tasks/users
# ---
default_user:
- name: chris
password: $y$j9T$JPKlR6kIk7GJStSdmAQWq/$e1vJER6KL/dk1diFNtC.COw9lu2uT6ZdrUgGcNVb912
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: sysadm
user_id: 1050
group_id: 1050
group: sysadm
password: $y$j9T$sHxqz7NyYdn38ZegSbewO.$PPHR0n.XeMcS3AQ9KybllBT.2hxpYlQ7AiVhxHgUOX8
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: localadmin
user_id: 1051
group_id: 1051
group: localadmin
home: /home/localadmin
password: $y$j9T$1WH8G2UkuN1jjp4QLuoeC0$dXpOnJUfMMAqAXlwN8XD0pq78r.a4UZOgt3LY4afxy/
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: back
user_id: 1060
group_id: 1060
group: back
password: $y$j9T$WmitGB98lhPLJ39Iy4YfH.$irv0LP1bB5ImQKBUr1acEif6Ed6zDu6gLQuGQd/i5s0
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd0AwTHbDBK4Dgs+IZWmtnDBjoVIogOUvkLIYvsff1y root@backup.open.de'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINj0nCdFOZm51AVCfPbZ22QROIEiboXZ7RamHvM2E9IM root@backup.warenform.de'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQMCGCyIvs5hoNDoTIkKvKmEbxLf+uCYI1vx//ZQYY root@o26-backup'
# --- # ---
# vars used by roles/common/tasks/systemd-resolved.yml # vars used by roles/common/tasks/systemd-resolved.yml
# --- # ---

303
host_vars/gw-fm.oopen.de.yml Normal file
View File

@@ -0,0 +1,303 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
network_manage_devices: True
# Should the interfaces be reloaded after config change?
network_interface_reload: False
network_interface_path: /etc/network/interfaces.d
network_interface_required_packages:
- vlan
- bridge-utils
- ifmetric
- ifupdown
- ifenslave
network_interfaces:
- device: eno1
headline: eno1 - Uplink DSL via Fritz!Box
auto: true
family: inet
method: static
address: 172.16.222.1
netmask: 24
gateway: 172.16.222.254
- device: eno2
headline: eno2 - LAN
auto: true
family: inet
method: static
address: 192.168.222.254
netmask: 24
post-up:
# VLAN 13 Guest Net
- /sbin/ip link add link eno2 name eno2.13 type vlan id 13
- device: eno2:ns
headline: eno2:ns - Alias on eno2 (Nameserver)
auto: true
family: inet
method: static
address: 192.168.222.1
netmask: 32
- device: eno2.13
headline: eno2.13 - Guest Network
auto: true
family: inet
method: static
address: 192.168.223.254
netmask: 24
- device: eno2.13:ns
headline: eno2.13:ns - alias on eno2.13 (Guest Network)
auto: true
family: inet
method: static
address: 192.168.223.1
netmask: 32
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
sshd_hostkeyalgorithms:
- ssh-ed25519
- ssh-ed25519-cert-v01@openssh.com
- rsa-sha2-256
- rsa-sha2-512
- ecdsa-sha2-nistp256
- rsa-sha2-256-cert-v01@openssh.com
- rsa-sha2-512-cert-v01@openssh.com
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 127.0.0.1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- fm.netz
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 172.16.222.254
- 194.150.168.168
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_user_entries:
- name: "Check if Postfix Mailservice is up and running?"
minute: '*/15'
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
- name: "Check if SSH service is up and running?"
minute: '*/15'
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if OpenVPN service is up and running?"
minute: '*/30'
hour: '*'
job: /root/bin/monitoring/check_vpn.sh
- name: "Check if nameservice (bind) is running?"
minute: '*/10'
hour: '*'
job: /root/bin/monitoring/check_dns.sh
- name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )"
minute: '0-59/2'
hour: '*'
job: /root/bin/monitoring/check_forwarding.sh
# - name: "Speedtest"
# minute: '17'
# hour: '*0-8'
# job: /root/bin/admin-stuff/speedtest.sh
- name: "Copy gateway configuration"
minute: '09'
hour: '3'
job: /root/bin/manage-gw-config/copy_gateway-config.sh FM
cron_user_special_time_entries:
- name: "Check if Postfix Service is running at boot time"
special_time: reboot
job: "sleep 7 ; /root/bin/monitoring/check_postfix.sh"
insertafter: PATH
- name: "Restart Systemd's resolved at boottime."
special_time: reboot
job: "sleep 10 ; /bin/systemctl restart systemd-resolved"
insertafter: PATH
- name: "Restart NTP service 'ntpsec'"
special_time: reboot
job: "sleep 15 ; /bin/systemctl restart ntpsec"
insertafter: PATH
# ---
# vars used by roles/common/tasks/users.yml
# ---
insert_ssh_keypair_backup_server: false
ssh_keypair_backup_server:
- name: backup
backup_user: back
priv_key_src: root/.ssh/id_rsa.backup.oopen.de
priv_key_dest: /root/.ssh/id_rsa
pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub
pub_key_dest: /root/.ssh/id_rsa.pub
insert_keypair_backup_client: true
ssh_keypair_backup_client:
- name: backup
priv_key_src: root/.ssh/id_ed25519.oopen-server
priv_key_dest: /root/.ssh/id_ed25519
pub_key_src: root/.ssh/id_ed25519.oopen-server.pub
pub_key_dest: /root/.ssh/id_ed25519.pub
target: backup.oopen.de
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
install_bind_packages: true
# ---
# vars used by roles/common/tasks/git.yml
# ---
git_firewall_repository:
name: ipt-gateway
repo: https://git.oopen.de/firewall/ipt-gateway
dest: /usr/local/src/ipt-gateway
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.

225
host_vars/keycloak-nd.oopen.de.yml Normal file
View File

@@ -0,0 +1,225 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 185.12.64.1
- 2a01:4ff:ff00::add:2
- 185.12.64.2
- 2a01:4ff:ff00::add:1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- oopen.de
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_env_entries:
- name: PATH
job: /root/bin/admin-stuff;/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
- name: SHELL
job: /bin/bash
insertafter: PATH
cron_user_special_time_entries:
- name: "Restart DNS Cache service 'systemd-resolved'"
special_time: reboot
job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
insertafter: PATH
- name: "Check if postfix mailservice is running. Restart service if needed."
special_time: reboot
job: "sleep 10 ; /root/bin/monitoring/check_postfix.sh > /dev/null 2>&1"
insertafter: PATH
cron_user_entries:
- name: "Check if SSH service is running. Restart service if needed."
minute: '*/5'
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if Postfix Mailservice is up and running?"
minute: '*/15'
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
- name: "Check if cert for Keycloak service is up-to-date"
minute: '51'
hour: '05'
job: /root/bin/monitoring/check_cert_for_keycloak.sh
- name: "Generate/Renew Let's Encrypt Certificates if needed (using dehydrated script)"
minute: '23'
hour: '05'
job: /var/lib/dehydrated/cron/dehydrated_cron.sh
- name: "Check whether all certificates are included in the VHOST configurations"
minute: '33'
hour: '05'
job: /var/lib/dehydrated/tools/update_ssl_directives.sh
# ---
# vars used by roles/common/tasks/users.yml
# ---
extra_user:
- name: nd-admin
user_id: 1045
group_id: 1045
group: nd-admin
password: $y$j9T$1YJwHY0qdLimgtdOKlTxR1$/O9QWTpr0Y41TduR2GZ0FMCiIxFqOaXWSM9hmHRnv80
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKTjd4XFBdF/V9VdSZjy9G7nupBwaMqsrtQSP4Uctkrz org@rdsgn.de'
sudo_users:
- chris
- sysadm
- nd-admin
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
git_firewall_repository:
name: ipt-server
repo: https://git.oopen.de/firewall/ipt-server
dest: /usr/local/src/ipt-server
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.

64
host_vars/mm-irights.oopen.de.yml
View File

@@ -75,12 +75,10 @@ systemd_resolved: true
# Servername für DNS-over-TLS: dot.ffmuc.net # Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb) # für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver: resolved_nameserver:
- 213.133.98.98 - 185.12.64.2
- 2a01:4f8:0:1::add:9999 - 2a01:4ff:ff00::add:1
- 213.133.99.99 - 185.12.64.1
- 2a01:4f8:0:a111::add:9898 - 2a01:4ff:ff00::add:2
- 213.133.100.100
- 2a01:4f8:0:a0a1::add:1010
# search domains # search domains
# #
@@ -100,6 +98,60 @@ resolved_fallback_nameserver:
- 194.150.168.168 - 194.150.168.168
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_env_entries:
- name: PATH
job: /root/bin/admin-stuff;/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
- name: SHELL
job: /bin/bash
insertafter: PATH
cron_user_special_time_entries:
- name: "Restart DNS Cache service 'systemd-resolved'"
special_time: reboot
job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
insertafter: PATH
- name: "Check if postfix mailservice is running. Restart service if needed."
special_time: reboot
job: "sleep 10 ; /root/bin/monitoring/check_postfix.sh > /dev/null 2>&1"
insertafter: PATH
cron_user_entries:
- name: "Check if mattermost service ist running - Restart Service if needed."
minute: '*/6'
hour: '*'
job: /root/bin/monitoring/check_local_mattermost_service.sh
- name: "Check if SSH service is running. Restart service if needed."
minute: '*/5'
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if Postfix Mailservice is up and running?"
minute: '*/15'
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
- name: "Generate/Renew Let's Encrypt Certificates if needed (using dehydrated script)"
minute: '01'
hour: '05'
job: /var/lib/dehydrated/cron/dehydrated_cron.sh
- name: "Check whether all certificates are included in the VHOST configurations"
minute: '33'
hour: '05'
job: /var/lib/dehydrated/tools/update_ssl_directives.sh
# --- # ---
# vars used by roles/common/tasks/users.yml # vars used by roles/common/tasks/users.yml
# --- # ---

7
host_vars/mm-rav.oopen.de.yml
View File

@@ -123,11 +123,16 @@ cron_user_special_time_entries:
job: "sleep 10 ; /root/bin/monitoring/check_postfix.sh > /dev/null 2>&1" job: "sleep 10 ; /root/bin/monitoring/check_postfix.sh > /dev/null 2>&1"
insertafter: PATH insertafter: PATH
- name: "Check if mattermost service is running. Restart service if needed."
special_time: reboot
job: "sleep 10 ; /root/bin/monitoring/check_local_mattermost_service.sh > /dev/null 2>&1"
insertafter: PATH
cron_user_entries: cron_user_entries:
- name: "Check if mattermost service ist running - Restart Service if needed." - name: "Check if mattermost service ist running - Restart Service if needed."
minute: '*/6' minute: '*/16'
hour: '*' hour: '*'
job: /root/bin/monitoring/check_local_mattermost_service.sh job: /root/bin/monitoring/check_local_mattermost_service.sh

5
host_vars/o12.oopen.de.yml
View File

@@ -273,6 +273,11 @@ cron_user_entries:
hour: '*' hour: '*'
job: /root/bin/monitoring/check_ntpsec_service.sh > /dev/null 2>&1 job: /root/bin/monitoring/check_ntpsec_service.sh > /dev/null 2>&1
- name: "Check if all autostart LX-Container are running.?"
minute: '*/10'
hour: '*'
job: /root/bin/LXC/boot-autostart-lx-container.sh
# --- # ---

286
host_vars/o17.oopen.de.yml
View File

@@ -63,8 +63,6 @@ network_interfaces:
# search: warenform.de # search: warenform.de
# #
nameservers: nameservers:
- 195.201.179.131
- 95.217.204.204
search: oopen.de warenform.de search: oopen.de warenform.de
# optional additional subnets/ips subnets: [] # optional additional subnets/ips subnets: []
@@ -105,6 +103,13 @@ network_interfaces:
vlan: {} vlan: {}
# inline hook scripts # inline hook scripts
#
# example:
#
# up:
# - !!str "ip addr add 83.223.86.115/24 dev br0"
# - !!str "ip route add default via 83.223.86.1"
#
pre-up: [] # pre-up script lines pre-up: [] # pre-up script lines
up: up:
- !!str "ip addr add 83.223.85.203/24 dev br0" - !!str "ip addr add 83.223.85.203/24 dev br0"
@@ -113,6 +118,7 @@ network_interfaces:
pre-down: [] # pre-down script lines (alias for down) pre-down: [] # pre-down script lines (alias for down)
down: [] # down script lines down: [] # down script lines
post-down: [] # post-down script lines post-down: [] # post-down script lines
# --- # ---
# vars used by roles/ansible_dependencies # vars used by roles/ansible_dependencies
@@ -139,6 +145,76 @@ network_interfaces:
# --- # ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 195.201.179.131
- 95.217.204.204
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- oopen.de
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 194.150.168.168
# --- # ---
# vars used by roles/common/tasks/cron.yml # vars used by roles/common/tasks/cron.yml
# --- # ---
@@ -156,7 +232,7 @@ cron_user_special_time_entries:
- name: "Restart DNS Cache service 'systemd-resolved'" - name: "Restart DNS Cache service 'systemd-resolved'"
special_time: reboot special_time: reboot
job: "sleep 5 ; /bin/systemctl restart systemd-resolved" job: "sleep 5 ; /bin/systemctl restart systemd-resolved > /dev/null 2>&1"
insertafter: PATH insertafter: PATH
- name: "Check if postfix mailservice is running. Restart service if needed." - name: "Check if postfix mailservice is running. Restart service if needed."
@@ -250,210 +326,6 @@ git_firewall_repository:
# vars used by roles/common/tasks/samba-user.yml # vars used by roles/common/tasks/samba-user.yml
# --- # ---
samba_server_ip: 83.223.85.203
samba_server_cidr_prefix: 24
samba_workgroup: AH
samba_netbios_name: FILE-AH
samba_groups:
- name: verwaltung
group_id: 1200
- name: intern
group_id: 1210
- name: hoffmann-elberling
group_id: 1220
- name: gubitz-partner
group_id: 1230
samba_user:
- name: buero
groups:
- verwaltung
- intern
password: 'buero2011'
- name: axel
groups:
- intern
- verwaltung
- hoffmann-elberling
password: 'ah-kiel.2018'
- name: bjoern
groups:
- intern
- verwaltung
- hoffmann-elberling
password: 'bjoern2011'
- name: gubitz
groups:
- intern
- verwaltung
- gubitz-partner
password: '20gubitz12'
- name: schaar
groups:
- intern
- verwaltung
- gubitz-partner
password: '20schaar12'
- name: molkentin
groups:
- intern
- verwaltung
- gubitz-partner
password: 20molkentin12
- name: buerooben
groups:
- intern
- verwaltung
- hoffmann-elberling
password: 'buero2013'
- name: back
groups: []
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
63643330373231636537366333326630333265303265653933613835656262323863363038653234
3462653135633266373439626263356636646637643035340a653466356235346663626163306363
61313164643061306433643738643563303036646334376536626531383965303036386162393832
6631333038306462610a356535633265633563633962333137326533633834636331343562633765
3631
- name: buchholz
groups:
- buero
- intern
- verwaltung
password: '20-buch_holz-20'
- name: schmidt
groups:
- intern
- verwaltung
- gubitz-partner
password: '20-schmidt_21%'
- name: kiel-nb1
groups:
- buero
- intern
- verwaltung
- gubitz-partner
- hoffmann-elberling
password: '20-note%book1-20'
- name: kiel-nb2
groups:
- buero
- intern
- verwaltung
- gubitz-partner
- hoffmann-elberling
password: '20-note%book2-20'
- name: chris
groups:
- buero
- intern
- verwaltung
- gubitz-partner
- hoffmann-elberling
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
63643330373231636537366333326630333265303265653933613835656262323863363038653234
3462653135633266373439626263356636646637643035340a653466356235346663626163306363
61313164643061306433643738643563303036646334376536626531383965303036386162393832
6631333038306462610a356535633265633563633962333137326533633834636331343562633765
3631
base_home: /home
# remove_samba_users:
# - name: name1
# - name: name2
#
remove_samba_users: []
samba_shares:
- name: profiles-RDP
comment: Users profiles RDP
path: /data/samba/profiles-RDP
guest_ok: !!str no
browseable: !!str no
valid_users: '%S'
file_create_mask: !!str 600
dir_create_mask: !!str 700
- name: Buero
path: /data/samba/shares/Buero
group_valid_users: intern
group_write_list: intern
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_recycle: true
recycle_path: recycle
- name: Verwaltung
path: /data/samba/shares/Verwaltung
group_valid_users: verwaltung
group_write_list: verwaltung
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_recycle: true
recycle_path: recycle
- name: Scans_schnell
path: /data/samba/shares/Scans_schnell
group_valid_users: intern
group_write_list: intern
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_recycle: true
recycle_path: recycle
- name: Hoffmann-Elberling
path: /data/samba/shares/Hoffmann-Elberling
group_valid_users: hoffmann-elberling
group_write_list: hoffmann-elberling
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_recycle: true
recycle_path: recycle
- name: Gubitz-Partner
path: /data/samba/shares/Gubitz-Partner
group_valid_users: gubitz-partner
group_write_list: gubitz-partner
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_recycle: true
recycle_path: recycle
- name: Gubitz-Backup
path: /data/samba/shares/Gubitz-Backup
group_valid_users: gubitz
group_write_list: gubitz
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_recycle: true
recycle_path: recycle
- name: WinServer2016-Backup
comment: WinServer2016-Backup on Fileserver
path: /data/samba/shares/WinServer2016-Backup
group_valid_users: {}
group_write_list: {}
file_create_mask: !!str 664
dir_create_mask: !!str 2775
guest_ok: !!str yes
vfs_object_recycle: true
recycle_path: {}
- name: Advoware-Backup
comment: Advoware-Backup (only read) on Fileserver
path: /data/samba/shares/Advoware-Backup
group_valid_users: back
group_write_list: back
file_create_mask: !!str 664
dir_create_mask: !!str 2775
guest_ok: !!str yes
vfs_object_recycle: true
# ============================== # ==============================

14
host_vars/o23.oopen.de.yml
View File

@@ -24,7 +24,7 @@ network_interfaces:
- device: br0 - device: br0
# use only once per device (for the first device entry) # use only once per device (for the first device entry)
headline: br0 - bridge over device enp6s0 headline: br0 - bridge over device enp27s0
# auto & allow are only used for the first device entry # auto & allow are only used for the first device entry
allow: [] # array of allow-[stanzas] eg. allow-hotplug allow: [] # array of allow-[stanzas] eg. allow-hotplug
@@ -32,7 +32,7 @@ network_interfaces:
family: inet family: inet
method: static method: static
hwaddress: 88:d7:f6:7d:e6:ef hwaddress: 30:9c:23:63:40:b5
description: description:
address: 159.69.74.150 address: 159.69.74.150
netmask: 26 netmask: 26
@@ -63,10 +63,10 @@ network_interfaces:
# - 91.239.100.100 # anycast.censurfridns.dk # - 91.239.100.100 # anycast.censurfridns.dk
# search: warenform.de # search: warenform.de
# #
nameservers: #nameservers:
- 195.201.179.131 # - 195.201.179.131
- 95.217.204.204 # - 95.217.204.204
search: #search:
# optional additional subnets/ips subnets: [] # optional additional subnets/ips subnets: []
# subnets: # subnets:
@@ -81,7 +81,7 @@ network_interfaces:
# maxwait: # maxwait:
# waitport: # waitport:
bridge: bridge:
ports: enp6s0 # for mor devices support a blank separated list ports: enp27s0 # for mor devices support a blank separated list
stp: !!str off stp: !!str off
fd: 5 fd: 5
hello: 2 hello: 2

2
host_vars/o34.oopen.de.yml
View File

@@ -345,6 +345,8 @@ cron_user_entries:
sudoers_file_user_privileges: sudoers_file_user_privileges:
- name: back - name: back
entry: 'ALL=(www-data) NOPASSWD: /usr/local/php/bin/php' entry: 'ALL=(www-data) NOPASSWD: /usr/local/php/bin/php'
- name: www-data
entry: 'ALL=(root) NOPASSWD: /root/bin/nextcloud/add-new-account.sh'
# --- # ---

6
host_vars/o40.oopen.de.yml
View File

@@ -24,7 +24,7 @@ network_interfaces:
- device: br0 - device: br0
# use only once per device (for the first device entry) # use only once per device (for the first device entry)
headline: br0 - bridge over device enp5s0 headline: br0 - bridge over device enp6s0
# auto & allow are only used for the first device entry # auto & allow are only used for the first device entry
allow: [] # array of allow-[stanzas] eg. allow-hotplug allow: [] # array of allow-[stanzas] eg. allow-hotplug
@@ -32,7 +32,7 @@ network_interfaces:
family: inet family: inet
method: static method: static
hwaddress: 9c:6b:00:0b:fe:2f hwaddress: 9c:6b:00:08:9a:30
description: description:
address: 176.9.125.12 address: 176.9.125.12
netmask: 27 netmask: 27
@@ -76,7 +76,7 @@ network_interfaces:
# maxwait: # maxwait:
# waitport: # waitport:
bridge: bridge:
ports: enp5s0 # for mor devices support a blank separated list ports: enp6s0 # for mor devices support a blank separated list
stp: !!str off stp: !!str off
fd: 5 fd: 5
hello: 2 hello: 2

96
host_vars/o43.oopen.de.yml
View File

@@ -32,7 +32,7 @@ network_interfaces:
family: inet family: inet
method: static method: static
hwaddress: 9c:6b:00:51:bf:54 hwaddress: 9c:6b:00:2b:fe:4f
description: description:
address: 176.9.62.77 address: 176.9.62.77
netmask: 27 netmask: 27
@@ -119,6 +119,98 @@ network_interfaces:
gateway: 'fe80::1' gateway: 'fe80::1'
- device: br1
# use only once per device (for the first device entry)
headline: br1 - bridge over device enp6s0.4001
# auto & allow are only used for the first device entry
allow: [] # array of allow-[stanzas] eg. allow-hotplug
auto: true
family: inet
method: static
hwaddress: 9c:6b:00:2b:fe:50
description:
address: 172.20.1.10
netmask: 24
gateway:
metric:
pointopoint:
mtu:
scope:
# additional user by dhcp method
#
hostname:
leasehours:
leasetime:
vendor:
client:
# additional used by bootp method
#
bootfile:
server:
hwaddr:
# optional dns settings nameservers: []
#
# nameservers:
# - 194.150.168.168 # dns.as250.net
# - 91.239.100.100 # anycast.censurfridns.dk
# search: warenform.de
#
# ** MOVED TO systemd-resolved
#
nameservers:
search:
# optional bridge parameters bridge: {}
# bridge:
# ports:
# stp:
# fd:
# maxwait:
# waitport:
bridge:
ports: enp6s0.4001 # for mor devices support a blank separated list
stp: !!str off
fd: 5
hello: 2
maxage: 12
# optional bonding parameters bond: {}
# bond:
# master
# primary
# slave
# method:
# miimon:
# lacp-rate:
# ad-select-rate:
# master:
# slaves:
bond: {}
# optional vlan settings | vlan: {}
# vlan: {}
# raw-device: 'eth0'
vlan: {}
# inline hook scripts
#pre-up: [] # pre-up script lines
pre-up:
- /sbin/ip link add link enp6s0 name enp6s0.4001 type vlan id 4001
- /sbin/ip link set enp6s0.4001 mtu 1400
up: [] # up script lines
#post-up: [] # post-up script lines (alias for up)
post-up: # post-up script lines (alias for up)
- /sbin/ip route add 172.20.0.0/21 via 172.20.1.1
pre-down: [] # pre-down script lines (alias for down)
down: [] # down script lines
post-down: [] # post-down script lines
# --- # ---
# vars used by roles/ansible_dependencies # vars used by roles/ansible_dependencies
# --- # ---
@@ -249,7 +341,7 @@ cron_user_special_time_entries:
- name: "Restart NTP service 'ntpsec'" - name: "Restart NTP service 'ntpsec'"
special_time: reboot special_time: reboot
job: "sleep 2 ; /bin/systemctl restart ntpsec" job: "sleep 2 ; /bin/systemctl restart ntpsec > /dev/null 2>&1"
insertafter: PATH insertafter: PATH

18
host_vars/prometheus-nd.oopen.de.yml
View File

@@ -147,6 +147,24 @@ cron_user_entries:
# vars used by roles/common/tasks/users.yml # vars used by roles/common/tasks/users.yml
# --- # ---
extra_user:
- name: nd-admin
user_id: 1045
group_id: 1045
group: nd-admin
password: $y$j9T$1YJwHY0qdLimgtdOKlTxR1$/O9QWTpr0Y41TduR2GZ0FMCiIxFqOaXWSM9hmHRnv80
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKTjd4XFBdF/V9VdSZjy9G7nupBwaMqsrtQSP4Uctkrz org@rdsgn.de'
sudo_users:
- chris
- sysadm
- nd-admin
# --- # ---
# vars used by roles/common/tasks/users-systemfiles.yml # vars used by roles/common/tasks/users-systemfiles.yml

5
host_vars/server28.warenform.de.yml
View File

@@ -235,11 +235,6 @@ cron_env_entries:
cron_user_special_time_entries: cron_user_special_time_entries:
- name: "Restart NTP service 'ntpsec'"
special_time: reboot
job: "sleep 2 ; /bin/systemctl restart ntpsec"
insertafter: PATH
- name: "Restart DNS Cache service 'systemd-resolved'" - name: "Restart DNS Cache service 'systemd-resolved'"
special_time: reboot special_time: reboot
job: "sleep 5 ; /bin/systemctl restart systemd-resolved" job: "sleep 5 ; /bin/systemctl restart systemd-resolved"

34
host_vars/zapata.opp.netz.yml
View File

@@ -161,6 +161,20 @@ cron_user_special_time_entries:
# vars used by roles/common/tasks/users.yml # vars used by roles/common/tasks/users.yml
# --- # ---
extra_user:
- name: caracola
user_id: 1075
group_id: 1075
group: carola
# hS-a-6UC5.spCgNS
password: $y$j9T$TKCuCPZsnS.g3M8sPPFvo0$lxoGMooCH.Jyo5tXYEVAXNAlDV73Cj2haNFnrhjmAo6
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMnap6I+g8xQvSZReP3CjwQ+O7okDhgCkrHaUCveOH8I marcus@caracola'
# --- # ---
# vars used by roles/common/tasks/users-systemfiles.yml # vars used by roles/common/tasks/users-systemfiles.yml
@@ -203,6 +217,8 @@ samba_netbios_name: ZAPATA
samba_server_min_protocol: !!str NT1 samba_server_min_protocol: !!str NT1
samba_allow_insecure_wide_links: !!str yes
samba_groups: samba_groups:
- name: buero - name: buero
group_id: 1100 group_id: 1100
@@ -258,6 +274,12 @@ samba_user:
6631333038306462610a356535633265633563633962333137326533633834636331343562633765 6631333038306462610a356535633265633563633962333137326533633834636331343562633765
3631 3631
- name: carlotta
groups:
- buero
- beratung
password: '20_car-lotta.25%'
- name: cristina - name: cristina
groups: groups:
- buero - buero
@@ -275,6 +297,12 @@ samba_user:
- buero - buero
password: '20-printer-18' password: '20-printer-18'
- name: hanna
groups:
- buero
- beratung
password: '6UR9+#anna-25'
- name: hannes - name: hannes
groups: groups:
- buero - buero
@@ -384,6 +412,7 @@ samba_user:
groups: groups:
- buero - buero
- beratung - beratung
- verwaltung
password: '20_simon_18!' password: '20_simon_18!'
- name: ute - name: ute
@@ -411,6 +440,7 @@ samba_shares:
group_write_list: buero group_write_list: buero
file_create_mask: !!str 660 file_create_mask: !!str 660
dir_create_mask: !!str 2770 dir_create_mask: !!str 2770
wide_links: !!str yes
vfs_object_recycle: true vfs_object_recycle: true
recycle_path: '@Recycle' recycle_path: '@Recycle'
@@ -439,8 +469,8 @@ samba_shares:
path: /data/backup path: /data/backup
browseable: !!str yes browseable: !!str yes
read_only: !!str yes read_only: !!str yes
writeable: !!str no writeable: !!str no
guest_ok: !!str no guest_ok: !!str no
file_create_mask: !!str 0664 file_create_mask: !!str 0664
dir_create_mask: !!str 0755 dir_create_mask: !!str 0755
vfs_object_recycle: false vfs_object_recycle: false

102
hosts
View File

@@ -16,6 +16,7 @@ rage.so36.net ansible_user=ckubu
[no_ipt_firewall] [no_ipt_firewall]
lxc-host-kb.anw-kb.netz lxc-host-kb.anw-kb.netz
o13-git.oopen.de
o13-staging-board.oopen.de o13-staging-board.oopen.de
o25.oopen.de o25.oopen.de
o33.oopen.de o33.oopen.de
@@ -25,6 +26,7 @@ discourse.oopen.de
test-nd.oopen.de test-nd.oopen.de
formbricks-nd.oopen.de formbricks-nd.oopen.de
ga-st-mm.ga.netz
[dns_sinma] [dns_sinma]
@@ -40,8 +42,8 @@ gw-ah.oopen.de
gw-ak.oopen.de gw-ak.oopen.de
gw-akb.oopen.de gw-akb.oopen.de
gw-dissens.oopen.de gw-dissens.oopen.de
gw-dissens.oopen.de
gw-ebs.oopen.de gw-ebs.oopen.de
gw-fm.oopen.de
gw-elster.oopen.de gw-elster.oopen.de
gw-fhxb.oopen.de gw-fhxb.oopen.de
gw-ckubu.local.netz gw-ckubu.local.netz
@@ -58,7 +60,9 @@ gw-kb.oopen.de
bbb-server.b3-bornim.netz bbb-server.b3-bornim.netz
file-ah.kanzlei-kiel.netz file-ah.kanzlei-kiel.netz
file-ah-neu.kanzlei-kiel.netz
file-ebs.ebs.netz file-ebs.ebs.netz
file-fm.fm.netz
file-fhxb.fhxb.netz file-fhxb.fhxb.netz
file-km.anw-km.netz file-km.anw-km.netz
file-kb.anw-kb.netz file-kb.anw-kb.netz
@@ -75,10 +79,14 @@ at-10-neu.ak.netz
ga-st-gw-ersatz.ga.netz ga-st-gw-ersatz.ga.netz
ga-st-gw.ga.netz ga-st-gw.ga.netz
ga-st-gw-neu.ga.netz
ga-al-gw.oopen.de ga-al-gw.oopen.de
ga-nh-gw.oopen.de ga-nh-gw.oopen.de
ga-gh-gw.oopen.de
gw-campus.oopen.de
ga-st-lxc1.ga.netz ga-st-lxc1.ga.netz
ga-st-mail.ga.netz ga-st-mail.ga.netz
ga-st-mm.ga.netz
ga-al-relay.ga.netz ga-al-relay.ga.netz
ga-st-kvm1.ga.netz ga-st-kvm1.ga.netz
ga-al-kvm2.ga.netz ga-al-kvm2.ga.netz
@@ -137,6 +145,9 @@ o13-web.oopen.de
# Freiheit für daniela # Freiheit für daniela
o14.oopen.de o14.oopen.de
# VBRG - Opferhilfefonds
o15.oopen.de
o17.oopen.de o17.oopen.de
test.mx.oopen.de test.mx.oopen.de
@@ -170,7 +181,6 @@ o24.oopen.de
cl-irights.oopen.de cl-irights.oopen.de
cl-irights-neu.oopen.de cl-irights-neu.oopen.de
mm-irights.oopen.de mm-irights.oopen.de
mm-irights-migration.oopen.de
# IL - PAD # IL - PAD
o25.oopen.de o25.oopen.de
@@ -200,9 +210,6 @@ o31.oopen.de
mail.cadus.org mail.cadus.org
web.cadus.org web.cadus.org
# etventure
o32.oopen.de
# BigBlueButton - O.OPEN # BigBlueButton - O.OPEN
o33.oopen.de o33.oopen.de
@@ -249,9 +256,6 @@ cp-flr.oopen.de
# Kotti-Coop e.V. # Kotti-Coop e.V.
o41.oopen.de o41.oopen.de
# AgR - Shop
shop-dev.aufstehen-gegen-rassismus.de
# RAV # RAV
o42.oopen.de o42.oopen.de
mm-rav.oopen.de mm-rav.oopen.de
@@ -259,6 +263,7 @@ mm-rav.oopen.de
# ND - prometheus, web # ND - prometheus, web
o43.oopen.de o43.oopen.de
formbricks-nd.oopen.de formbricks-nd.oopen.de
keycloak-nd.oopen.de
prometheus-nd.oopen.de prometheus-nd.oopen.de
web-nd.oopen.de web-nd.oopen.de
test-nd.oopen.de test-nd.oopen.de
@@ -338,6 +343,9 @@ o13-git.oopen.de
# Freiheit für daniela # Freiheit für daniela
o14.oopen.de o14.oopen.de
# VBRG - Opferhilfefonds
o15.oopen.de
o17.oopen.de o17.oopen.de
test.mx.oopen.de test.mx.oopen.de
test.mariadb.oopen.de test.mariadb.oopen.de
@@ -375,8 +383,7 @@ mm-migration.oopen.de
o24.oopen.de o24.oopen.de
cl-irights.oopen.de cl-irights.oopen.de
cl-irights-neu.oopen.de cl-irights-neu.oopen.de
mm-irights.oopen.de ga-st-mm.ga.netz
mm-irights-migration.oopen.de
# IL - PAD # IL - PAD
o25.oopen.de o25.oopen.de
@@ -406,9 +413,6 @@ o31.oopen.de
mail.cadus.org mail.cadus.org
web.cadus.org web.cadus.org
# etventure
o32.oopen.de
# BigBlueButton - O.OPEN # BigBlueButton - O.OPEN
o33.oopen.de o33.oopen.de
@@ -456,9 +460,6 @@ cp-flr.oopen.de
o41.oopen.de o41.oopen.de
g.mx.oopen.de g.mx.oopen.de
# AgR - Shop
shop-dev.aufstehen-gegen-rassismus.de
# RAV # RAV
o42.oopen.de o42.oopen.de
mm-rav.oopen.de mm-rav.oopen.de
@@ -466,6 +467,7 @@ mm-rav.oopen.de
# ND - prometheus, web # ND - prometheus, web
o43.oopen.de o43.oopen.de
formbricks-nd.oopen.de formbricks-nd.oopen.de
keycloak-nd.oopen.de
prometheus-nd.oopen.de prometheus-nd.oopen.de
web-nd.oopen.de web-nd.oopen.de
test-nd.oopen.de test-nd.oopen.de
@@ -528,12 +530,18 @@ file-dissens.dissens.netz
gw-ebs.oopen.de gw-ebs.oopen.de
file-ebs.ebs.netz file-ebs.ebs.netz
# Faire Mobilitaet
gw-fm.oopen.de
file-fm.fm.netz
# Kanzlei Elster Jena # Kanzlei Elster Jena
gw-elster.oopen.de gw-elster.oopen.de
# - Kanzlei Kiel # - Kanzlei Kiel
gw-ah.oopen.de gw-ah.oopen.de
file-ah.kanzlei-kiel.netz file-ah.kanzlei-kiel.netz
file-ah-neu.kanzlei-kiel.netz
# Kanzlei Kreuzbergstraße # Kanzlei Kreuzbergstraße
gw-kb.oopen.de gw-kb.oopen.de
@@ -554,11 +562,15 @@ gw-d11.oopen.de
# - GA - Gemeinschaft Altensclirf # - GA - Gemeinschaft Altensclirf
ga-st-gw-ersatz.ga.netz ga-st-gw-ersatz.ga.netz
ga-st-gw.ga.netz ga-st-gw.ga.netz
ga-st-gw-neu.ga.netz
ga-al-gw.oopen.de ga-al-gw.oopen.de
ga-nh-gw.oopen.de ga-nh-gw.oopen.de
ga-gh-gw.oopen.de
gw-campus.oopen.de
ga-st-lxc1.ga.netz ga-st-lxc1.ga.netz
ga-st-mail.ga.netz ga-st-mail.ga.netz
ga-st-mm.ga.netz
ga-al-relay.ga.netz ga-al-relay.ga.netz
ga-st-services.ga.netz ga-st-services.ga.netz
ga-al-ws1.ga.netz ga-al-ws1.ga.netz
@@ -775,7 +787,6 @@ verdi-es.warenform.de
devel-php.wf.netz devel-php.wf.netz
devel-todo.wf.netz devel-todo.wf.netz
devel-repos.wf.netz
devel-wiki.wf.netz devel-wiki.wf.netz
devel-ruby.wf.netz devel-ruby.wf.netz
@@ -842,16 +853,13 @@ mm-migration.oopen.de
# o24.oopen.de # o24.oopen.de
mm-irights.oopen.de mm-irights.oopen.de
mm-irights-migration.oopen.de ga-st-mm.ga.netz
# Hetzner Cloud CX31 - AK # Hetzner Cloud CX31 - AK
# o29.oopen.de . Dissens # o29.oopen.de . Dissens
cl-dissens.oopen.de cl-dissens.oopen.de
# etventure
o32.oopen.de
# Nextcloud / DokuWiki VBER # Nextcloud / DokuWiki VBER
o34.oopen.de o34.oopen.de
@@ -879,11 +887,13 @@ cp-flr.oopen.de
mm-rav.oopen.de mm-rav.oopen.de
# o43 - ND prometheus, web # o43 - ND prometheus, web
keycloak-nd.oopen.de
prometheus-nd.oopen.de prometheus-nd.oopen.de
web-nd.oopen.de web-nd.oopen.de
# GA - Gemeinschaft Altensclirf # GA - Gemeinschaft Altensclirf
ga-st-services.ga.netz ga-st-services.ga.netz
ga-st-mm.ga.netz
# --- # ---
# Warenform server # Warenform server
@@ -892,6 +902,11 @@ ga-st-services.ga.netz
# server22 # server22
nd.warenform.de nd.warenform.de
# ---
# - Warenform Office
# ---
devel-repos.wf.netz
[mail_server] [mail_server]
@@ -972,7 +987,7 @@ mm-migration.oopen.de
# o24.oopen.de # o24.oopen.de
mm-irights.oopen.de mm-irights.oopen.de
mm-irights-migration.oopen.de ga-st-mm.ga.netz
# o27.oopen.de # o27.oopen.de
mail.faire-mobilitaet.de mail.faire-mobilitaet.de
@@ -997,6 +1012,7 @@ g.mx.oopen.de
# - GA - Gemeinschaft Altensclirf # - GA - Gemeinschaft Altensclirf
ga-st-mail.ga.netz ga-st-mail.ga.netz
ga-st-mm.ga.netz
ga-al-relay.ga.netz ga-al-relay.ga.netz
# --- # ---
@@ -1016,6 +1032,7 @@ verdi-django.warenform.de
mm-rav.oopen.de mm-rav.oopen.de
# o43 - ND app # o43 - ND app
keycloak-nd.oopen.de
prometheus-nd.oopen.de prometheus-nd.oopen.de
@@ -1066,7 +1083,7 @@ mm-migration.oopen.de
cl-irights.oopen.de cl-irights.oopen.de
cl-irights-neu.oopen.de cl-irights-neu.oopen.de
mm-irights.oopen.de mm-irights.oopen.de
mm-irights-migration.oopen.de ga-st-mm.ga.netz
# Hetzner Cloud CX31 - AK # Hetzner Cloud CX31 - AK
@@ -1087,9 +1104,6 @@ cloud.akweb.de
web.cadus.org web.cadus.org
mail.cadus.org mail.cadus.org
# etventure
o32.oopen.de
# Nextcloud / DokuWiki VBER # Nextcloud / DokuWiki VBER
o34.oopen.de o34.oopen.de
@@ -1336,7 +1350,9 @@ o17.oopen.de
at-10-neu.ak.netz at-10-neu.ak.netz
bbb-server.b3-bornim.netz bbb-server.b3-bornim.netz
file-ah.kanzlei-kiel.netz file-ah.kanzlei-kiel.netz
file-ah-neu.kanzlei-kiel.netz
file-ebs.ebs.netz file-ebs.ebs.netz
file-fm.fm.netz
file-fhxb.fhxb.netz file-fhxb.fhxb.netz
file-km.anw-km.netz file-km.anw-km.netz
file-kb.anw-kb.netz file-kb.anw-kb.netz
@@ -1351,7 +1367,9 @@ zapata.opp.netz
file-blkr.blkr.netz file-blkr.blkr.netz
file-dissens.dissens.netz file-dissens.dissens.netz
file-ah.kanzlei-kiel.netz file-ah.kanzlei-kiel.netz
file-ah-neu.kanzlei-kiel.netz
file-ebs.ebs.netz file-ebs.ebs.netz
file-fm.fm.netz
file-fhxb.fhxb.netz file-fhxb.fhxb.netz
@@ -1405,9 +1423,6 @@ ga-al-kvm3.ga.netz
# Kotti-Coop e.V. # Kotti-Coop e.V.
o41.oopen.de o41.oopen.de
# AgR - Shop
shop-dev.aufstehen-gegen-rassismus.de
# o43 - ND App # o43 - ND App
formbricks-nd.oopen.de formbricks-nd.oopen.de
test-nd.oopen.de test-nd.oopen.de
@@ -1437,7 +1452,6 @@ o27.oopen.de
o29.oopen.de o29.oopen.de
o30.oopen.de o30.oopen.de
o31.oopen.de o31.oopen.de
o32.oopen.de
o34.oopen.de o34.oopen.de
o35.oopen.de o35.oopen.de
o36.oopen.de o36.oopen.de
@@ -1461,6 +1475,7 @@ lxc-host-kb.anw-kb.netz
bbb-server.b3-bornim.netz bbb-server.b3-bornim.netz
file-ah.kanzlei-kiel.netz file-ah.kanzlei-kiel.netz
file-ah-neu.kanzlei-kiel.netz
file-km.anw-km.netz file-km.anw-km.netz
file-kb.anw-kb.netz file-kb.anw-kb.netz
file-blkr.blkr.netz file-blkr.blkr.netz
@@ -1545,7 +1560,7 @@ mm-migration.oopen.de
cl-irights.oopen.de cl-irights.oopen.de
cl-irights-neu.oopen.de cl-irights-neu.oopen.de
mm-irights.oopen.de mm-irights.oopen.de
mm-irights-migration.oopen.de ga-st-mm.ga.netz
# - o27.oopen.de # - o27.oopen.de
cl-fm.oopen.de cl-fm.oopen.de
@@ -1560,9 +1575,6 @@ cl-dissens.oopen.de
meet.akweb.de meet.akweb.de
cloud.akweb.de cloud.akweb.de
# etventure
o32.oopen.de
# BigBlueButton - O.OPEN # BigBlueButton - O.OPEN
o33.oopen.de o33.oopen.de
@@ -1606,6 +1618,7 @@ cp-flr.oopen.de
mm-rav.oopen.de mm-rav.oopen.de
# o43 - ND # o43 - ND
keycloak-nd.oopen.de
prometheus-nd.oopen.de prometheus-nd.oopen.de
web-nd.oopen.de web-nd.oopen.de
test-nd.oopen.de test-nd.oopen.de
@@ -1617,7 +1630,9 @@ test-nd.oopen.de
at-10-neu.ak.netz at-10-neu.ak.netz
bbb-server.b3-bornim.netz bbb-server.b3-bornim.netz
file-ah.kanzlei-kiel.netz file-ah.kanzlei-kiel.netz
file-ah-neu.kanzlei-kiel.netz
file-ebs.ebs.netz file-ebs.ebs.netz
file-fm.fm.netz
file-fhxb.fhxb.netz file-fhxb.fhxb.netz
file-km.anw-km.netz file-km.anw-km.netz
file-kb.anw-kb.netz file-kb.anw-kb.netz
@@ -1628,6 +1643,7 @@ zapata.opp.netz
# - GA - Gemeinschaft Altensclirf # - GA - Gemeinschaft Altensclirf
ga-st-mail.ga.netz ga-st-mail.ga.netz
ga-st-mm.ga.netz
ga-al-relay.ga.netz ga-al-relay.ga.netz
ga-st-services.ga.netz ga-st-services.ga.netz
@@ -1748,7 +1764,6 @@ o24.oopen.de
cl-irights.oopen.de cl-irights.oopen.de
cl-irights-neu.oopen.de cl-irights-neu.oopen.de
mm-irights.oopen.de mm-irights.oopen.de
mm-irights-migration.oopen.de
# IL - PAD # IL - PAD
o25.oopen.de o25.oopen.de
@@ -1778,9 +1793,6 @@ o31.oopen.de
mail.cadus.org mail.cadus.org
web.cadus.org web.cadus.org
# etventure
o32.oopen.de
# BigBlueButton - O.OPEN # BigBlueButton - O.OPEN
o33.oopen.de o33.oopen.de
@@ -1828,9 +1840,6 @@ cp-flr.oopen.de
# Kotti-Coop e.V. # Kotti-Coop e.V.
o41.oopen.de o41.oopen.de
# AgR - Shop
shop-dev.aufstehen-gegen-rassismus.de
# RAV # RAV
o42.oopen.de o42.oopen.de
mm-rav.oopen.de mm-rav.oopen.de
@@ -1838,10 +1847,13 @@ mm-rav.oopen.de
# ND - prometheus, web # ND - prometheus, web
o43.oopen.de o43.oopen.de
formbricks-nd.oopen.de formbricks-nd.oopen.de
keycloak-nd.oopen.de
prometheus-nd.oopen.de prometheus-nd.oopen.de
web-nd.oopen.de web-nd.oopen.de
test-nd.oopen.de test-nd.oopen.de
# Gemeinchaft Altenschlirf
ga-st-mm.ga.netz
lxc-host-kb.anw-kb.netz lxc-host-kb.anw-kb.netz
@@ -1852,7 +1864,9 @@ lxc-host-kb.anw-kb.netz
at-10-neu.ak.netz at-10-neu.ak.netz
bbb-server.b3-bornim.netz bbb-server.b3-bornim.netz
file-ah.kanzlei-kiel.netz file-ah.kanzlei-kiel.netz
file-ah-neu.kanzlei-kiel.netz
file-ebs.ebs.netz file-ebs.ebs.netz
file-fm.fm.netz
file-fhxb.fhxb.netz file-fhxb.fhxb.netz
file-km.anw-km.netz file-km.anw-km.netz
file-kb.anw-kb.netz file-kb.anw-kb.netz
@@ -1876,6 +1890,7 @@ gw-b3.oopen.de
gw-d11.oopen.de gw-d11.oopen.de
gw-dissens.oopen.de gw-dissens.oopen.de
gw-ebs.oopen.de gw-ebs.oopen.de
gw-fm.oopen.de
gw-elster.oopen.de gw-elster.oopen.de
gw-blkr.oopen.de gw-blkr.oopen.de
gw-ak.oopen.de gw-ak.oopen.de
@@ -1898,8 +1913,11 @@ k1371.dyndns.org
ga-st-gw-ersatz.ga.netz ga-st-gw-ersatz.ga.netz
ga-st-gw.ga.netz ga-st-gw.ga.netz
ga-st-gw-neu.ga.netz
ga-al-gw.oopen.de ga-al-gw.oopen.de
ga-nh-gw.oopen.de ga-nh-gw.oopen.de
ga-gh-gw.oopen.de
gw-campus.oopen.de
# Gateway/Firewall Server office network # Gateway/Firewall Server office network
@@ -1979,6 +1997,8 @@ ga-al-kvm2.ga.netz
ga-al-kvm3.ga.netz ga-al-kvm3.ga.netz
ga-al-relay.ga.netz ga-al-relay.ga.netz
ga-nh-gw.oopen.de.yml ga-nh-gw.oopen.de.yml
ga-gh-gw.oopen.de
gw-campus.oopen.de
ga-st-lxc1.ga.netz ga-st-lxc1.ga.netz
ga-st-mail.ga.netz ga-st-mail.ga.netz
ga-st-services.ga.netz ga-st-services.ga.netz

68
roles/ansible_dependencies-trixie/tasks/main.yml Normal file
View File

@@ -0,0 +1,68 @@
---
- name: Ensure python3 and python3-apt are present (bootstrap)
ansible.builtin.raw: |
test -x /usr/bin/python3 && dpkg -s python3-apt >/dev/null 2>&1 \
|| (apt-get update -y && apt-get install -y python3 python3-apt)
changed_when: false
# Ab dem Zeitpunkt in dem Python auf dem Zielsystem vorhanden ist,
# kann Ansible wieder normale Module (wie apt, file, service, copy, usw.) benutzen.
#
# Aber:
# Da gather_facts: false gesetzt war, hat Ansible bis hierher keine Systeminformationen (Facts) wie:
#
# ansible_distribution
#
# ansible_fqdn
#
# ansible_memtotal_mb
#
# ansible_interfaces
#
# etc.
# eingesammelt.
#
# Rufe das 'setup'-Modul manuell auf mit:
#
# - name: Enable facts now that Python exists
# ansible.builtin.setup:
#
# Damit holt Ansible nachträglich die Facts, jetzt, wo Python verfügbar ist.
#
- name: Enable facts now that Python exists
ansible.builtin.setup:
- name: Ensure aptitude is present (optional)
ansible.builtin.raw: |
test -x /usr/bin/aptitude || (apt-get update -y && apt-get install -y aptitude)
changed_when: false
when: (aptitude_needed | default(false)) | bool
- name: Update apt cache
ansible.builtin.apt:
update_cache: true
cache_valid_time: "{{ apt_update_cache_valid_time | default(3600) }}"
- name: Fix half-configured packages (dpkg --configure -a)
ansible.builtin.command: dpkg --configure -a
register: dpkg_config
changed_when: (dpkg_config.stdout | default('')) | length > 0
when: (apt_dpkg_configure | default(true)) | bool
tags: [ansible-dependencies]
- name: Upgrade packages
ansible.builtin.apt:
upgrade: "{{ apt_upgrade_type | default('safe') }}"
update_cache: true
dpkg_options: "{{ (apt_upgrade_dpkg_options | default(['force-confdef','force-confold'])) | join(',') }}"
when: (apt_upgrade | default(false)) | bool
tags: [ansible-dependencies]
- name: Install Ansible dependencies
ansible.builtin.apt:
name: "{{ apt_ansible_dependencies_trixie | default(['python3','python3-apt']) }}"
state: "{{ apt_install_state | default('present') }}"
tags: [ansible-dependencies]

68
roles/ansible_dependencies-trixie/tasks/main.yml.01 Normal file
View File

@@ -0,0 +1,68 @@
---
- name: Ensure python3 and python3-apt are present (bootstrap)
ansible.builtin.raw: |
test -x /usr/bin/python3 && dpkg -s python3-apt >/dev/null 2>&1 \
|| (apt-get update -y && apt-get install -y python3 python3-apt)
changed_when: false
# Ab dem Zeitpunkt in dem Python auf dem Zielsystem vorhanden ist,
# kann Ansible wieder normale Module (wie apt, file, service, copy, usw.) benutzen.
#
# Aber:
# Da gather_facts: false gesetzt war, hat Ansible bis hierher keine Systeminformationen (Facts) wie:
#
# ansible_distribution
#
# ansible_fqdn
#
# ansible_memtotal_mb
#
# ansible_interfaces
#
# etc.
# eingesammelt.
#
# Rufe das 'setup'-Modul manuell auf mit:
#
# - name: Enable facts now that Python exists
# ansible.builtin.setup:
#
# Damit holt Ansible nachträglich die Facts, jetzt, wo Python verfügbar ist.
#
- name: Enable facts now that Python exists
ansible.builtin.setup:
- name: Ensure aptitude is present (optional)
ansible.builtin.raw: |
test -x /usr/bin/aptitude || (apt-get update -y && apt-get install -y aptitude)
changed_when: false
when: (aptitude_needed | default(false)) | bool
- name: Update apt cache
ansible.builtin.apt:
update_cache: true
cache_valid_time: "{{ apt_update_cache_valid_time | default(3600) }}"
- name: Fix half-configured packages (dpkg --configure -a)
ansible.builtin.command: dpkg --configure -a
register: dpkg_config
changed_when: (dpkg_config.stdout | default('')) | length > 0
when: (apt_dpkg_configure | default(true)) | bool
tags: [ansible-dependencies]
- name: Upgrade packages
ansible.builtin.apt:
upgrade: "{{ apt_upgrade_type | default('safe') }}"
update_cache: true
dpkg_options: "{{ (apt_upgrade_dpkg_options | default(['force-confdef','force-confold'])) | join(',') }}"
when: (apt_upgrade | default(false)) | bool
tags: [ansible-dependencies]
- name: Install Ansible dependencies
ansible.builtin.apt:
name: "{{ apt_ansible_dependencies_trixie | default(['python3','python3-apt']) }}"
state: "{{ apt_install_state | default('present') }}"
tags: [ansible-dependencies]

72
roles/ansible_dependencies-trixie/tasks/main.yml.02 Normal file
View File

@@ -0,0 +1,72 @@
---
# --- Nur fürs Bootstrap, damit Python für Ansible verfügbar ist ---
- name: Ensure python3 and python3-apt are present (bootstrap)
ansible.builtin.raw: |
test -x /usr/bin/python3 || (apt-get -y update && apt-get install -y python3)
test -x /usr/bin/python3 && (apt-get -y update && apt-get install -y python3-apt)
changed_when: false
# Ab dem Zeitpunkt in dem Python auf dem Zielsystem vorhanden ist,
# kann Ansible wieder normale Module (wie apt, file, service, copy, usw.) benutzen.
#
# Aber:
# Da gather_facts: false gesetzt war, hat Ansible bis hierher keine Systeminformationen (Facts) wie:
#
# ansible_distribution
#
# ansible_fqdn
#
# ansible_memtotal_mb
#
# ansible_interfaces
#
# etc.
# eingesammelt.
#
# Rufe das 'setup'-Modul manuell auf mit:
#
# - name: Enable facts now that Python exists
# ansible.builtin.setup:
#
# Damit holt Ansible nachträglich die Facts, jetzt, wo Python verfügbar ist.
#
- name: Enable facts now that Python exists
ansible.builtin.setup:
# --- Ab hier normale Module verwenden ---
- name: Update APT cache
ansible.builtin.apt:
update_cache: true
cache_valid_time: "{{ apt_update_cache_valid_time | default(3600) }}"
tags: [ansible-dependencies]
- name: Ensure aptitude is present
ansible.builtin.apt:
name: aptitude
state: present
tags: [ansible-dependencies]
- name: dpkg --configure -a
ansible.builtin.command: dpkg --configure -a
register: dpkg_out
# "changed" nur, wenn es wirklich etwas ausgibt/konfiguriert
changed_when: dpkg_out.stdout is defined and dpkg_out.stdout | length > 0
when: apt_dpkg_configure | bool
tags: [ansible-dependencies]
- name: apt upgrade
ansible.builtin.apt:
upgrade: "{{ apt_upgrade_type }}"
update_cache: true
dpkg_options: "{{ apt_upgrade_dpkg_options | join(',') }}"
when: apt_upgrade | bool
tags: [ansible-dependencies]
- name: apt install ansible dependencies
ansible.builtin.apt:
name: "{{ apt_ansible_dependencies_trixie }}"
state: "{{ apt_install_state }}"
tags: [ansible-dependencies]

7
roles/common/files/etc/systemd/system/apache2.service.d/limits.conf Normal file
View File

@@ -0,0 +1,7 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# Custom Values overrides/adds values in 'mariadb.service'
#
[Service]
LimitNOFILE=1048576
LimitMEMLOCK=infinity

7
roles/common/files/etc/systemd/system/mariadb.service.d/limits.conf Normal file
View File

@@ -0,0 +1,7 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# Custom Values overrides/adds values in 'mariadb.service'
#
[Service]
LimitNOFILE=1048576
LimitMEMLOCK=infinity

4
roles/common/files/mailserver/etc/postfix/postfwd.cf
View File

@@ -169,8 +169,8 @@ id=RATE_CLIENT_ADDR
id=BLOCK_MSG_RCPT id=BLOCK_MSG_RCPT
&&INCOMING &&INCOMING
&&SASL_AUTH &&SASL_AUTH
recipient_count=50 recipient_count=90
action=REJECT Too many recipients, please reduce to less than 50 or consider using a mailing list. Error: BLOCK_MSG_RCPT action=REJECT Too many recipients, please reduce to less than 90 or consider using a mailing list. Error: BLOCK_MSG_RCPT
# Block users sending more than 50 messages/hour # Block users sending more than 50 messages/hour
id=RATE_MSG id=RATE_MSG

13
roles/common/handlers/main.yml
View File

@@ -99,3 +99,16 @@
name: ntpsec name: ntpsec
daemon_reload: yes daemon_reload: yes
state: restarted state: restarted
- name: Restart mariadb
service:
name: mariadb
daemon_reload: yes
state: restarted
- name: Restart apache2
service:
name: apache2
daemon_reload: yes
state: restarted

37
roles/common/tasks/apache2.yml Normal file
View File

@@ -0,0 +1,37 @@
---
# ---
# Apache2 Server
# ---
- name: Populate service facts
ansible.builtin.service_facts:
#- name: Print service facts
# ansible.builtin.debug:
# var: ansible_facts.services
# when:
# - ansible_facts['services']['apache2.service']['name'] | default('not-found') != 'not-found'
- name: (apache2.yml) Ensure directory '/etc/systemd/system/apache2.service.d' is present
file:
path: /etc/systemd/system/apache2.service.d
state: directory
owner: root
group: root
mode: '0755'
when:
- ansible_facts['services']['apache2.service']['name'] | default('not-found') != 'not-found'
- name: (apache2.yml) Ensure file '/etc/systemd/system/apache2.service.d/limits.conf' exists
copy:
src: 'etc/systemd/system/apache2.service.d/limits.conf'
dest: '/etc/systemd/system/apache2.service.d/limits.conf'
owner: root
group: root
mode: '0644'
notify: "Restart apache2"
when:
- ansible_facts['services']['apache2.service']['name'] | default('not-found') != 'not-found'

55
roles/common/tasks/apt.yml
View File

@@ -8,7 +8,10 @@
group: root group: root
mode: 0644 mode: 0644
register: apt_config_updated register: apt_config_updated
when: apt_manage_sources_list|bool when:
- apt_manage_sources_list|bool
- ansible_facts['distribution'] == 'Debian'
- (ansible_facts['distribution_major_version'] | int) < 13
tags: tags:
- apt-configuration - apt-configuration
@@ -27,13 +30,11 @@
- apt-webserver-pkgs - apt-webserver-pkgs
- name: (apt.yml) dpkg --configure - name: (apt.yml) Configure any half-installed packages 'dpkg --configure -a'
command: > ansible.builtin.command: dpkg --configure -a
dpkg --configure -a
args:
warn: false
changed_when: _dpkg_configure.stdout_lines | length
register: _dpkg_configure register: _dpkg_configure
changed_when: (_dpkg_configure.stdout | default('')) | length > 0
failed_when: _dpkg_configure.rc != 0
when: apt_dpkg_configure|bool when: apt_dpkg_configure|bool
tags: tags:
- apt-dpkg-configure - apt-dpkg-configure
@@ -105,6 +106,18 @@
- apt-initial-install - apt-initial-install
- name: (apt.yml) Initial install debian packages (trixie)
apt:
name: "{{ apt_initial_install_trixie }}"
state: "{{ apt_install_state }}"
when:
- apt_initial_install_trixie is defined and apt_initial_install_trixie|length > 0
- ansible_facts['distribution'] == "Debian"
- ansible_facts['distribution_major_version'] == "13"
tags:
- apt-initial-install
- name: (apt.yml) Initial install ubuntu packages (bionic) - name: (apt.yml) Initial install ubuntu packages (bionic)
apt: apt:
name: "{{ apt_initial_install_bionic }}" name: "{{ apt_initial_install_bionic }}"
@@ -164,14 +177,14 @@
- apt-microcode - apt-microcode
- name: (apt.yml) Install CPU microcode (debian buster/bullseye/bookworm) - name: (apt.yml) Install CPU microcode (debian buster/bullseye/bookworm/trixie)
apt: apt:
name: "{{ microcode_package }}" name: "{{ microcode_package }}"
state: present state: present
default_release: "{{ ansible_distribution_release }}" default_release: "{{ ansible_distribution_release }}"
when: when:
- ansible_facts['distribution'] == "Debian" - ansible_facts['distribution'] == "Debian"
- ansible_facts['distribution_major_version'] == "10" or ansible_facts['distribution_major_version'] == "11" or ansible_facts['distribution_major_version'] == "12" - ansible_facts['distribution_major_version'] == "10" or ansible_facts['distribution_major_version'] == "11" or ansible_facts['distribution_major_version'] == "12" or ansible_facts['distribution_major_version'] == "13"
- ansible_facts['processor']|string is search("Intel") - ansible_facts['processor']|string is search("Intel")
tags: tags:
- apt-initial-install - apt-initial-install
@@ -318,12 +331,24 @@
- apt-compiler-pkgs - apt-compiler-pkgs
- apt-webserver-pkgs - apt-webserver-pkgs
- name: (apt.yml) clean #- name: (apt.yml) clean
command: apt-get -y clean # command: apt-get -y clean
args: # args:
warn: false # warn: false
changed_when: false # changed_when: false
when: apt_clean|bool # when: apt_clean|bool
# tags:
# - apt-clean
# - apt-initial-install
# - apt-microcode
# - apt-compiler-pkgs
# - apt-mysql-server-pkgs
# - apt-webserver-pkgs
- name: (apt.yml) autoclean cache
ansible.builtin.apt:
autoclean: yes
when: apt_clean | bool
tags: tags:
- apt-clean - apt-clean
- apt-initial-install - apt-initial-install

11
roles/common/tasks/caching-nameserver.yml
View File

@@ -15,14 +15,11 @@
tags: tags:
- apt-caching-nameserver - apt-caching-nameserver
- name: (caching-nameserver.yml) Configure any half-installed packages 'dpkg --configure -a'
- name: (caching-nameserver.yml) dpkg --configure ansible.builtin.command: dpkg --configure -a
command: >
dpkg --configure -a
args:
warn: false
changed_when: _dpkg_configure.stdout_lines | length
register: _dpkg_configure register: _dpkg_configure
changed_when: (_dpkg_configure.stdout | default('')) | length > 0
failed_when: _dpkg_configure.rc != 0
when: when:
- ansible_distribution == "Debian" - ansible_distribution == "Debian"
- apt_update|bool - apt_update|bool

3
roles/common/tasks/git.yml
View File

@@ -32,8 +32,7 @@
git: git:
repo: "{{ git_firewall_repository.repo }}" repo: "{{ git_firewall_repository.repo }}"
dest: "{{ git_firewall_repository.dest }}" dest: "{{ git_firewall_repository.dest }}"
#when: git_firewall_repository is defined and git_firewall_repository > 0 when: git_firewall_repository is defined and git_firewall_repository | length > 0
when: git_firewall_repository|bool
tags: tags:
- git-firewall-repository - git-firewall-repository

28
roles/common/tasks/main.yml
View File

@@ -56,6 +56,16 @@
tags: yum tags: yum
# tags supportetd inside caching-nameserver.yml
#
# apt-caching-nameserver
# yum-caching-nameserver
#
- import_tasks: caching-nameserver.yml
when: groups['caching_nameserver']|string is search(inventory_hostname)
tags: caching-nameserver
# tags supported inside systemd-resolved.yml # tags supported inside systemd-resolved.yml
# #
# systemd-resolved # systemd-resolved
@@ -270,16 +280,16 @@
tags: tags:
- redis-server - redis-server
- import_tasks: mysql.yml
when: groups['mysql_server']|string is search(inventory_hostname)
tags:
- mysql
- mariadb
# tags supportetd inside caching-nameserver.yml - import_tasks: apache2.yml
# when: groups['apache2_webserver']|string is search(inventory_hostname)
# apt-caching-nameserver tags:
# yum-caching-nameserver - apache2
#
- import_tasks: caching-nameserver.yml
when: groups['caching_nameserver']|string is search(inventory_hostname)
tags: caching-nameserver
- import_tasks: systemd-services_debian_based_OS.yml - import_tasks: systemd-services_debian_based_OS.yml
when: when:

37
roles/common/tasks/mysql.yml Normal file
View File

@@ -0,0 +1,37 @@
---
# ---
# MySQL / MariaDB Server
# ---
- name: Populate service facts
ansible.builtin.service_facts:
#- name: Print service facts
# ansible.builtin.debug:
# var: ansible_facts.services
# when:
# - ansible_facts['services']['mariadb.service']['name'] | default('not-found') != 'not-found'
- name: (mysql.yml) Ensure directory '/etc/systemd/system/mariadb.service.d' is present
file:
path: /etc/systemd/system/mariadb.service.d
state: directory
owner: root
group: root
mode: '0755'
when:
- ansible_facts['services']['mariadb.service']['name'] | default('not-found') != 'not-found'
- name: (mysql.yml) Ensure file '/etc/systemd/system/mariadb.service.d/limits.conf' exists
copy:
src: 'etc/systemd/system/mariadb.service.d/limits.conf'
dest: '/etc/systemd/system/mariadb.service.d/limits.conf'
owner: root
group: root
mode: '0644'
notify: "Restart mariadb"
when:
- ansible_facts['services']['mariadb.service']['name'] | default('not-found') != 'not-found'

13
roles/common/tasks/redis-server.yml
View File

@@ -15,17 +15,14 @@
tags: tags:
- redis-server - redis-server
- name: (redis-server.yml) Configure any half-installed packages 'dpkg --configure -a'
- name: (redis-server.yml) dpkg --configure ansible.builtin.command: dpkg --configure -a
command: >
dpkg --configure -a
args:
warn: false
changed_when: _dpkg_configure.stdout_lines | length
register: _dpkg_configure register: _dpkg_configure
changed_when: (_dpkg_configure.stdout | default('')) | length > 0
failed_when: _dpkg_configure.rc != 0
when: when:
- ansible_facts['distribution'] == "Debian" - ansible_facts['distribution'] == "Debian"
- apt_update|bool - apt_dpkg_configure|bool
tags: tags:
- redis-server - redis-server

82
roles/common/tasks/samba-config-server.yml
View File

@@ -92,14 +92,13 @@
# --- # ---
- name: (samba-config-server.yml) Check if file '/root/bin/samba/clean_samba_trash.sh' exists - name: (samba-config-server.yml) Check if file '/root/bin/samba/clean_samba_trash.sh' exists
stat: ansible.builtin.stat:
path: /root/bin/samba/clean_samba_trash.sh path: /root/bin/samba/clean_samba_trash.sh
register: clean_samba_trash_exists register: clean_samba_trash_exists
when: when:
- "groups['samba_server']|string is search(inventory_hostname)" - inventory_hostname in groups['samba_server']
tags: tags: [samba-server, samba-cron]
- samba-server
- samba-cron
- name: (samba-config-server.yml) Adjust configuration for script 'clean_samba_trash.sh' - name: (samba-config-server.yml) Adjust configuration for script 'clean_samba_trash.sh'
template: template:
@@ -114,36 +113,33 @@
- name: (samba-config-server.yml) Check if cleaning up trash dirs is configured - name: (samba-config-server.yml) Check if cleaning up trash dirs is configured
lineinfile: ansible.builtin.lineinfile:
path: /root/bin/samba/conf/clean_samba_trash.conf path: /root/bin/samba/conf/clean_samba_trash.conf
regexp: "^trash_dirs=*" regexp: '^trash_dirs=*'
state: absent state: absent
check_mode: yes check_mode: true
changed_when: false changed_when: false
register: clean_samba_trash_dirs register: clean_samba_trash_dirs
when: when:
- "groups['samba_server']|string is search(inventory_hostname)" - inventory_hostname in groups['samba_server']
tags: tags: [samba-server, samba-cron]
- samba-server
- samba-cron
- name: (samba-config-server.yml) Creates a cron job for cleaning up samba trash dirs - name: (samba-config-server.yml) Creates a cron job for cleaning up samba trash dirs
cron: ansible.builtin.cron:
name: '{{ samba_cronjob_trash_dirs.name }}' name: "{{ samba_cronjob_trash_dirs.name }}"
minute: '{{ samba_cronjob_trash_dirs.minute }}' minute: "{{ samba_cronjob_trash_dirs.minute }}"
hour: "{{ samba_cronjob_trash_dirs.hour | default('*') }}" hour: "{{ samba_cronjob_trash_dirs.hour | default('*') }}"
day: "{{ samba_cronjob_trash_dirs.hour.day | default('*') }}" day: "{{ samba_cronjob_trash_dirs.day | default('*') }}"
month: "{{ samba_cronjob_trash_dirs.hour.month| default('*') }}" month: "{{ samba_cronjob_trash_dirs.month | default('*') }}"
weekday: "{{ samba_cronjob_trash_dirs.hour.weekday| default('*') }}" weekday: "{{ samba_cronjob_trash_dirs.weekday | default('*') }}"
user: "{{ samba_cronjob_trash_dirs.user | default('root') }}" user: "{{ samba_cronjob_trash_dirs.user | default('root') }}"
job: "{{ samba_cronjob_trash_dirs.job }}" job: "{{ samba_cronjob_trash_dirs.job }}"
when: when:
- "groups['samba_server']|string is search(inventory_hostname)" - inventory_hostname in groups['samba_server']
- clean_samba_trash_exists.stat.exists|bool and clean_samba_trash_dirs.found - clean_samba_trash_exists.stat.exists | bool
tags: - (clean_samba_trash_dirs.found | int) > 0
- samba-server tags: [samba-server, samba-cron]
- samba-cron
# --- # ---
@@ -151,41 +147,37 @@
# --- # ---
- name: (samba-config-server.yml) Check if file '/root/bin/samba/set_permissions_samba_shares.sh' exists - name: (samba-config-server.yml) Check if file '/root/bin/samba/set_permissions_samba_shares.sh' exists
stat: ansible.builtin.stat:
path: /root/bin/samba/set_permissions_samba_shares.sh path: /root/bin/samba/set_permissions_samba_shares.sh
register: set_permissions_on_samba_shares_exists register: set_permissions_on_samba_shares_exists
when: when:
- "groups['samba_server']|string is search(inventory_hostname)" - inventory_hostname in groups['samba_server']
tags: tags: [samba-server, samba-cron]
- samba-server
- samba-cron
- name: (samba-config-server.yml) Adjust configuration for script 'set_permissions_samba_shares.sh' - name: (samba-config-server.yml) Adjust configuration for script 'set_permissions_samba_shares.sh'
template: ansible.builtin.template:
dest: /root/bin/samba/conf/set_permissions_samba_shares.conf dest: /root/bin/samba/conf/set_permissions_samba_shares.conf
src: root/bin/samba/conf/set_permissions_samba_shares.conf.j2 src: root/bin/samba/conf/set_permissions_samba_shares.conf.j2
when: when:
- "groups['samba_server']|string is search(inventory_hostname)" - inventory_hostname in groups['samba_server']
- set_permissions_on_samba_shares_exists.stat.exists|bool - set_permissions_on_samba_shares_exists.stat.exists | bool
tags: tags: [samba-server, samba-cron]
- samba-server
- samba-cron
- name: (samba-config-server.yml) Creates a cron job for cleaning up samba trash dirs - name: (samba-config-server.yml) Creates a cron job for setting permissions to samba dirs
cron: ansible.builtin.cron:
name: '{{ samba_cronjob_permissions.name }}' name: "{{ samba_cronjob_permissions.name }}"
minute: '{{ samba_cronjob_permissions.minute }}' minute: "{{ samba_cronjob_permissions.minute }}"
hour: "{{ samba_cronjob_permissions.hour | default('*') }}" hour: "{{ samba_cronjob_permissions.hour | default('*') }}"
day: "{{ samba_cronjob_permissions.day | default('*') }}" day: "{{ samba_cronjob_permissions.day | default('*') }}"
month: "{{ samba_cronjob_permissions.month| default('*') }}" month: "{{ samba_cronjob_permissions.month | default('*') }}"
weekday: "{{ samba_cronjob_permissions.weekday| default('*') }}" weekday: "{{ samba_cronjob_permissions.weekday | default('*') }}"
user: "{{ samba_cronjob_permissions.user | default('root') }}" user: "{{ samba_cronjob_permissions.user | default('root') }}"
job: "{{ samba_cronjob_permissions.job }}" job: "{{ samba_cronjob_permissions.job }}"
when: when:
- "groups['samba_server']|string is search(inventory_hostname)" - inventory_hostname in groups['samba_server']
- clean_samba_trash_dirs.found - (clean_samba_trash_dirs.found | int) > 0 # << int -> bool
tags: tags: [samba-server, samba-cron]
- samba-server
- samba-cron

393
roles/common/tasks/users-systemfiles.yml
View File

@@ -17,6 +17,7 @@
local_action: stat path={{ inventory_dir }}/files/homedirs/root local_action: stat path={{ inventory_dir }}/files/homedirs/root
register: local_template_dir_root register: local_template_dir_root
# -- # --
# Copy .bashrc # Copy .bashrc
# --- # ---
@@ -40,22 +41,40 @@
tags: tags:
- bash - bash
- name: (users-systemfiles.yml) copy .bashrc if it exists # 1. Prüfen, ob für jeden User ein lokales _bashrc existiert
copy: - name: (users-systemfiles.yml) stat user _bashrc
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_bashrc') }}" ansible.builtin.stat:
dest: "~{{ item.item.name }}/.bashrc" path: "{{ inventory_dir }}/files/homedirs/{{ item.name }}/_bashrc"
owner: "{{ item.item.name }}" delegate_to: localhost
group: "{{ item.item.name }}" become: false
mode: 0644 loop: "{{ default_user }}"
loop: "{{ local_template_dir_default_user.results }}" register: bashrc_stats
loop_control: loop_control:
label: '{{ item.item.name }}' label: '{{ item.name }}'
# 2. Falls vorhanden, Datei kopieren
- name: (users-systemfiles.yml) copy .bashrc if it exists
ansible.builtin.copy:
src: "{{ inventory_dir }}/files/homedirs/{{ user.name }}/_bashrc"
dest: "~{{ user.name }}/.bashrc"
owner: "{{ user.name }}"
group: "{{ user.name }}"
mode: '0644'
loop: "{{ default_user | zip(bashrc_stats.results) | list }}"
loop_control:
label: "{{ user.name }}"
when: when:
- item.stat.exists - stat_result.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_bashrc') vars:
user: "{{ item.0 }}"
stat_result: "{{ item.1 }}"
tags: tags:
- bash - bash
# --
# -- root user
# --
- name: (users-systemfiles.yml) Check if file '/root/.bashrc.ORIG' exists - name: (users-systemfiles.yml) Check if file '/root/.bashrc.ORIG' exists
stat: stat:
path: /root/.bashrc.ORIG path: /root/.bashrc.ORIG
@@ -69,19 +88,28 @@
tags: tags:
- bash - bash
- name: (users-systemfiles.yml) copy .bashrc for user root # 1) Prüfen ob die _bashrc für root auf dem Control-Node existiert
copy: - name: stat root _bashrc on control node
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/root/_bashrc') }}" ansible.builtin.stat:
dest: "/root/.bashrc" path: "{{ inventory_dir }}/files/homedirs/root/_bashrc"
delegate_to: localhost
become: false
register: bashrc_root_stat
# 2) Wenn vorhanden, kopieren wir sie nach /root/.bashrc auf dem Zielhost
- name: copy root .bashrc if it exists
ansible.builtin.copy:
src: "{{ inventory_dir }}/files/homedirs/root/_bashrc"
dest: /root/.bashrc
owner: root owner: root
group: root group: root
mode: 0644 mode: '0644'
when: become: true
- local_template_dir_root.stat.exists when: bashrc_root_stat.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/root/_bashrc')
tags: tags:
- bash - bash
# -- # --
# Copy .profile (Debian System) # Copy .profile (Debian System)
# --- # ---
@@ -108,23 +136,41 @@
- item.stat.exists == False - item.stat.exists == False
tags: tags:
- profile - profile
- name: (users-systemfiles.yml) copy .profile if it exists
copy: # 1. Prüfen, ob für jeden User ein lokales _profile existiert
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_profile') }}" - name: (users-systemfiles.yml) stat user _profile
dest: "~{{ item.item.name }}/.profile" ansible.builtin.stat:
owner: "{{ item.item.name }}" path: "{{ inventory_dir }}/files/homedirs/{{ item.name }}/_profile"
group: "{{ item.item.name }}" delegate_to: localhost
mode: 0644 become: false
loop: "{{ local_template_dir_default_user.results }}" loop: "{{ default_user }}"
register: profile_stats
loop_control: loop_control:
label: '{{ item.item.name }}' label: '{{ item.name }}'
# 2. Falls vorhanden, Datei kopieren
- name: (users-systemfiles.yml) copy .profile if it exists
ansible.builtin.copy:
src: "{{ inventory_dir }}/files/homedirs/{{ user.name }}/_profile"
dest: "~{{ user.name }}/.profile"
owner: "{{ user.name }}"
group: "{{ user.name }}"
mode: '0644'
loop: "{{ default_user | zip(profile_stats.results) | list }}"
loop_control:
label: "{{ user.name }}"
when: when:
- ansible_facts['distribution'] == "Debian" - stat_result.stat.exists
- item.stat.exists vars:
- lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_profile') user: "{{ item.0 }}"
stat_result: "{{ item.1 }}"
tags: tags:
- profile - bash
# --
# -- root user
# --
- name: (users-systemfiles.yml) Check if file '/root/.profile.ORIG' exists - name: (users-systemfiles.yml) Check if file '/root/.profile.ORIG' exists
stat: stat:
@@ -143,19 +189,27 @@
tags: tags:
- profile - profile
- name: (users-systemfiles.yml) copy .profile for user root
copy: # 1) Prüfen ob die _profile für root auf dem Control-Node existiert
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/root/_profile') }}" - name: stat root _profile on control node
dest: "/root/.profile" ansible.builtin.stat:
path: "{{ inventory_dir }}/files/homedirs/root/_profile"
delegate_to: localhost
become: false
register: profile_root_stat
# 2) Wenn vorhanden, kopieren wir sie nach /root/.profile auf dem Zielhost
- name: copy root .profile if it exists
ansible.builtin.copy:
src: "{{ inventory_dir }}/files/homedirs/root/_profile"
dest: /root/.profile
owner: root owner: root
group: root group: root
mode: 0644 mode: '0644'
when: become: true
- ansible_facts['distribution'] == "Debian" when: profile_root_stat.stat.exists
- local_template_dir_root.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/root/_profile')
tags: tags:
- profile - bash
# -- # --
# Copy .bash_profile (CentOS/Fedora?/RedHat? System) # Copy .bash_profile (CentOS/Fedora?/RedHat? System)
@@ -184,23 +238,43 @@
tags: tags:
- profile - profile
- name: (users-systemfiles.yml) copy .bash_profile if it exists
copy: # 1. Prüfen, ob für jeden User ein lokales _bash_profile existiert
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_bash_profile') }}" - name: (users-systemfiles.yml) stat user _bash_profile
dest: "~{{ item.item.name }}/.bash_profile" ansible.builtin.stat:
owner: "{{ item.item.name }}" path: "{{ inventory_dir }}/files/homedirs/{{ item.name }}/_bash_profile"
group: "{{ item.item.name }}" delegate_to: localhost
mode: 0644 become: false
loop: "{{ local_template_dir_default_user.results }}" loop: "{{ default_user }}"
register: bash_profile_stats
loop_control: loop_control:
label: '{{ item.item.name }}' label: '{{ item.name }}'
when: when:
- ansible_facts['distribution'] == "CentOS" - ansible_facts['distribution'] == "CentOS"
- item.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_bash_profile')
tags:
- profile
# 2. Falls vorhanden, Datei kopieren
- name: (users-systemfiles.yml) copy .bash_profile if it exists
ansible.builtin.copy:
src: "{{ inventory_dir }}/files/homedirs/{{ user.name }}/_bash_profile"
dest: "~{{ user.name }}/.bash_profile"
owner: "{{ user.name }}"
group: "{{ user.name }}"
mode: '0644'
loop: "{{ default_user | zip(bash_profile_stats.results) | list }}"
loop_control:
label: "{{ user.name }}"
when:
- ansible_facts['distribution'] == "CentOS"
- stat_result.stat.exists
vars:
user: "{{ item.0 }}"
stat_result: "{{ item.1 }}"
tags:
- bash
# --
# -- root user
# --
- name: (users-systemfiles.yml) Check if file '/root/.bash_profile.ORIG' exists - name: (users-systemfiles.yml) Check if file '/root/.bash_profile.ORIG' exists
stat: stat:
@@ -219,94 +293,171 @@
tags: tags:
- profile - profile
- name: (users-systemfiles.yml) copy .bash_profile for user root
copy: # 1) Prüfen ob die _bash_profile für root auf dem Control-Node existiert
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/root/_bash_profile') }}" - name: stat root _bash_profile on control node
dest: "/root/.bash_profile" ansible.builtin.stat:
path: "{{ inventory_dir }}/files/homedirs/root/_bash_profile"
delegate_to: localhost
become: false
register: bash_profile_root_stat
when:
- ansible_facts['distribution'] == "CentOS"
# 2) Wenn vorhanden, kopieren wir sie nach /root/.bash_profile auf dem Zielhost
- name: copy root .bash_profile if it exists
ansible.builtin.copy:
src: "{{ inventory_dir }}/files/homedirs/root/_bash_profile"
dest: /root/.bash_profile
owner: root owner: root
group: root group: root
mode: 0644 mode: '0644'
when: become: true
when:
- ansible_facts['distribution'] == "CentOS" - ansible_facts['distribution'] == "CentOS"
- local_template_dir_root.stat.exists - bash_profile_root_stat.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/root/_bash_profile')
tags: tags:
- profile - bash
# -- # --
# Copy .vimrc # Copy .vimrc
# --- # ---
- name: (users-systemfiles.yml) copy .vimrc if it exists # 1. Prüfen, ob für jeden User ein lokales _vimrc existiert
copy: - name: (users-systemfiles.yml) stat user _vimrc
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_vimrc') }}" ansible.builtin.stat:
dest: "~{{ item.item.name }}/.vimrc" path: "{{ inventory_dir }}/files/homedirs/{{ item.name }}/_vimrc"
owner: "{{ item.item.name }}" delegate_to: localhost
group: "{{ item.item.name }}" become: false
mode: 0644 loop: "{{ default_user }}"
loop: "{{ local_template_dir_default_user.results }}" register: vimrc_stats
loop_control:
label: '{{ item.item.name }}'
when:
- item.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/' + item.item.name + '/_vimrc')
tags:
- vim
- name: (users-systemfiles.yml) Check if .vim directory exists for default users
local_action: stat path={{ inventory_dir }}/files/homedirs/{{ item.name }}/.vim
with_items: "{{ default_user }}"
loop_control: loop_control:
label: '{{ item.name }}' label: '{{ item.name }}'
register: local_template_dir_dotvim_default_user
- name: (users-systemfiles.yml) copy .vim directory if it exists # 2. Falls vorhanden, Datei kopieren
copy: - name: (users-systemfiles.yml) copy .vimrc if it exists
src: "{{ inventory_dir + '/files/homedirs/' + item.item.name + '/.vim' }}" ansible.builtin.copy:
dest: "~{{ item.item.name }}" src: "{{ inventory_dir }}/files/homedirs/{{ user.name }}/_vimrc"
owner: "{{ item.item.name }}" dest: "~{{ user.name }}/.vimrc"
group: "{{ item.item.name }}" owner: "{{ user.name }}"
mode: 0644 group: "{{ user.name }}"
with_items: "{{ local_template_dir_dotvim_default_user.results }}" mode: '0644'
loop: "{{ default_user | zip(vimrc_stats.results) | list }}"
loop_control: loop_control:
label: '{{ item.item.name }}' label: "{{ user.name }}"
when: when:
- item.stat.exists - stat_result.stat.exists
vars:
user: "{{ item.0 }}"
stat_result: "{{ item.1 }}"
tags: tags:
- vim - bash
- name: (users-systemfiles.yml) copy .vimrc for user root # 1) Lokal prüfen, ob ~/.vim existiert
copy: - name: (users-systemfiles.yml) stat local .vim for each user
src: "{{ lookup('fileglob', inventory_dir + '/files/homedirs/root/_vimrc') }}" ansible.builtin.stat:
dest: "/root/.vimrc" path: "{{ inventory_dir }}/files/homedirs/{{ item.name }}/.vim"
delegate_to: localhost
become: false
loop: "{{ default_user }}"
register: dotvim_stats
loop_control:
label: "{{ item.name }}"
# 2) Wenn vorhanden, .vim-Verzeichnis ins Home des Users kopieren
- name: (users-systemfiles.yml) copy .vim directory if it exists
ansible.builtin.copy:
# Wichtig: KEINE verschachtelten {{ ... }} im String
src: "{{ inventory_dir }}/files/homedirs/{{ user.name }}/.vim"
dest: "~{{ user.name }}/"
mode: preserve # oder weglassen; 0644 wäre für Verzeichnisse falsch
become: true
loop: "{{ default_user | zip(dotvim_stats.results) | list }}"
loop_control:
label: "{{ user.name }}"
when:
- stat_result.stat.exists | bool
vars:
user: "{{ item.0 }}"
stat_result: "{{ item.1 }}"
tags: [vim]
# 3) Ownership/Gruppe rekursiv korrigieren (falls gewünscht/erforderlich)
- name: (users-systemfiles.yml) ensure ownership on ~/.vim recursively
ansible.builtin.file:
path: "~{{ user.name }}/.vim"
owner: "{{ user.name }}"
group: "{{ user.name }}"
recurse: true
state: directory
become: true
loop: "{{ default_user | zip(dotvim_stats.results) | list }}"
loop_control:
label: "{{ user.name }}"
when:
- stat_result.stat.exists | bool
vars:
user: "{{ item.0 }}"
stat_result: "{{ item.1 }}"
tags: [vim]
# --
# -- root user
# --
# 1) Prüfen ob die _vimrc für root auf dem Control-Node existiert
- name: stat root _vimrc on control node
ansible.builtin.stat:
path: "{{ inventory_dir }}/files/homedirs/root/_vimrc"
delegate_to: localhost
become: false
register: vimrc_root_stat
# 2) Wenn vorhanden, kopieren wir sie nach /root/.vimrc auf dem Zielhost
- name: copy root .vimrc if it exists
ansible.builtin.copy:
src: "{{ inventory_dir }}/files/homedirs/root/_vimrc"
dest: /root/.vimrc
owner: root owner: root
group: root group: root
mode: 0644 mode: '0644'
become: true
when: when:
- local_template_dir_root.stat.exists - vimrc_root_stat.stat.exists
- lookup('fileglob', inventory_dir + '/files/homedirs/root/_vimrc')
tags: tags:
- vim - bash
# 1) Lokal prüfen, ob ./files/homedirs/root/.vim existiert
- name: (users-systemfiles.yml) stat local .vim for root
ansible.builtin.stat:
path: "{{ inventory_dir }}/files/homedirs/root/.vim"
delegate_to: localhost
become: false
register: root_dotvim_stat
tags: [vim]
- name: (users-systemfiles.yml) Check if local template directory .vim exists for user root # 2) Wenn vorhanden, nach /root/ kopieren
local_action: stat path={{ inventory_dir }}/files/homedirs/root/.vim - name: (users-systemfiles.yml) copy root .vim directory if it exists
register: local_template_dir_vim_root ansible.builtin.copy:
with_items: 'root' src: "{{ inventory_dir }}/files/homedirs/root/.vim"
loop_control: dest: "/root/"
label: 'root' mode: preserve # oder weglassen; nicht 0644 bei Verzeichnissen
become: true
when:
- root_dotvim_stat.stat.exists | bool
tags: [vim]
- name: (users-systemfiles.yml) copy .vim directory for user root if it exists # 3) Ownership sicherstellen (rekursiv)
copy: - name: (users-systemfiles.yml) ensure ownership on /root/.vim recursively
src: "{{ inventory_dir + '/files/homedirs/root/.vim' }}" ansible.builtin.file:
dest: "/root" path: "/root/.vim"
owner: "root" owner: "root"
group: "root" group: "root"
mode: 0644 recurse: true
with_items: "{{ local_template_dir_vim_root.results }}" state: directory
loop_control: become: true
label: 'root'
when: when:
- item.stat.exists - root_dotvim_stat.stat.exists | bool
tags: tags: [vim]
- vim

13
roles/common/templates/etc/bind/named.conf.options.j2
View File

@@ -52,6 +52,14 @@ options {
any; any;
}; };
allow-query {
127.0.0.1;
::1 ;
{% for acl in acl_caching_nameserver %}
{{ acl.name }};
{% endfor %}
};
allow-recursion { allow-recursion {
127.0.0.1; 127.0.0.1;
::1 ; ::1 ;
@@ -69,6 +77,11 @@ options {
::1; ::1;
}; };
allow-query {
127.0.0.1;
::1;
};
allow-recursion { allow-recursion {
127.0.0.1; 127.0.0.1;
::1; ::1;

44
roles/common/templates/etc/samba/smb.conf.j2
View File

@@ -269,6 +269,30 @@
# public shares, not just authenticated ones # public shares, not just authenticated ones
usershare allow guests = yes usershare allow guests = yes
# In normal operation the option wide links which allows the server to follow
# symlinks outside of a share path is automatically disabled when unix extensions
# are enabled on a Samba server. This is done for security purposes to prevent
# UNIX clients creating symlinks to areas of the server file system that the
# administrator does not wish to export.
#
# Setting allow insecure wide links to true disables the link between these two
# parameters, removing this protection and allowing a site to configure the server
# to follow symlinks (by setting wide links to "true") even when unix extensions is
# turned on.
#
# It is not recommended to enable this option unless you fully understand the
# implications of allowing the server to follow symbolic links created by UNIX clients.
# For most normal Samba configurations this would be considered a security hole and
# setting this parameter is not recommended.
#
# This option was added at the request of sites who had deliberately set Samba up
# in this way and needed to continue supporting this functionality without having to
# patch the Samba code.
#
# Default: allow insecure wide links = no
#
allow insecure wide links = {{ samba_allow_insecure_wide_links|default('no') }}
#======================= Share Definitions ======================= #======================= Share Definitions =======================
# {{ ansible_managed }} # {{ ansible_managed }}
@@ -368,6 +392,26 @@
force group = +{{ item.group_write_list }} force group = +{{ item.group_write_list }}
{% endif %} {% endif %}
{%- if item.wide_links is defined and item.wide_links|length > 0 %}
# This parameter controls whether or not links in the UNIX file system may be
# followed by the server. Links that point to areas within the directory tree
# exported by the server are always allowed; this parameter controls access only to
# areas that are outside the directory tree being exported.
#
# Note: Turning this parameter on when UNIX extensions are enabled will allow UNIX
# clients to create symbolic links on the share that can point to files or
# directories outside restricted path exported by the share definition. This can
# cause access to areas outside of the share. Due to this problem, this paramete
# will be automatically disabled (with a message in the log file) if the unix
# extensions option is on.
#
# See the parameter allow insecure wide links if you wish to change this coupling
# between the two parameters.
#
# Default: wide links = no
#
wide links = yes
{% endif %}
{% if item.vfs_object_recycle is defined and item.vfs_object_recycle|bool %} {% if item.vfs_object_recycle is defined and item.vfs_object_recycle|bool %}
{% if item.recycle_path is defined and item.recycle_path|length > 0 %} {% if item.recycle_path is defined and item.recycle_path|length > 0 %}

4
roles/common/templates/usr/local/src/mailsystem/conf/install_postfix_advanced.conf.j2
View File

@@ -36,7 +36,7 @@ _SASL_PASS=
_RELAY_HOST=true _RELAY_HOST=true
_SYMPA_LIST_SERVER=true _SYMPA_LIST_SERVER=true
{% else %} {% else %}
_RELAY_HOST="{{ is_relay_host | default('false') }}" _RELAY_HOST={{ is_relay_host | default('false') }}
_SYMPA_LIST_SERVER=false _SYMPA_LIST_SERVER=false
{% endif %} {% endif %}
_INSTALL_DMARC_REPORT_SUPPORT={{ support_dmarc_reporting | default('false') }}

70
roles/modify-ipt-gateway/tasks/main.yml
View File

@@ -141,52 +141,62 @@
# Add additional SMTP ports OUT # Add additional SMTP ports OUT
# --- # ---
- name: Check if String 'smtpd_additional_outgoung_ports..' (IPv4) is present - name: Check if String 'allow_ipmi_request_in..' (IPv4) is present
shell: grep -q -E "^#?smtpd_additional_outgoung_ports=" /etc/ipt-firewall/main_ipv4.conf shell: grep -q -E "^#?allow_ipmi_request_in=" /etc/ipt-firewall/main_ipv4.conf
register: smtpd_additional_outgoung_ports_ipv4_present register: allow_ipmi_request_in_ipv4_present
when: main_ipv4_exists.stat.exists when: main_ipv4_exists.stat.exists
failed_when: "smtpd_additional_outgoung_ports_ipv4_present.rc > 1" failed_when: "allow_ipmi_request_in_ipv4_present.rc > 1"
changed_when: "smtpd_additional_outgoung_ports_ipv4_present.rc > 0" changed_when: "allow_ipmi_request_in_ipv4_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (FreeIPA Service) - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (allow_ipmi_request_in)
blockinfile: blockinfile:
path: /etc/ipt-firewall/main_ipv4.conf path: /etc/ipt-firewall/main_ipv4.conf
insertafter: '^#?\s*mail_user_ports' insertafter: '^#?\s*ipmi_tcp_ports='
block: | block: |
# - Allow Access to IPMI Interfaces from outside
# Additional Ports for outgoing smtp traffic # -
# # - Note:
# blank separated list of ports # - In addition, ports
# # -
smtpd_additional_outgoung_ports="" # - TCP :443, 3520, 5900
marker: "# Marker set by modify-ipt-gateway.yml (FreeIPA Service)" # - UDP: 623
# -
# - must be forwarded to the IP address of the IPMI network interface in the router (e.g., Fritzbox).
# -
allow_ipmi_request_in=false
marker: "# Marker set by modify-ipt-gateway.yml (allow_ipmi_request_in)"
when: when:
- main_ipv4_exists.stat.exists - main_ipv4_exists.stat.exists
- smtpd_additional_outgoung_ports_ipv4_present is changed - allow_ipmi_request_in_ipv4_present is changed
- name: Check if String 'smtpd_additional_outgoung_ports..' (IPv6) is present - name: Check if String 'allow_ipmi_request_in..' (IPv6) is present
shell: grep -q -E "^#?smtpd_additional_outgoung_ports=" /etc/ipt-firewall/main_ipv6.conf shell: grep -q -E "^#?allow_ipmi_request_in=" /etc/ipt-firewall/main_ipv6.conf
register: smtpd_additional_outgoung_ports_ipv6_present register: allow_ipmi_request_in_ipv6_present
when: main_ipv6_exists.stat.exists when: main_ipv6_exists.stat.exists
failed_when: "smtpd_additional_outgoung_ports_ipv6_present.rc > 1" failed_when: "allow_ipmi_request_in_ipv6_present.rc > 1"
changed_when: "smtpd_additional_outgoung_ports_ipv6_present.rc > 0" changed_when: "allow_ipmi_request_in_ipv6_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (FreeIPA Service) - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (allow_ipmi_request_in)
blockinfile: blockinfile:
path: /etc/ipt-firewall/main_ipv6.conf path: /etc/ipt-firewall/main_ipv6.conf
insertafter: '^#?\s*mail_user_ports=' insertafter: '^#?\s*ipmi_tcp_ports='
block: | block: |
# - Allow Access to IPMI Interfaces from outside
# Additional Ports for outgoing smtp traffic # -
# # - Note:
# blank separated list of ports # - In addition, ports
# # -
smtpd_additional_outgoung_ports="" # - TCP :443, 3520, 5900
marker: "# Marker set by modify-ipt-gateway.yml (FreeIPA Service)" # - UDP: 623
# -
# - must be forwarded to the IP address of the IPMI network interface in the router (e.g., Fritzbox).
# -
allow_ipmi_request_in=false
marker: "# Marker set by modify-ipt-gateway.yml (allow_ipmi_request_in)"
when: when:
- main_ipv6_exists.stat.exists - main_ipv6_exists.stat.exists
- smtpd_additional_outgoung_ports_ipv6_present is changed - allow_ipmi_request_in_ipv6_present is changed
# --- # ---

156
roles/modify-ipt-server/tasks/ipt-server.yml
View File

@@ -99,67 +99,153 @@
# === # ===
# --- # ---
# Add additional SMTP ports (OUT and IN) # Add support for MNDP and mDNS Traffic
# --- # ---
- name: Check if String 'smtpd_additional_listen_ports=..' is present - name: Check if String 'drop_mndp=..' is present
shell: grep -q -E "^smtpd_additional_listen_ports=" /etc/ipt-firewall/main_ipv4.conf shell: grep -q -E "^drop_mndp=" /etc/ipt-firewall/main_ipv4.conf
register: smtpd_additional_listen_ports_ipv4_present register: drop_mndp_ipv4_present
when: main_ipv4_exists.stat.exists when: main_ipv4_exists.stat.exists
failed_when: "smtpd_additional_listen_ports_ipv4_present.rc > 1" failed_when: "drop_mndp_ipv4_present.rc > 1"
changed_when: "smtpd_additional_listen_ports_ipv4_present.rc > 0" changed_when: "drop_mndp_ipv4_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (smtpd_additional_listen_ports) - name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (drop_mndp)
blockinfile: blockinfile:
path: /etc/ipt-firewall/main_ipv4.conf path: /etc/ipt-firewall/main_ipv4.conf
insertafter: '^#?\s*forward_smtpd_ips' insertafter: '^#?\s*drop_icmp'
block: | block: |
# Additional Ports on which SMTP Service should lsiten
#
# blank separated list of ports
#
smtpd_additional_listen_ports=""
# Additional Ports for outgoing smtp traffic # -------------
# --- Drop Mikrotik RouterOS Neighbor Discovery Protocol (MNDP) Traffic
# --- Drop Tinc VPN Traffic
# -------------
# Tinc VPN Traffic / Mikrotik RouterOS Neighbor Discovery Protocol (MNDP) Traffic
# #
# blank separated list of ports # Der UDP-Port 5678 wird üblicherweise von Tinc VPN verwendet. Tinc ist ein
# Open-Source-VPN-Softwarepaket, das für die Erstellung von Virtual Private
# Networks (VPNs) eingesetzt wird, bei denen Netzwerke über das Internet oder
# andere unsichere Netzwerke miteinander verbunden werden. Es nutzt diesen
# Port, um Verbindungen zwischen den Knoten (Nodes) des VPNs zu ermöglichen.
# #
smtpd_additional_outgoung_ports="" # Der UDP-Port 5678 wird auch von MikroTik RouterOS Neighbor Discovery Protocol
marker: "# Marker set by modify-ipt-server.yml (smtpd_additional_listen_ports)" # (NDP) verwendet. Dieses Protokoll wird von MikroTik-Routern eingesetzt, um
# benachbarte Geräte im Netzwerk zu entdecken und automatisch zu erkennen. Es
# hilft dabei, die Kommunikation zwischen MikroTik-Geräten zu erleichtern, ohne
# dass eine manuelle IP-Konfiguration erforderlich ist.
#
# MikroTik Neighbor Discovery über UDP-Port 5678 ist speziell darauf ausgelegt,
# Router und Geräte im selben lokalen Netzwerk (LAN) zu identifizieren und
# Informationen über benachbarte MikroTik-Geräte auszutauschen. Dies ist besonders
# nützlich für die Verwaltung und Konfiguration von MikroTik-Geräten im Netzwerk.
#
# Zusammengefasst:
# Der UDP-Port 5678 wird sowohl für MikroTik RouterOS Neighbor Discovery als auch
# für Tinc VPN verwendet, je nachdem, welche Technologie zum Einsatz kommt.
#
drop_mndp=true
# -------------
# --- Drop Multicast DNS Traffic
# -------------
# Multicast Domain Name System (mDNS) protocol
#
# UDP Port 5353/
#
# Der UDP-Port 5353 wird hauptsächlich für Multicast DNS (mDNS) verwendet.
# mDNS ist ein Protokoll, das es Geräten ermöglicht, sich im lokalen Netzwerk
# selbst zu identifizieren und ohne zentrale DNS-Server Namen zu registrieren
# und aufzulösen. Dies wird häufig in lokalen Netzwerken eingesetzt, z.B. bei
# Geräten, die mit Apple's Bonjour oder Avahi (einer Open-Source-Implementierung
# von mDNS) kommunizieren.
#
# UDP port 5353 is mainly used for multicast DNS (mDNS). mDNS is a protocol that
# allows devices to identify themselves on the local network and register and
# resolve names without central DNS servers. This is often used in local
# networks, e.g. for devices that communicate using Apple's Bonjour or Avahi
# (an open-source implementation of mDNS).
#
drop_mdns=true
marker: "# Marker set by modify-ipt-server.yml (drop_mndp)"
when: when:
- main_ipv4_exists.stat.exists - main_ipv4_exists.stat.exists
- smtpd_additional_listen_ports_ipv4_present is changed - drop_mndp_ipv4_present is changed
notify: notify:
- Restart IPv4 Firewall - Restart IPv4 Firewall
- name: Check if String 'smtpd_additional_listen_ports=..' is present - name: Check if String 'drop_mndp=..' is present
shell: grep -q -E "^smtpd_additional_listen_ports=" /etc/ipt-firewall/main_ipv6.conf shell: grep -q -E "^drop_mndp=" /etc/ipt-firewall/main_ipv6.conf
register: smtpd_additional_listen_ports_ipv6_present register: drop_mndp_ipv6_present
when: main_ipv6_exists.stat.exists when: main_ipv6_exists.stat.exists
failed_when: "smtpd_additional_listen_ports_ipv6_present.rc > 1" failed_when: "drop_mndp_ipv6_present.rc > 1"
changed_when: "smtpd_additional_listen_ports_ipv6_present.rc > 0" changed_when: "drop_mndp_ipv6_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (smtpd_additional_listen_ports) - name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (drop_mndp)
blockinfile: blockinfile:
path: /etc/ipt-firewall/main_ipv6.conf path: /etc/ipt-firewall/main_ipv6.conf
insertafter: '^#?\s*forward_smtpd_ips' insertafter: '^#?\s*drop_icmp'
block: | block: |
# Additional Ports on which SMTP Service should lsiten
#
# blank separated list of ports
#
smtpd_additional_listen_ports=""
# Additional Ports for outgoing smtp traffic # -------------
# --- Drop Mikrotik RouterOS Neighbor Discovery Protocol (MNDP) Traffic
# --- Drop Tinc VPN Traffic
# -------------
# Tinc VPN Traffic / Mikrotik RouterOS Neighbor Discovery Protocol (MNDP) Traffic
# #
# blank separated list of ports # Der UDP-Port 5678 wird üblicherweise von Tinc VPN verwendet. Tinc ist ein
# Open-Source-VPN-Softwarepaket, das für die Erstellung von Virtual Private
# Networks (VPNs) eingesetzt wird, bei denen Netzwerke über das Internet oder
# andere unsichere Netzwerke miteinander verbunden werden. Es nutzt diesen
# Port, um Verbindungen zwischen den Knoten (Nodes) des VPNs zu ermöglichen.
# #
smtpd_additional_outgoung_ports="" # Der UDP-Port 5678 wird auch von MikroTik RouterOS Neighbor Discovery Protocol
marker: "# Marker set by modify-ipt-server.yml (smtpd_additional_listen_ports)" # (NDP) verwendet. Dieses Protokoll wird von MikroTik-Routern eingesetzt, um
# benachbarte Geräte im Netzwerk zu entdecken und automatisch zu erkennen. Es
# hilft dabei, die Kommunikation zwischen MikroTik-Geräten zu erleichtern, ohne
# dass eine manuelle IP-Konfiguration erforderlich ist.
#
# MikroTik Neighbor Discovery über UDP-Port 5678 ist speziell darauf ausgelegt,
# Router und Geräte im selben lokalen Netzwerk (LAN) zu identifizieren und
# Informationen über benachbarte MikroTik-Geräte auszutauschen. Dies ist besonders
# nützlich für die Verwaltung und Konfiguration von MikroTik-Geräten im Netzwerk.
#
# Zusammengefasst:
# Der UDP-Port 5678 wird sowohl für MikroTik RouterOS Neighbor Discovery als auch
# für Tinc VPN verwendet, je nachdem, welche Technologie zum Einsatz kommt.
#
drop_mndp=true
# -------------
# --- Drop Multicast DNS Traffic
# -------------
# Multicast Domain Name System (mDNS) protocol
#
# UDP Port 5353/
#
# Der UDP-Port 5353 wird hauptsächlich für Multicast DNS (mDNS) verwendet.
# mDNS ist ein Protokoll, das es Geräten ermöglicht, sich im lokalen Netzwerk
# selbst zu identifizieren und ohne zentrale DNS-Server Namen zu registrieren
# und aufzulösen. Dies wird häufig in lokalen Netzwerken eingesetzt, z.B. bei
# Geräten, die mit Apple's Bonjour oder Avahi (einer Open-Source-Implementierung
# von mDNS) kommunizieren.
#
# UDP port 5353 is mainly used for multicast DNS (mDNS). mDNS is a protocol that
# allows devices to identify themselves on the local network and register and
# resolve names without central DNS servers. This is often used in local
# networks, e.g. for devices that communicate using Apple's Bonjour or Avahi
# (an open-source implementation of mDNS).
#
drop_mdns=true
marker: "# Marker set by modify-ipt-server.yml (drop_mndp)"
when: when:
- main_ipv6_exists.stat.exists - main_ipv6_exists.stat.exists
- smtpd_additional_listen_ports_ipv6_present is changed - drop_mndp_ipv6_present is changed
notify: notify:
- Restart IPv6 Firewall - Restart IPv6 Firewall

4
templates/apt-migrate-to-trixie/99-backports.j2 Normal file
View File

@@ -0,0 +1,4 @@
# Backports nicht automatisch bevorzugen
Package: *
Pin: release n={{ target_release }}-backports
Pin-Priority: {{ backports_pin_priority }}

8
templates/apt-migrate-to-trixie/backports.sources.j2 Normal file
View File

@@ -0,0 +1,8 @@
# Verwaltet via Ansible - Backports für {{ target_release }}
Types: deb deb-src
URIs: {{ debian_mirror }}
Suites: {{ target_release }}-backports
Components: {{ components }}
{% if use_signed_by %}
Signed-By: {{ signed_by_keyring }}
{% endif %}

15
templates/apt-migrate-to-trixie/debian.sources.j2 Normal file
View File

@@ -0,0 +1,15 @@
# Verwaltet via Ansible - Debian Basis & Updates für {{ target_release }}
Types: deb deb-src
URIs: {{ debian_mirror }}
Suites: {{ target_release }} {{ target_release }}-updates
Components: {{ components }}
Signed-By: default
EOF
# Verwaltet via Ansible - Debian Basis & Updates für {{ target_release }}
Types: deb deb-src
URIs: {{ debian_mirror }}
Suites: {{ target_release }} {{ target_release }}-updates
Components: {{ components }}
{% if use_signed_by %}
Signed-By: {{ signed_by_keyring }}
{% endif %}

8
templates/apt-migrate-to-trixie/security.sources.j2 Normal file
View File

@@ -0,0 +1,8 @@
# Verwaltet via Ansible - Security für {{ target_release }}
Types: deb deb-src
URIs: {{ security_mirror }}
Suites: {{ target_release }}-security
Components: {{ components }}
{% if use_signed_by %}
Signed-By: {{ signed_by_keyring }}
{% endif %}