ansible/oopen-server
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: ansible:a41467f6d416bf6223d6b13bc820ffb686a7a130
Branches Tags
ansible:master
..
compare: ansible:master
Branches Tags
ansible:master

22 Commits
a41467f6d4 ... master

Author SHA1 Message Date
Christoph
8064f4a2fe Add extrepo tasks for managing external repositories in Debian 2026-03-30 10:37:45 +02:00
Christoph
9ef1c94855 Add devcontainer configuration for Ansible development environment 2026-03-27 15:25:47 +01:00
Christoph
28d6cfe5da Add VSCode settings for Python and Ansible environment configuration 2026-03-27 15:25:34 +01:00
Christoph
c94baae7ff Clean up whitespace and formatting in main.yml for improved readability 2026-03-27 15:12:08 +01:00
Christoph
b201a21105 Refactor apache2.yml for consistency and clarity in task definitions 2026-03-27 14:56:14 +01:00
Christoph
a7ae583c20 Add VSCode settings for Python environment configuration 2026-03-27 12:21:47 +01:00
Christoph
5d6f0cca16 Add host variables configuration for cl-nd.oopen.de 2026-03-27 12:02:29 +01:00
Christoph
4016b33d63 Add cron job configurations for system maintenance and monitoring 2026-03-27 12:02:14 +01:00
Christoph
71f429d8aa Fix check for host-specific git vars file before including 2026-03-27 11:59:40 +01:00
Christoph
816c64783e Add iuser vmalte 2026-03-25 20:41:54 +01:00
Christoph
d7283cad63 update.. 2026-03-23 21:45:20 +01:00
Christoph
90786f2faf update.. 2026-03-20 00:04:46 +01:00
Christoph
3e39731465 Update.. 2026-03-15 15:42:06 +01:00
Christoph
3a7ad06202 Update host configurations 2026-03-10 11:32:56 +01:00
Christoph
055290e555 Update: Replace deprecated ansible_os_family with ansible_facts.os_family 
- x2go-server.yml: Updated condition to use ansible_facts.os_family
- upgrade.yml: Updated all conditions and commented lines
- caching-nameserver.yml: Updated RedHat OS family checks

Fixes deprecation warning in Ansible 2.12+
 2026-03-10 11:09:25 +01:00
Christoph
94d7f4e1fb update.. 2026-03-01 16:20:09 +01:00
Christoph
72d4fae731 update.. 2026-03-01 15:23:24 +01:00
Christoph
084a483cf2 update.. 2026-02-22 00:23:30 +01:00
Christoph
7238579d9c update.. 2026-02-14 14:29:00 +01:00
Christoph
f9652dbbf9 update.. 2026-02-10 11:54:07 +01:00
Christoph
b6097221e7 update-- 2026-02-09 14:23:32 +01:00
Christoph
8fe4047694 update.. 2026-02-04 23:25:58 +01:00
103 changed files with 4161 additions and 7025 deletions
Expand all files Collapse all files

0
.codex Normal file
View File

16
.devcontainer/devcontainer.json Normal file
View File

@@ -0,0 +1,16 @@
{
"name": "Ansible Development",
"image": "mcr.microsoft.com/devcontainers/python:3.12",
"features": {
"ghcr.io/devcontainers/features/ansible:1": {}
},
"customizations": {
"vscode": {
"extensions": [
"redhat.ansible",
"ms-python.python"
]
}
},
"postCreateCommand": "pip install ansible-lint"
}

18
.vscode/settings.json vendored Normal file
View File

@@ -0,0 +1,18 @@
{
"python-envs.pythonProjects": [
{
"path": ".",
"envManager": "ms-python.python:venv",
"packageManager": "ms-python.python:pip"
}
],
"python.defaultInterpreterPath": "${workspaceFolder}/.venv/bin/python",
"python.pythonPath": "${workspaceFolder}/.venv/bin/python", // legacy fallback for older Python extension versions
// Keep these Ansible executable paths absolute: parts of the extension use them verbatim.
"ansible.ansiblePath": "/home/chris/devel/git/git.oopen.de/ansible/oopen-server/.venv/bin/ansible", // legacy fallback for older Ansible extension versions
"ansible.ansibleLintPath": "/home/chris/devel/git/git.oopen.de/ansible/oopen-server/.venv/bin/ansible-lint", // legacy fallback for older Ansible extension versions
"ansible.ansible.path": "/home/chris/devel/git/git.oopen.de/ansible/oopen-server/.venv/bin/ansible",
"ansible.python.interpreterPath": "${workspaceFolder}/.venv/bin/python3",
"ansible.validation.lint.path": "/home/chris/devel/git/git.oopen.de/ansible/oopen-server/.venv/bin/ansible-lint",
"ansible.ansibleNavigator.path": "/home/chris/devel/git/git.oopen.de/ansible/oopen-server/.venv/bin/ansible-navigator"
}

18
.vscode/settings.json.bak.20260327-152321 vendored Normal file
View File

@@ -0,0 +1,18 @@
{
"python-envs.pythonProjects": [
{
"path": ".",
"envManager": "ms-python.python:venv",
"packageManager": "ms-python.python:pip"
}
],
"python.defaultInterpreterPath": "${workspaceFolder}/.venv/bin/python",
"python.pythonPath": "${workspaceFolder}/.venv/bin/python", // legacy fallback for older Python extension versions
// Keep these Ansible executable paths absolute: parts of the extension use them verbatim.
"ansible.ansiblePath": "/home/chris/devel/git/git.oopen.de/ansible/oopen-server/.venv/bin/ansible", // legacy fallback for older Ansible extension versions
"ansible.ansibleLintPath": "/home/chris/devel/git/git.oopen.de/ansible/oopen-server/.venv/bin/ansible-lint", // legacy fallback for older Ansible extension versions
"ansible.ansible.path": "/home/chris/devel/git/git.oopen.de/ansible/oopen-server/.venv/bin/ansible",
"ansible.python.interpreterPath": "${workspaceFolder}/.venv/bin/python3",
"ansible.validation.lint.path": "/home/chris/devel/git/git.oopen.de/ansible/oopen-server/.venv/bin/ansible-lint",
"ansible.ansibleNavigator.path": "/home/chris/devel/git/git.oopen.de/ansible/oopen-server/.venv/bin/ansible-navigator"
}

26
decrypt-interactiv.sh Executable file
View File

@@ -0,0 +1,26 @@
#!/usr/bin/env bash
# Prüfen, ob ein Dateiname als Argument übergeben wurde
if [ -z "$1" ]; then
echo "Usage: $0 <filename>"
exit 1
fi
DATEI="$1"
# Prüfen, ob ansible-vault existiert und ausführbar ist
if ! command -v ansible-vault >/dev/null 2>&1; then
echo "Fehler: 'ansible-vault' ist nicht installiert oder nicht im PATH."
exit 2
fi
# Prüfen, ob die angegebene Datei existiert
if [ ! -f "$DATEI" ]; then
echo "Fehler: Datei '$DATEI' existiert nicht."
exit 3
fi
# Befehl ausführen
ansible-vault decrypt --ask-vault-pass "$DATEI"
exit 0

169
decrypt-vault-strings-from-file.sh
View File

@@ -1,54 +1,181 @@
#!/usr/bin/env bash
#
# decrypt-vault-strings-from-file.sh
#
# Zweck:
# - Entschlüsselt entweder:
# (A) eine komplett mit ansible-vault verschlüsselte Datei (ANSIBLE_VAULT Header)
# (B) einzelne YAML "!vault |" Blöcke in einer Datei (z.B. group_vars/host_vars)
# (C) einen einzelnen verschlüsselten String (Argument, Pipe oder interaktiv)
#
# Erwartet eine Vault-Passwortdatei unter: ~/.vault-pass
#
set -euo pipefail
########################################
# Hilfe anzeigen
########################################
show_help() {
cat <<EOF
Usage:
$(basename "$0") [OPTION] [INPUT]
Decrypt modes:
1) Full vault-encrypted file (ANSIBLE_VAULT header):
$(basename "$0") secrets.vault
2) YAML file containing one or multiple "!vault |" blocks:
$(basename "$0") group_vars/all.yml
3) Encrypted vault string:
$(basename "$0") 'secret: !vault | \$ANSIBLE_VAULT;1.1;AES256 ...'
echo 'secret: !vault | ...' | $(basename "$0")
4) Interactive mode (paste, then Ctrl-D):
$(basename "$0")
Options:
-h, --help Show this help and exit
Notes:
- This script prints decrypted values to stdout.
EOF
}
########################################
# Hauptfunktion
########################################
vdecr() {
unset IFS
if [[ -n "$1" ]]; then
# --- Help Flag innerhalb der Funktion (falls rekursiv aufgerufen) ---
if [[ "${1:-}" == "-h" || "${1:-}" == "--help" ]]; then
show_help
return 0
fi
# Prüfen ob ansible-vault existiert
if ! command -v ansible-vault >/dev/null 2>&1; then
echo "Error: ansible-vault not found in PATH." >&2
return 1
fi
########################################
# Wenn ein Argument übergeben wurde
########################################
if [[ -n "${1:-}" ]]; then
# --- Fall 1: Argument ist eine Datei ---
if [[ -f "$1" ]]; then
if [[ $(head -n1 "$1") == "\$ANSIBLE_VAULT;1.1;AES256" ]]; then
cat "$1" | ansible-vault decrypt --vault-password-file ~/.vault-pass 2> /dev/null
# Wenn Datei eine "komplett verschlüsselte" Vault-Datei ist
# (Header ist die erste Zeile)
if [[ "$(head -n1 "$1")" == "\$ANSIBLE_VAULT;1.1;AES256" ]]; then
# Vollständige Datei entschlüsseln und ausgeben
ansible-vault decrypt "$1" 2>/dev/null
return 0
fi
# --- Fall 2: Datei enthält einzelne "!vault" Blöcke (z.B. YAML) ---
printf 'Reading vault values from file...\n\n'
# parsing = 0 -> wir sind nicht im Vault-Block
# parsing = 1 -> wir sammeln gerade Vault-Block-Zeilen
local parsing=0
local result=""
local name=""
local blue=$(tput setaf 4)
local discard=$(tput sgr0)
for line in $(cat $1); do
if [[ $(echo "$line" | grep -c "\!vault") -gt 0 ]] && [[ $parsing -eq 0 ]]; then
# Farbausgabe (blau) für den jeweiligen Key/Name
local blue
local discard
blue="$(tput setaf 4 || true)"
discard="$(tput sgr0 || true)"
# Originalscript hat "for line in \$(cat file)" verwendet,
# was nach Whitespace tokenisiert. Um das Verhalten kontrollierter
# beizubehalten, tokenisieren wir hier ebenfalls nach Whitespace:
#
# - Das hilft, wenn Vault-Blöcke eingerückt sind oder YAML Zeichen enthält,
# weil später ohnehin per sed weiter "normalisiert" wird.
#
# WICHTIG: Das ist nicht "echtes" YAML-Parsing, sondern best-effort.
while IFS= read -r token; do
# Start eines vault blocks erkennen (Token enthält "!vault")
if [[ "$(echo "$token" | grep -c "\!vault")" -gt 0 ]] && [[ $parsing -eq 0 ]]; then
parsing=1
elif [[ $parsing -eq 1 ]] && [[ $( echo $line | grep -c ":") -eq 0 ]]; then
result=$(printf "${result}\n${line}")
# Im Vault-Block: Token ohne ":" werden gesammelt (Ciphertext-Zeilen)
elif [[ $parsing -eq 1 ]] && [[ "$(echo "$token" | grep -c ":")" -eq 0 ]]; then
result="$(printf "%s\n%s" "$result" "$token")"
# Sonst: Blockende / neuer Bereich
else
if [[ $result != "" ]]; then
printf "\n\n${blue}$name${discard}\n"
printf "$result" | vdecr
# Wenn wir einen gesammelten Block haben -> ausgeben und decrypten
if [[ -n "$result" ]]; then
printf "\n\n%s%s%s\n" "$blue" "$name" "$discard"
# Rekursiver Aufruf: der gesammelte Block wird wie "Stringinput"
# behandelt und im unteren Abschnitt entschlüsselt
printf "%s" "$result" | vdecr
name=""
result=""
parsing=0
fi
fi
if [[ $( echo "$line" | grep -c ":") -eq 1 ]]; then
name="$line"
# Token mit ":" als "Name" merken (typischerweise YAML key:)
if [[ "$(echo "$token" | grep -c ":")" -eq 1 ]]; then
name="$token"
fi
done
# Tokenisierung nach Whitespace (ähnlich dem Original)
done < <(tr -s '[:space:]' '\n' < "$1")
return 0
fi
# --- Fall 3: Argument ist ein String ---
local str="$1"
# --- Fall 4: String kommt per Pipe (stdin ist kein TTY) ---
elif [[ ! -t 0 ]]; then
local str=$(cat)
local str
str="$(cat)"
# --- Fall 5: Interaktiv ---
else
printf 'Interactive mode. Paste encrypted string and press Ctrl-D two times to confirm.\n'
local str=$(cat)
local str
str="$(cat)"
printf '\n'
fi
printf -- "$str" | sed 's/ /\n/g' | \
sed '/---\|^.*:\|\!vault\||\|^$/d' | \
ansible-vault decrypt --vault-password-file ~/.vault-pass 2> /dev/null
########################################
# String entschlüsseln
#
# Das Script erwartet, dass der Input evtl. als YAML-Fragment kommt,
# und "normalisiert" ihn so, dass ansible-vault decrypt damit klarkommt:
#
# - ersetzt Spaces durch Newlines
# - entfernt YAML-Deko wie "---", "key:", "!vault", "|", leere Zeilen
# - piped den Rest in "ansible-vault decrypt"
########################################
printf -- "%s" "$str" | \
sed 's/ /\n/g' | \
sed '/---\|^.*:\|\!vault\||\|^$/d' | \
ansible-vault decrypt 2>/dev/null
printf '\n'
}
vdecr $1
########################################
# Main
########################################
if [[ "${1:-}" == "-h" || "${1:-}" == "--help" ]]; then
show_help
exit 0
fi
vdecr "${1:-}"

55
decrypt-vault-strings-from-file.sh.00 Executable file
View File

@@ -0,0 +1,55 @@
#!/usr/bin/env bash
vdecr() {
unset IFS
if [[ -n "$1" ]]; then
if [[ -f "$1" ]]; then
if [[ $(head -n1 "$1") == "\$ANSIBLE_VAULT;1.1;AES256" ]]; then
cat "$1" | ansible-vault decrypt 2> /dev/null
return 0
fi
printf 'Reading vault values from file...\n\n'
local parsing=0
local result=""
local name=""
local blue=$(tput setaf 4)
local discard=$(tput sgr0)
for line in $(cat $1); do
if [[ $(echo "$line" | grep -c "\!vault") -gt 0 ]] && [[ $parsing -eq 0 ]]; then
parsing=1
elif [[ $parsing -eq 1 ]] && [[ $( echo $line | grep -c ":") -eq 0 ]]; then
result=$(printf "${result}\n${line}")
else
if [[ $result != "" ]]; then
printf "\n\n${blue}$name${discard}\n"
printf "$result" | vdecr
name=""
result=""
parsing=0
fi
fi
if [[ $( echo "$line" | grep -c ":") -eq 1 ]]; then
name="$line"
fi
done
return 0
fi
local str="$1"
elif [[ ! -t 0 ]]; then
local str=$(cat)
else
printf 'Interactive mode. Paste encrypted string and press Ctrl-D two times to confirm.\n'
local str=$(cat)
printf '\n'
fi
printf -- "$str" | sed 's/ /\n/g' | \
sed '/---\|^.*:\|\!vault\||\|^$/d' | \
#ansible-vault decrypt --vault-password-file ~/.vault-pass 2> /dev/null
ansible-vault decrypt 2> /dev/null
printf '\n'
}
vdecr $1

26
encrypt-interactiv.sh Executable file
View File

@@ -0,0 +1,26 @@
#!/usr/bin/env bash
# Prüfen, ob ein Dateiname als Argument übergeben wurde
if [ -z "$1" ]; then
echo "Usage: $0 <filename>"
exit 1
fi
DATEI="$1"
# Prüfen, ob ansible-vault existiert und ausführbar ist
if ! command -v ansible-vault >/dev/null 2>&1; then
echo "Fehler: 'ansible-vault' ist nicht installiert oder nicht im PATH."
exit 2
fi
# Prüfen, ob die angegebene Datei existiert
if [ ! -f "$DATEI" ]; then
echo "Fehler: Datei '$DATEI' existiert nicht."
exit 3
fi
# Befehl ausführen
ansible-vault encrypt --ask-vault-pass "$DATEI"
exit 0

7
encrypt-vault-string.sh Executable file
View File

@@ -0,0 +1,7 @@
#!/usr/bin/env bash
set -euo pipefail
read -r -s -p "String zum Verschlüsseln: " PLAINTEXT
echo
printf '%s' "$PLAINTEXT" | ansible-vault encrypt_string --stdin-name 'secret'

192
encrypt-vault-strings-from-file.sh Executable file
View File

@@ -0,0 +1,192 @@
#!/usr/bin/env bash
#
# encrypt-vault-strings-to-file.sh
#
# Gegenstück zu deinem Decrypt-Script.
#
# Funktionen:
# 1. Komplettes File mit ansible-vault encrypt verschlüsseln
# 2. YAML-Datei mit key: value Zeilen in key: !vault | Blöcke umwandeln
# 3. Einzelnen String verschlüsseln (Argument, Pipe oder interaktiv)
#
# Vault-Passwortdatei: ~/.vault-pass
#
set -euo pipefail
########################################
# Hilfe anzeigen
########################################
show_help() {
cat <<EOF
Usage:
$(basename "$0") [OPTION] [INPUT]
Modes:
1) File encrypt (in-place):
$(basename "$0") secrets.txt
2) YAML file (key: value → !vault block):
$(basename "$0") vars.yml
$(basename "$0") -o output.yml vars.yml
3) String encrypt:
$(basename "$0") 'mySecret'
echo 'mySecret' | $(basename "$0")
$(basename "$0") (interactive mode)
Options:
-o FILE Write YAML output to FILE instead of stdout
-h, --help Show this help and exit
Notes:
- Simple "key: value" YAML lines will be converted.
- Already encrypted (!vault) entries are preserved.
- Full vault-encrypted files (ANSIBLE_VAULT header) are detected.
EOF
}
########################################
# Hauptfunktion
########################################
vencr() {
unset IFS
# --- Help Flag ---
if [[ "${1:-}" == "-h" || "${1:-}" == "--help" ]]; then
show_help
exit 0
fi
########################################
# Optionales Output-File (-o)
########################################
local out_file=""
if [[ "${1:-}" == "-o" && -n "${2:-}" ]]; then
out_file="$2"
shift 2
fi
########################################
# --- 1) File als Argument ---
########################################
if [[ -n "${1:-}" && -f "$1" ]]; then
local f="$1"
# Fall A: Datei ist bereits vollständig vault-verschlüsselt
if [[ "$(head -n1 "$f")" == "\$ANSIBLE_VAULT;1.1;AES256"* ]]; then
echo "File already encrypted (ANSIBLE_VAULT header found): $f" >&2
return 0
fi
# Fall B: YAML mit key: value Zeilen
if grep -Eq '^[[:space:]]*[A-Za-z0-9_.-]+:[[:space:]]*[^#].*$' "$f"; then
local tmpout
tmpout="$(mktemp)"
# Datei zeilenweise lesen
while IFS= read -r line || [[ -n "$line" ]]; do
# Leere Zeilen oder Kommentare unverändert übernehmen
if [[ -z "$line" || "$line" =~ ^[[:space:]]*# ]]; then
printf '%s\n' "$line" >> "$tmpout"
continue
fi
# Bereits verschlüsselte !vault Einträge nicht verändern
if echo "$line" | grep -q '\!vault'; then
printf '%s\n' "$line" >> "$tmpout"
continue
fi
# Einfache key: value Zeilen erkennen
if [[ "$line" =~ ^([[:space:]]*)([A-Za-z0-9_.-]+):[[:space:]]*(.+)$ ]]; then
local indent="${BASH_REMATCH[1]}"
local key="${BASH_REMATCH[2]}"
local value="${BASH_REMATCH[3]}"
# YAML-Blockindikatoren nicht verändern
if [[ "$value" == "|" || "$value" == ">" || "$value" == "" ]]; then
printf '%s\n' "$line" >> "$tmpout"
continue
fi
# Leichte Bereinigung von Quotes
value="${value%\"}"; value="${value#\"}"
value="${value%\'}"; value="${value#\'}"
# Verschlüsselung via ansible-vault encrypt_string
while IFS= read -r enc_line; do
printf '%s%s\n' "$indent" "$enc_line" >> "$tmpout"
done < <(
printf '%s' "$value" |
ansible-vault encrypt_string \
--stdin-name "$key"
)
else
# Nicht passende Zeilen unverändert übernehmen
printf '%s\n' "$line" >> "$tmpout"
fi
done < "$f"
# Output schreiben
if [[ -n "$out_file" ]]; then
mv "$tmpout" "$out_file"
echo "Encrypted YAML written to: $out_file" >&2
else
cat "$tmpout"
rm -f "$tmpout"
fi
return 0
fi
# Fall C: Normale Datei → komplett verschlüsseln (in-place)
ansible-vault encrypt "$f"
echo "Encrypted file in-place: $f" >&2
return 0
fi
########################################
# --- 2) String-Verschlüsselung ---
########################################
local str=""
local name="secret"
# String als Argument
if [[ -n "${1:-}" ]]; then
str="$1"
# String via Pipe
elif [[ ! -t 0 ]]; then
str="$(cat)"
# Interaktiver Modus
else
echo "Interactive mode."
read -r -p "Variable name (default: secret): " name_in
if [[ -n "$name_in" ]]; then
name="$name_in"
fi
echo "Paste plaintext and press Ctrl-D to confirm:"
str="$(cat)"
echo
fi
# Ausgabe als YAML-kompatibler !vault Block
echo "Hallo"
printf '%s' "$str" | ansible-vault encrypt_string --stdin-name "$name"
}
########################################
# Script starten
########################################
vencr "$@"

4
group_vars/all/main.yml
View File

@@ -2238,7 +2238,7 @@ resolved_nameserver:
resolved_domains:
- oopen.de
resolved_dnssec: true
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
@@ -2348,7 +2348,7 @@ default_user:
- name: localadmin
user_id: 1051
group_id: 1051
group: sysadm
group: localadmin
password: $y$j9T$1WH8G2UkuN1jjp4QLuoeC0$dXpOnJUfMMAqAXlwN8XD0pq78r.a4UZOgt3LY4afxy/
shell: /bin/bash
ssh_keys:

4
host_vars/a.mx.oopen.de.yml
View File

@@ -159,10 +159,6 @@ copy_plain_files:
src_path: a.mx/root/bin/monitoring/conf/check_cert_for_dovecot.conf
dest_path: /root/bin/monitoring/conf/check_cert_for_dovecot.conf
- name: monitoring_check_webservice_load.conf
src_path: a.mx/root/bin/monitoring/conf/check_webservice_load.conf
dest_path: /root/bin/monitoring/conf/check_webservice_load.conf
# /root/bin/postfix
#
- name: postfix_create_opendkim_key.conf

7
host_vars/b.mx.oopen.de.yml
View File

@@ -151,13 +151,6 @@ root_ssh_keypair:
copy_plain_files:
# /root/bin/monitoring
#
- name: monitoring_check_webservice_load.conf
src_path: b.mx/root/bin/monitoring/conf/check_webservice_load.conf
dest_path: /root/bin/monitoring/conf/check_webservice_load.conf
# /root/bin/postfix
#
- name: postfix_create_opendkim_key.conf

2
host_vars/backup.oopen.de.yml
View File

@@ -271,6 +271,7 @@ default_user:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGRaUsGqBvZBDzyh1kuldC/jdbtuoXFgBZ7PbgSqytSn root@cl-fm'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEvmOpsiL+eiJ3qZVDJiUCFVZge0OQJ1hpZgw7pJ8sq5 root@cl-irights'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIjr0aBl2KQTJnlVK03DOs0u+IXSon4VewwAzzSBsmVW root@cl-lubax'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMhwPCxVHqABXzyXwVuqbH703RCU0N+SC/cx4TuoHhGU root@cl-nd'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL7h6rR+q5bRh/qgzA7ZyiZcRr9vMbo7cxhQsoukWmUn root@cl-vbrg'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcHQfSVG8DM1qHp2ce73ZBWXknZGZFur5s27V58T7ON root@cl-opp'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIClnyNS5RQsbXmgOX7NU7i154DElOlha3y0ybF6FwScT root@cl-test'
@@ -331,6 +332,7 @@ default_user:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB4J/cF/pB9cWyWEKmyTkVEDocPHH3ZMNHdoiqcOmsfp root@o41'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDW54VI+M5SjV6dQLew/IA31RI1GOneIqg5dI1/VZQgJ root@o42'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII2b60T/OXKCoze083GsHXuMFtm8Zo3WnCFb9Q9ofGie root@o43'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPytU2q7RmehrJyRnXRIZp7qcoswSANsClJP8v3zv6D7 root@o44'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMUnxlKIffm8a5BmoQE40h8ut0R6eCxcm+Iewv3evmE9 root@oolm-shop'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF4ylglAkPst7G6kES2lE96ECp0AGXGjzCVkZSqGVru6 root@oolm-shop-dev'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIUZ0WNd3rTqHH1tiXAELwssGw6xUP1ROdhgxKbMinYY root@oolm-web'

4
host_vars/c.mx.oopen.de.yml
View File

@@ -164,10 +164,6 @@ copy_plain_files:
src_path: c.mx/root/bin/monitoring/conf/check_cert_for_dovecot.conf
dest_path: /root/bin/monitoring/conf/check_cert_for_dovecot.conf
- name: monitoring_check_webservice_load.conf
src_path: c.mx/root/bin/monitoring/conf/check_webservice_load.conf
dest_path: /root/bin/monitoring/conf/check_webservice_load.conf
# /root/bin/postfix
#
- name: postfix_create_opendkim_key.conf

84
host_vars/cl-fm.oopen.de.yml
View File

@@ -99,6 +99,90 @@ resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_env_entries:
- name: PATH
job: /root/bin/admin-stuff:/root/bin:/usr/local/apache2/bin:/usr/local/php/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
- name: SHELL
job: /bin/bash
insertafter: PATH
cron_user_special_time_entries:
- name: "Restart DNS Cache service 'systemd-resolved'"
special_time: reboot
job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
insertafter: PATH
cron_user_entries:
- name: "Check if webservices sre running. Restart if necessary"
minute: '*/5'
hour: '*'
job: /root/bin/monitoring/check_webservice_load.sh
- name: "Check if SSH service is running. Restart service if needed."
minute: '*/5'
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if Postfix Mailservice is up and running?"
minute: '*/15'
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
- name: "Check Postfix E-Mail LOG file for 'fatal' errors.."
minute: '*/5'
hour: '*'
job: /root/bin/postfix/check-postfix-fatal-errors.sh
- name: "Optimize mysql tables"
minute: '53'
hour: '04'
job: /root/bin/mysql/optimize_mysql_tables.sh
- name: "Flush query cache for mysql tables"
minute: '27'
hour: '04'
job: /root/bin/mysql/flush_query_cache.sh
- name: "Flush Host cache"
minute: '17'
hour: '05'
job: /root/bin/mysql/flush_host_cache.sh
- name: "Run occ file:scan for each cloud account"
minute: '02'
hour: '22'
job: /root/bin/nextcloud/occ_maintenance.sh -s cloud.faire-mobilitaet.de
- name: "Background job for nextcloud instance 'cloud-irights.oopen.de"
minute: '*/15'
hour: '*'
job: sudo -u "www-data" /usr/local/php/bin/php -f /var/www/cloud.faire-mobilitaet.de/htdocs/cron.php
- name: "Check if certificates for coolwsd service are up to date"
minute: '17'
hour: '05'
job: /root/bin/nextcloud/check_cert_coolwsd.sh
- name: "Generate/Renew Let's Encrypt Certificates if needed (using dehydrated script)"
minute: '23'
hour: '05'
job: /var/lib/dehydrated/cron/dehydrated_cron.sh
- name: "Check whether all certificates are included in the VHOST configurations"
minute: '33'
hour: '05'
job: /var/lib/dehydrated/tools/update_ssl_directives.sh
# ---
# vars used by roles/common/tasks/users.yml
# ---

235
host_vars/cl-nd.oopen.de.yml Normal file
View File

@@ -0,0 +1,235 @@
---
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
sshd_permit_root_login: !!str "prohibit-password"
# ---
# vars used by apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 185.12.64.2
- 185.12.64.1
- 2a01:4ff:ff00::add:2
- 2a01:4ff:ff00::add:1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- oopen.de
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_env_entries:
- name: PATH
job: /root/bin/admin-stuff:/root/bin:/usr/local/apache2/bin:/usr/local/php/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
- name: SHELL
job: /bin/bash
insertafter: PATH
cron_user_special_time_entries:
- name: "Restart DNS Cache service 'systemd-resolved'"
special_time: reboot
job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
insertafter: PATH
cron_user_entries:
- name: "Check if webservices sre running. Restart if necessary"
minute: '*/5'
hour: '*'
job: /root/bin/monitoring/check_webservice_load.sh
- name: "Check if SSH service is running. Restart service if needed."
minute: '*/5'
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if Postfix Mailservice is up and running?"
minute: '*/15'
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
- name: "Check Postfix E-Mail LOG file for 'fatal' errors.."
minute: '*/5'
hour: '*'
job: /root/bin/postfix/check-postfix-fatal-errors.sh
- name: "Optimize mysql tables"
minute: '53'
hour: '04'
job: /root/bin/mysql/optimize_mysql_tables.sh
- name: "Flush query cache for mysql tables"
minute: '27'
hour: '04'
job: /root/bin/mysql/flush_query_cache.sh
- name: "Flush Host cache"
minute: '17'
hour: '05'
job: /root/bin/mysql/flush_host_cache.sh
- name: "Run occ file:scan for each cloud account"
minute: '02'
hour: '23'
job: /root/bin/nextcloud/occ_maintenance.sh -s cloud.nd.digital
- name: "Background job for nextcloud instance 'cloud-irights.oopen.de"
minute: '*/15'
hour: '*'
job: sudo -u "www-data" /usr/local/php/bin/php -f /var/www/cloud.nd.digital/htdocs/cron.php
- name: "Check if certificates for coolwsd service are up to date"
minute: '17'
hour: '05'
job: /root/bin/nextcloud/check_cert_coolwsd.sh
- name: "Generate/Renew Let's Encrypt Certificates if needed (using dehydrated script)"
minute: '23'
hour: '05'
job: /var/lib/dehydrated/cron/dehydrated_cron.sh
- name: "Check whether all certificates are included in the VHOST configurations"
minute: '33'
hour: '05'
job: /var/lib/dehydrated/tools/update_ssl_directives.sh
# ---
# vars used by roles/common/tasks/users.yml
# ---
sudo_users:
- chris
- sysadm
- localadmin
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
sudoers_file_user_privileges:
- name: back
entry: 'ALL=(www-data) NOPASSWD: /usr/local/php/bin/php'
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
#
# see: roles/common/tasks/vars
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---

4
host_vars/d.mx.oopen.de.yml
View File

@@ -153,10 +153,6 @@ root_ssh_keypair:
copy_plain_files:
- name: monitoring_check_webservice_load.conf
src_path: d.mx/root/bin/monitoring/conf/check_webservice_load.conf
dest_path: /root/bin/monitoring/conf/check_webservice_load.conf
- name: postfix_create_opendkim_key.conf
src_path: d.mx/root/bin/postfix/conf/create_opendkim_key.conf
dest_path: /root/bin/postfix/conf/create_opendkim_key.conf

4
host_vars/e.mx.oopen.de.yml
View File

@@ -157,10 +157,6 @@ copy_plain_files:
src_path: e.mx/root/bin/monitoring/conf/check_cert_for_dovecot.conf
dest_path: /root/bin/monitoring/conf/check_cert_for_dovecot.conf
- name: monitoring_check_webservice_load.conf
src_path: e.mx/root/bin/monitoring/conf/check_webservice_load.conf
dest_path: /root/bin/monitoring/conf/check_webservice_load.conf
- name: postfix_create_opendkim_key.conf
src_path: e.mx/root/bin/postfix/conf/create_opendkim_key.conf
dest_path: /root/bin/postfix/conf/create_opendkim_key.conf

652
host_vars/file-ah-neu.kanzlei-kiel.netz.yml
View File

@@ -1,652 +0,0 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
network_manage_devices: True
# Should the interfaces be reloaded after config change?
network_interface_reload: False
network_interface_path: /etc/network/interfaces.d
network_interface_required_packages:
- vlan
- bridge-utils
- ifmetric
- ifupdown
- ifenslave
network_interfaces:
- device: br0
# use only once per device (for the first device entry)
headline: br0 - bridge over device eno1np0
# auto & allow are only used for the first device entry
allow: [] # array of allow-[stanzas] eg. allow-hotplug
auto: true
family: inet
method: static
hwaddress: 7c:c2:55:c0:26:74
description:
address: 192.168.100.20
netmask: 24
gateway: 192.168.100.254
# optional dns settings nameservers: []
#
# nameservers:
# - 194.150.168.168 # dns.as250.net
# - 91.239.100.100 # anycast.censurfridns.dk
# search: warenform.de
#
#nameservers:
# - 192.168.100.1
#search: kanzlei-kiel.netz
# optional bridge parameters bridge: {}
# bridge:
# ports:
# stp:
# fd:
# maxwait:
# waitport:
bridge:
ports: eno1np0 # for mor devices support a blank separated list
stp: !!str off
fd: 5
hello: 2
maxage: 12
# inline hook scripts
pre-up:
- !!str "ip link set dev eno1np0 up" # pre-up script lines
up: [] #up script lines
post-up: [] # post-up script lines (alias for up)
pre-down: [] # pre-down script lines (alias for down)
down: [] # down script lines
post-down: [] # post-down script lines
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 192.168.100.1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- kanzlei-kiel.netz
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/users
# ---
default_user:
- name: chris
password: $y$j9T$JPKlR6kIk7GJStSdmAQWq/$e1vJER6KL/dk1diFNtC.COw9lu2uT6ZdrUgGcNVb912
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
# password: 9xFXkdPR_2
- name: sysadm
user_id: 1050
group_id: 1050
group: sysadm
password: $y$j9T$sHxqz7NyYdn38ZegSbewO.$PPHR0n.XeMcS3AQ9KybllBT.2hxpYlQ7AiVhxHgUOX8
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
# password: Iar-zrq4wG.2
- name: winadm
user_id: 1055
group_id: 1055
group: winadm
append: true
groups:
- sysadm
home: /home/winadm
password: $y$j9T$FIN.5hpIbyFh/zx8a3xVZ.$jn9b12BUW57PEXGp3288t/dVBB7glyTgj/58QyYOG7D
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: back
user_id: 1060
group_id: 1060
group: back
password: $y$j9T$WmitGB98lhPLJ39Iy4YfH.$irv0LP1bB5ImQKBUr1acEif6Ed6zDu6gLQuGQd/i5s0
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd0AwTHbDBK4Dgs+IZWmtnDBjoVIogOUvkLIYvsff1y root@backup.open.de'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINj0nCdFOZm51AVCfPbZ22QROIEiboXZ7RamHvM2E9IM root@backup.warenform.de'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQMCGCyIvs5hoNDoTIkKvKmEbxLf+uCYI1vx//ZQYY root@o26-backup'
- name: borg
user_id: 1065
group_id: 1065
group: borg
home: /home/borg
password: $y$j9T$JPKlR6kIk7GJStSdmAQWq/$e1vJER6KL/dk1diFNtC.COw9lu2uT6ZdrUgGcNVb912
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd0AwTHbDBK4Dgs+IZWmtnDBjoVIogOUvkLIYvsff1y root@backup.open.de'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF7MKFmJ2kJrNs5DhlPqfizZgz3wNpzFAITo63p/VBOe root@file-ah'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIItQLQ7lhBY2USF4Jcp4teF+1NydI73VeHYbQW8q4Mcw root@gw-ah'
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_user_entries:
- name: "Check if postfix mailservice is running. Restart service if needed."
minute: "*/5"
hour: "*"
job: /root/bin/monitoring/check_postfix.sh
- name: "Check Postfix E-Mail LOG file for 'fatal' errors."
minute: "*/30"
hour: "*"
job: /root/bin/postfix/check-postfix-fatal-errors.sh
- name: "Clean up Samba Trash Dirs"
minute: "02"
hour: "23"
job: /root/bin/samba/clean_samba_trash.sh
- name: "Set (group and access) Permissons for Samba shares"
minute: "14"
hour: "23"
job: /root/bin/samba/set_permissions_samba_shares.sh
- name: "Check if ntpsec is running. Restart service if needed."
minute: "*/6"
hour: "*"
job: /root/bin/monitoring/check_ntpsec_service.sh
cron_user_special_time_entries:
- name: "Restart DNS Cache service 'systemd-resolved'"
special_time: reboot
job: "sleep 10 ; /bin/systemctl restart systemd-resolved"
insertafter: PATH
#cron_user_special_time_entries:
#
# - name: "Restart DNS Cache service 'systemd-resolved'"
# special_time: reboot
# job: "sleep 10 ; /bin/systemctl restart systemd-resolved"
# insertafter: PATH
# ---
# vars used by roles/common/tasks/users.yml
# ---
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
# ---
# vars used by roles/common/tasks/nfs.yml
# ---
nfs_server: 192.168.100.20
# ---
# vars used by roles/common/tasks/samba-config-server.yml
# vars used by roles/common/tasks/samba-user.yml
# ---
samba_server_ip: 192.168.100.20
samba_server_cidr_prefix: 24
samba_workgroup: AH-NEU
samba_netbios_name: FILE-AH-NEU
samba_groups:
- name: verwaltung
group_id: 120
- name: intern
group_id: 121
- name: hoffmann-elberling
group_id: 122
- name: gubitz-partner
group_id: 123
- name: sysadm
group_id: 1050
- name: install
group_id: 1070
samba_user:
- name: chris
groups:
- buero
- intern
- verwaltung
- gubitz-partner
- hoffmann-elberling
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
63643330373231636537366333326630333265303265653933613835656262323863363038653234
3462653135633266373439626263356636646637643035340a653466356235346663626163306363
61313164643061306433643738643563303036646334376536626531383965303036386162393832
6631333038306462610a356535633265633563633962333137326533633834636331343562633765
3631
- name: test
groups:
- buero
- intern
- verwaltung
- gubitz-partner
- hoffmann-elberling
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
63643330373231636537366333326630333265303265653933613835656262323863363038653234
3462653135633266373439626263356636646637643035340a653466356235346663626163306363
61313164643061306433643738643563303036646334376536626531383965303036386162393832
6631333038306462610a356535633265633563633962333137326533633834636331343562633765
3631
- name: buero
groups:
- verwaltung
- intern
- hoffmann-elberling
password: 'buero2011'
- name: axel
groups:
- intern
- verwaltung
- hoffmann-elberling
password: 'ah-kiel.2018'
- name: bjoern
groups:
- intern
- verwaltung
- hoffmann-elberling
password: 'bjoern2011'
- name: gubitz
groups:
- intern
- verwaltung
- gubitz-partner
password: '20gubitz12'
- name: schaar
groups:
- intern
- verwaltung
- gubitz-partner
password: '20schaar12'
- name: molkentin
groups:
- intern
- verwaltung
- gubitz-partner
password: 20molkentin12
- name: buerooben
groups:
- intern
- verwaltung
- hoffmann-elberling
password: 'buero2013'
- name: buchholz
groups:
- buero
- intern
- verwaltung
password: '20-buch_holz-20'
- name: kiel-nb1
groups:
- buero
- intern
- verwaltung
- gubitz-partner
- hoffmann-elberling
password: '20-note%book1-20'
- name: kiel-nb2
groups:
- buero
- intern
- verwaltung
- gubitz-partner
- hoffmann-elberling
password: '20-note%book2-20'
- name: schmidt
groups:
- intern
- verwaltung
- gubitz-partner
password: '20-schmidt_21%'
- name: simone.schnoenmehl
groups:
- intern
- gubitz-partner
password: '20-simone-schnoenmehl-22%'
- name: heckert
groups:
- intern
- gubitz-partner
password: '0-heckert.22%'
- name: hh-lucke
groups: []
password: 'Ole20Steffen_17'
- name: hh-kanzlei
groups: []
password: '20-HH_18-Kanzlei'
- name: hh-jaenicke
groups: []
password: '20-th.jaenicke_%20'
- name: hh-pueschel
groups: []
password: '20-HH_caro.pueschel-%21'
- name: hh-kell
groups: []
password: '20-an.kell-%24'
- name: hh-neumann
groups: []
password: '20.neu-mann_%24'
# password: Iar-zrq4wG.2
- name: winadm
groups:
- sysadm
- install
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
31326630303038396164656266623339353031336434376531383133643266656133363165316532
6364343131656235313432356230646337373362343938660a393031323561326438653935393632
34373464313666343433626635656261323933353631393632626166643738386333636639303334
3661613165626230640a306236363161356239306232633565336131303066383464626164636133
3038
- name: hh-stork
groups: []
password: '20-ni-na.stork_%24'
- name: back
groups: []
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
63643330373231636537366333326630333265303265653933613835656262323863363038653234
3462653135633266373439626263356636646637643035340a653466356235346663626163306363
61313164643061306433643738643563303036646334376536626531383965303036386162393832
6631333038306462610a356535633265633563633962333137326533633834636331343562633765
3631
# password: 9xFXkdPR_2
- name: sysadm
groups:
- buero
- install
- intern
- verwaltung
- gubitz-partner
- hoffmann-elberling
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
35323634653231353634343232326436393435386366396364373766306135636536323165656362
3138366263316231333038343930313134333565373566640a363932616535343538376333313335
64326566643163366533356464326339653236636562363336633738656631626433306661323835
3337663865333636660a626131366161636433613561613235333831653733383365623564313431
6439
base_home: /home
# remove_samba_users:
# - name: name1
# - name: name2
#
remove_samba_users: []
samba_shares:
- name: Buero
path: /data/samba/shares/Buero
group_valid_users: intern
group_write_list: intern
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_recycle: true
recycle_path: '@Recycle'
- name: Verwaltung
path: /data/samba/shares/Verwaltung
group_valid_users: verwaltung
group_write_list: verwaltung
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_recycle: true
recycle_path: '@Recycle'
- name: Scans_schnell
path: /data/samba/shares/Scans_schnell
group_valid_users: intern
group_write_list: intern
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_recycle: true
recycle_path: '@Recycle'
- name: Hoffmann-Elberling
path: /data/samba/shares/Hoffmann-Elberling
group_valid_users: hoffmann-elberling
group_write_list: hoffmann-elberling
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_recycle: true
recycle_path: '@Recycle'
- name: Gubitz-Partner
path: /data/samba/shares/Gubitz-Partner
group_valid_users: gubitz-partner
group_write_list: gubitz-partner
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_recycle: true
recycle_path: '@Recycle'
- name: Gubitz-Backup
path: /data/samba/non-backup-shares/Gubitz-Backup
group_valid_users: gubitz
group_write_list: gubitz
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_recycle: true
recycle_path: '@Recycle'
- name: Install
path: /data/samba/shares/install
group_valid_users: install
group_write_list: install
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_recycle: true
recycle_path: '@Recycle'
# ---
# - This share will be written by Windows Server 2016 configured at
# - "Windows Zubehör" -> "Windows Server-Sicherung"
# ---
- name: WinServer2016-Backup
comment: WinServer2016-Backup on Fileserver
path: /data/samba/shares/WinServer2016-Backup
group_valid_users: sysadm
group_write_list: sysadm
file_create_mask: !!str 664
dir_create_mask: !!str 2775
guest_ok: !!str yes
vfs_object_recycle: false
# ---
# - This share will be written by windows schedulescript 'backup-advoware.bat'
# ---
- name: Advoware-Backup
comment: Advoware-Backup (only read) on Fileserver
path: /data/samba/shares/Advoware-Backup
group_valid_users: back
group_write_list: back
file_create_mask: !!str 664
dir_create_mask: !!str 2775
guest_ok: !!str yes
vfs_object_recycle: false
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.

109
host_vars/file-ah.kanzlei-kiel.netz.yml
View File

@@ -24,7 +24,7 @@ network_interfaces:
- device: br0
# use only once per device (for the first device entry)
headline: br0 - bridge over device enp33s0
headline: br0 - bridge over device eno1np0
# auto & allow are only used for the first device entry
allow: [] # array of allow-[stanzas] eg. allow-hotplug
@@ -32,7 +32,7 @@ network_interfaces:
family: inet
method: static
hwaddress: 0c:c4:7a:ea:dd:56
hwaddress: 7c:c2:55:c0:26:74
description:
address: 192.168.100.10
netmask: 24
@@ -57,22 +57,22 @@ network_interfaces:
# maxwait:
# waitport:
bridge:
ports: enp33s0 # for mor devices support a blank separated list
ports: eno1np0 # for mor devices support a blank separated list
stp: !!str off
fd: 5
hello: 2
maxage: 12
# inline hook scripts
pre-up:
- !!str "ip link set dev enp33s0 up" # pre-up script lines
pre-up:
- !!str "ip link set dev eno1np0 up" # pre-up script lines
up: [] #up script lines
post-up: [] # post-up script lines (alias for up)
pre-down: [] # pre-down script lines (alias for down)
down: [] # down script lines
post-down: [] # post-down script lines
# ---
# vars used by roles/ansible_dependencies
# ---
@@ -238,6 +238,41 @@ default_user:
# vars used by roles/common/tasks/cron.yml
# ---
cron_user_entries:
- name: "Check if postfix mailservice is running. Restart service if needed."
minute: "*/5"
hour: "*"
job: /root/bin/monitoring/check_postfix.sh
- name: "Check Postfix E-Mail LOG file for 'fatal' errors."
minute: "*/30"
hour: "*"
job: /root/bin/postfix/check-postfix-fatal-errors.sh
- name: "Clean up Samba Trash Dirs"
minute: "02"
hour: "23"
job: /root/bin/samba/clean_samba_trash.sh
- name: "Set (group and access) Permissons for Samba shares"
minute: "14"
hour: "23"
job: /root/bin/samba/set_permissions_samba_shares.sh
- name: "Check if ntpsec is running. Restart service if needed."
minute: "*/6"
hour: "*"
job: /root/bin/monitoring/check_ntpsec_service.sh
cron_user_special_time_entries:
- name: "Restart DNS Cache service 'systemd-resolved'"
special_time: reboot
job: "sleep 10 ; /bin/systemctl restart systemd-resolved"
insertafter: PATH
#cron_user_special_time_entries:
#
# - name: "Restart DNS Cache service 'systemd-resolved'"
@@ -316,10 +351,11 @@ samba_user:
- name: chris
groups:
- buero
- intern
- verwaltung
- gubitz-partner
- hoffmann-elberling
- install
- intern
- verwaltung
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
63643330373231636537366333326630333265303265653933613835656262323863363038653234
@@ -434,8 +470,30 @@ samba_user:
- name: heckert
groups:
- intern
- verwaltung
- gubitz-partner
password: '0-heckert.22%'
password: '20-heckert.22%'
- name: schultheis
groups:
- intern
- verwaltung
- gubitz-partner
password: '20.loui-sa/schultheis-26!'
- name: weber
groups:
- intern
- verwaltung
- gubitz-partner
password: '20.ni-klas.weber_26!'
- name: malte
groups:
- intern
- verwaltung
- gubitz-partner
password: '20.mal-te/26%'
- name: hh-lucke
groups: []
@@ -478,15 +536,16 @@ samba_user:
groups: []
password: '20-ni-na.stork_%24'
# password: y2F.E-9q-54f
- name: back
groups: []
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
63643330373231636537366333326630333265303265653933613835656262323863363038653234
3462653135633266373439626263356636646637643035340a653466356235346663626163306363
61313164643061306433643738643563303036646334376536626531383965303036386162393832
6631333038306462610a356535633265633563633962333137326533633834636331343562633765
3631
66613731346331613961353639616537656432373562653939623864613431663637643630613131
3264633732633962663330646436623532353834646463330a303037303965343762623332633661
34313165393831396366393162613166396465383264313831386430313535363832383437373064
6231626664316265660a653862386231333465623663633266616663326139356638613034303264
6131
# password: 9xFXkdPR_2
- name: sysadm
@@ -533,7 +592,7 @@ samba_shares:
vfs_object_recycle: true
recycle_path: '@Recycle'
- name: Scans_schnell
- name: Scans_schnell
path: /data/samba/shares/Scans_schnell
group_valid_users: intern
group_write_list: intern
@@ -582,9 +641,23 @@ samba_shares:
# - This share will be written by Windows Server 2016 configured at
# - "Windows Zubehör" -> "Windows Server-Sicherung"
# ---
- name: WinServer2016-Backup
comment: WinServer2016-Backup on Fileserver
path: /data/samba/shares/WinServer2016-Backup
# - name: WinServer2016-Backup
# comment: WinServer2016-Backup on Fileserver
# path: /data/samba/shares/WinServer2016-Backup
# group_valid_users: sysadm
# group_write_list: sysadm
# file_create_mask: !!str 664
# dir_create_mask: !!str 2775
# guest_ok: !!str yes
# vfs_object_recycle: false
# ---
# - This share will be written by Windows Server 2016 configured at
# - "Windows Zubehör" -> "Windows Server-Sicherung"
# ---
- name: Windows-Server-2025-Backup
comment: Windows-Server-2025-Backup on Fileserver
path: /data/samba/shares/Windows-Server-2025-Backup
group_valid_users: sysadm
group_write_list: sysadm
file_create_mask: !!str 664

27
host_vars/file-blkr.blkr.netz.yml
View File

@@ -287,6 +287,7 @@ samba_user:
- buero
- verwaltung
password: 'Mq9R.WhKtP4v'
- name: chris
groups:
- buero
@@ -298,77 +299,99 @@ samba_user:
61313164643061306433643738643563303036646334376536626531383965303036386162393832
6631333038306462610a356535633265633563633962333137326533633834636331343562633765
3631
- name: josephine
groups:
- buero
- verwaltung
password: 'H7jnJ/m9W-bf'
- name: julius
groups:
- buero
- verwaltung
password: 'fx9j/3X-thPr'
- name: julius-e
groups:
- buero
- verwaltung
password: '2/kcx3jju-tr'
- name: leonie
groups:
- buero
- verwaltung
password: '6.4aVX7rQ-9H'
- name: philip
groups:
- buero
- verwaltung
password: 'fN%749Psv_NR'
- name: buero1
groups:
- buero
password: 'Mfr!7tK+d49C'
- name: buero2
groups:
- buero
password: 'gW-wg3Pttf4/'
- name: buero3
groups:
- buero
password: 'Qc-WyMhJ/3-2'
- name: referendariat
groups:
- buero
password: '4/zCNXnVF7+i'
- name: refa
groups:
- buero
password: 'Mehringdamm40'
- name: refi
groups:
- buero
password: '3.43-vhs7VoT'
- name: ref1
groups:
- buero
password: '???'
- name: sebastian
groups:
- buero
- verwaltung
password: 'bhNC.P5eTy-2'
- name: buero-05
groups:
- buero
password: '5/SXbV-M3vmQ'
- name: buero-06
groups:
- buero
password: 'N-ba2R+i/2eM'
- name: lap-01
groups:
- buero
password: 'X_2yYs2AIo.E'
- name: clara
- name: notfall
groups:
- buero
password: '52uT-/vP.ZpX'
- verwaltung
password: 'q.Y-q/3r9j.E'
# - name: lap-02
# groups:

39
host_vars/file-dissens.dissens.netz.yml
View File

@@ -414,11 +414,11 @@ samba_user:
- projekte
password: '20.j0hanna.ru3kgau3r+24!'
- name: laura.sasse
groups:
- projekte
- team
password: '20/l4ur4-s4sse-24?'
# - name: laura.sasse
# groups:
# - projekte
# - team
# password: '20/l4ur4-s4sse-24?'
- name: lino.koehler
groups:
@@ -458,10 +458,10 @@ samba_user:
- verwaltung
password: '20/r4lph-kl3sch.24-'
- name: rositsa.mahdi
groups:
- projekte
password: '20.ros1tsa-mahd1+24+'
# - name: rositsa.mahdi
# groups:
# - projekte
# password: '20.ros1tsa-mahd1+24+'
- name: selma.albrecht
groups:
@@ -486,11 +486,11 @@ samba_user:
- team
password: '20-sc4n.25!'
- name: sebastian.scheele
groups:
- projekte
- team
password: '20/s3-bast1an+sch33l3_24-'
# - name: sebastian.scheele
# groups:
# - projekte
# - team
# password: '20/s3-bast1an+sch33l3_24-'
- name: simon.krugmann
groups:
@@ -525,14 +525,11 @@ samba_user:
base_home: /data/home
# remove_samba_users:
# - name: name1
# - name: name2
#
remove_samba_users: []
#remove_samba_users:
# - name: elenor.faellgrem
# - name: maiken.schiele
#remove_samba_users:
# - name: sebastian.scheele
# - name: rositsa.mahdi
# - name: laura.sasse
samba_shares:

768
host_vars/file-km-neu.anw-km.netz.yml Normal file
View File

@@ -0,0 +1,768 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
network_manage_devices: True
# Should the interfaces be reloaded after config change?
network_interface_reload: False
network_interface_path: /etc/network/interfaces.d
network_interface_required_packages:
- vlan
- bridge-utils
- ifmetric
- ifupdown
- ifenslave
network_interfaces:
- device: br0
# use only once per device (for the first device entry)
headline: br0 - bridge over device eno1np0
# auto & allow are only used for the first device entry
allow: [] # array of allow-[stanzas] eg. allow-hotplug
auto: true
family: inet
method: static
description:
address: 192.168.122.210
netmask: 24
gateway: 192.168.122.254
# optional dns settings nameservers: []
#
# nameservers:
# - 194.150.168.168 # dns.as250.net
# - 91.239.100.100 # anycast.censurfridns.dk
# search: warenform.de
#
# optional bridge parameters bridge: {}
# bridge:
# ports:
# stp:
# fd:
# maxwait:
# waitport:
bridge:
ports: eno1np0 # for mor devices support a blank separated list
stp: !!str off
fd: 5
hello: 2
maxage: 12
# inline hook scripts
pre-up:
- !!str "ip link set dev eno1np0 up" # pre-up script lines
up: [] #up script lines
post-up: [] # post-up script lines (alias for up)
pre-down: [] # pre-down script lines (alias for down)
down: [] # down script lines
post-down: [] # post-down script lines
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 192.168.122.1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- anw-km.netz
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 172.16.122.254
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_user_special_time_entries:
- name: "Restart DNS Cache service 'systemd-resolved'"
special_time: reboot
job: "sleep 10 ; /bin/systemctl restart systemd-resolved"
insertafter: PATH
# ---
# vars used by roles/common/tasks/users.yml
# ---
extra_user:
- name: advoware
user_id: 1115
group_id: 1115
group: advoware
home: / data/home/advoware
password: $y$j9T$wuQkVnvJxMIy/2Hvmqm2w/$AlMLFmglx764uNSekaFJ3inN59jiDc8.4F2vhUybF22
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: a-jur
user_id: 1110
group_id: 1110
group: a-jur
home: / data/home/a-jur
password: $y$j9T$wuQkVnvJxMIy/2Hvmqm2w/$AlMLFmglx764uNSekaFJ3inN59jiDc8.4F2vhUybF22
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: back
user_id: 1060
group_id: 1060
group: back
home: /home/back
password: $y$j9T$WmitGB98lhPLJ39Iy4YfH.$irv0LP1bB5ImQKBUr1acEif6Ed6zDu6gLQuGQd/i5s0
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd0AwTHbDBK4Dgs+IZWmtnDBjoVIogOUvkLIYvsff1y root@backup.open.de'
- name: borg
user_id: 1065
group_id: 1065
group: borg
home: /home/borg
password: $y$j9T$JPKlR6kIk7GJStSdmAQWq/$e1vJER6KL/dk1diFNtC.COw9lu2uT6ZdrUgGcNVb912
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILsqkTV7RiYPljwlP/MZA+MBeTgiwZI7oCAD77Ujpm1V root@file-km'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOan+hwlA8B3mk82tsvL1LGlejrF5pqT2J3POrg/QJLX root@gw-km'
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
sudoers_file_user_back_mount_privileges:
- 'ALL=(root) NOPASSWD: /usr/bin/mount'
- 'ALL=(root) NOPASSWD: /usr/bin/umount'
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
# ---
# vars used by roles/common/tasks/samba-config-server.yml
# vars used by roles/common/tasks/samba-user.yml
# ---
samba_server_ip: 192.168.122.210
samba_server_cidr_prefix: 24
samba_workgroup: WORKGROUP
samba_netbios_name: FILE-KM
samba_server_min_protocol: !!str NT1
samba_groups:
- name: kanzlei
group_id: 1100
- name: a-jur
group_id: 1110
- name: advoware
group_id: 1115
- name: intern
group_id: 1120
- name: aulmann
group_id: 1130
- name: howe
group_id: 1140
- name: stahmann
group_id: 1150
- name: traine
group_id: 1160
- name: public
group_id: 1170
- name: alle
group_id: 1180
samba_user:
- name: advoware
groups:
- advoware
password: '9WNRbc49m3'
- name: a-jur
groups:
- a-jur
- alle
- intern
- kanzlei
password: 'a-jur'
- name: andrea
groups:
- advoware
- aulmann
- howe
- stahmann
- traine
- public
password: 'fXc3bmK9gj'
- name: andreas
groups:
- a-jur
- advoware
- alle
- kanzlei
password: 'YKQRa.M9-6rL'
- name: aphex2
groups:
- alle
- aulmann
- howe
- stahmann
- traine
- public
password: 'J3KMRprK9H'
- name: berenice
groups:
- advoware
- kanzlei
- a-jur
- alle
password: 'berenice'
- name: beuster
groups:
- advoware
- aulmann
- howe
- stahmann
- traine
- public
- alle
password: 'zlm17Kx'
- name: buero
groups:
- advoware
- kanzlei
- a-jur
- alle
password: 'buero'
- name: buero2
groups:
- advoware
- kanzlei
- a-jur
- alle
password: 'buero2'
- name: buero3
groups:
- advoware
- kanzlei
- a-jur
- alle
password: 'buero3'
- name: buero4
groups:
- advoware
- kanzlei
- a-jur
- alle
password: 'buero4'
- name: buero7
groups:
- advoware
- kanzlei
- a-jur
- alle
password: 'buero7'
- name: chris
groups:
- a-jur
- advoware
- alle
- aulmann
- intern
- kanzlei
- stahmann
- traine
- public
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
30383265366434633965346530666535363761396165393434643665393137353765653739636364
6330623334353763613065343336306434376335646666380a363030363335656261656236636562
63663763616630383264303039336562626537366634303636356237323630666635356130383165
3837613337343533650a663061366230353531316535656433643162353063383534323833323138
3430
- name: christina
groups:
- advoware
- alle
- aulmann
- howe
- stahmann
- traine
- public
password: 'qvR7zX4Lhs'
- name: federico
groups:
- advoware
- alle
- aulmann
- howe
- stahmann
- traine
- public
password: 'zHfj9g3NcC'
# - name: gerhard
# groups:
# - advoware
# - alle
# - aulmann
# - howe
# - stahmann
# - traine
# - public
# password: 'bHdhzWnTj9'
- name: ho-st1
groups:
- alle
- howe
- stahmann
password: '44-Ro-440'
# - name: howe-staff-1
# groups:
# - advoware
# - alle
# - aulmann
# - howe
# password: ''
- name: irina
groups:
- advoware
- alle
- aulmann
- howe
- stahmann
- traine
- public
password: 'W9NKv39pXW'
- name: jessica
groups:
- advoware
- alle
- aulmann
- howe
- stahmann
- traine
- public
password: 'bV3pjPtjkR'
# - name: laura
# groups:
# - alle
# - aulmann
# - howe
# - stahmann
# - traine
# password: '99-Hamburg-990'
- name: lenovo3
groups:
- advoware
- alle
- aulmann
- howe
- stahmann
- traine
- public
password: 'fndvLmrt7W'
- name: lenovo4
groups:
- advoware
- alle
- aulmann
- howe
- stahmann
- traine
- public
password: 'tpCMmTKj7H'
- name: lenovo5
groups:
- advoware
- alle
- aulmann
- howe
- stahmann
- traine
- public
password: 'L5Hannover51'
- name: lenovo6
groups:
- advoware
- alle
- aulmann
- howe
- stahmann
- traine
password: '66koeln66'
- name: rm-buero1
groups:
- advoware
- alle
- a-jur
- kanzlei
password: ''
- name: rm-buero2
groups:
- advoware
- alle
- a-jur
- kanzlei
password: ''
- name: rolf
groups:
- alle
- aulmann
- howe
- stahmann
- traine
- public
password: '4xNVNFXgP4'
- name: sysadm
groups:
- a-jur
- advoware
- alle
- aulmann
- intern
- kanzlei
- stahmann
- traine
- public
password: 'Ax_GSHh5'
- name: thomas
groups:
- advoware
- alle
- traine
password: '55-tho-mas-550'
- name: Tresen
groups:
- a-jur
- advoware
- alle
- kanzlei
- howe
- stahmann
- traine
- public
password: 'maltzwo2'
- name: winadm
groups:
- a-jur
- advoware
- alle
- intern
- kanzlei
- public
password: 'Ax_GSHh5'
base_home: /data/home
remove_samba_users:
- name: howe-staff-1
- name: gerhard
- name: laura
#remove_samba_users: []
#remove_samba_users:
# - name: evren
samba_shares:
- name: a-jur
comment: a-jur Dokumente
path: /data/samba/a-jur
group_valid_users: a-jur
group_write_list: a-jur
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_recycle: true
recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true
- name: kanzlei
comment: Kanzlei auf Fileserver
path: /data/samba/kanzlei
group_valid_users: kanzlei
group_write_list: kanzlei
file_create_mask: !!str 664
dir_create_mask: !!str 2775
vfs_object_recycle: true
recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true
- name: install
comment: Install auf Fileserver
path: /data/samba/no-backup-shares/install
group_valid_users: intern
group_write_list: intern
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_recycle: false
- name: aulmann
comment: Aulmann auf Fileserver
path: /data/samba/Aulmann
group_valid_users: aulmann
group_write_list: aulmann
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_recycle: true
recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true
- name: howe
comment: Howe auf Fileserver
path: /data/samba/Howe
group_valid_users: howe
group_write_list: howe
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_recycle: true
recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true
- name: stahmann
comment: Stahmann auf Fileserver
path: /data/samba/Stahmann
group_valid_users: stahmann
group_write_list: stahmann
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_recycle: true
recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true
- name: traine
comment: Traine auf Fileserver
path: /data/samba/Traine
group_valid_users: traine
group_write_list: traine
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_recycle: true
recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true
- name: public
comment: Public auf Fileserver
path: /data/samba/public
group_valid_users: public
group_write_list: public
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_recycle: true
recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true
- name: Advoware-Schriftverkehr
comment: Advoware Dokumente
path: /data/samba/Advoware-Schriftverkehr
group_valid_users: advoware
group_write_list: advoware
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_recycle: true
recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true
- name: Advoware-Backup
comment: Advoware Dokumente
path: /data/samba/Advoware-Backup
group_valid_users: intern
group_write_list: intern
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_recycle: true
recycle_path: '@Recycle'
vfs_object_recycle_is_visible: false
- name: alle
comment: Alle auf Fileserver
path: /data/samba/Alle
group_valid_users: alle
group_write_list: alle
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_recycle: true
recycle_path: '@Recycle'
vfs_object_recycle_is_visible: true
# - name: web
# comment: Web auf Fileserver
# path: /data/samba/Web
# group_valid_users: web
# group_write_list: web
# file_create_mask: !!str 660
# dir_create_mask: !!str 2770
# vfs_object_recycle: true
# recycle_path: '@Recycle'
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.

7
host_vars/g.mx.oopen.de.yml
View File

@@ -151,13 +151,6 @@ resolved_fallback_nameserver:
copy_plain_files:
# /root/bin/monitoring
#
- name: monitoring_check_webservice_load.conf
src_path: g.mx/root/bin/monitoring/conf/check_webservice_load.conf
dest_path: /root/bin/monitoring/conf/check_webservice_load.conf
# /root/bin/postfix
#
- name: postfix_create_opendkim_key.conf

43
host_vars/ga-al-gw.oopen.de.yml
View File

@@ -347,6 +347,49 @@ resolved_fallback_nameserver:
# vars used by roles/common/tasks/cron.yml
# ---
cron_user_entries:
- name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )"
minute: '0-59/3'
hour: '*'
job: /root/bin/monitoring/check_forwarding.sh
- name: "Check if nameservice (bind) is running?"
minute: '*/23'
hour: '*'
job: /root/bin/monitoring/check_dns.sh
- name: "Check if Resolver (systemd-resolved) is up and running?"
minute: '*/23'
hour: '*'
job: bin/monitoring/check_systemd_resolved.sh
- name: "Check if Postfix Mailservice is up and running?"
minute: '*/17'
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
- name: "Check if SSH service is up and running?"
minute: '*/13'
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if OpenVPN service is up and running?"
minute: '*/29'
hour: '*'
job: /root/bin/monitoring/check_vpn.sh
- name: "Copy gateway configuration"
minute: '09'
hour: '3'
job: /root/bin/manage-gw-config/copy_gateway-config.sh GA-AL
- name: "Speedtest"
minute: 13
hour: 0-8
job: /root/bin/admin-stuff/speedtest.sh
cron_user_special_time_entries:
- name: "Restart NTP service 'ntpsec'"

52
host_vars/ga-gh-gw.oopen.de.yml
View File

@@ -91,50 +91,50 @@ network_interfaces:
cron_user_entries:
- name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )"
minute: '0-59/3'
hour: '*'
job: /root/bin/monitoring/check_forwarding.sh
- name: "Check if nameservice (bind) is running?"
minute: '*/23'
hour: '*'
job: /root/bin/monitoring/check_dns.sh
- name: "Check if Resolver (systemd-resolved) is up and running?"
minute: '*/23'
hour: '*'
job: bin/monitoring/check_systemd_resolved.sh
- name: "Check if Postfix Mailservice is up and running?"
minute: "*/15"
minute: '*/17'
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
- name: "Check if SSH service is up and running?"
minute: "*/15"
minute: '*/13'
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if OpenVPN service is up and running?"
minute: "*/30"
minute: '*/29'
hour: '*'
job: /root/bin/monitoring/check_vpn.sh
- name: "Check if nameservice (bind) is running?"
minute: '*/10'
hour: '*'
job: /root/bin/monitoring/check_dns.sh
- name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )"
minute: "0-59/2"
hour: '*'
job: /root/bin/monitoring/check_forwarding.sh
- name: "Copy gateway configuration"
minute: "09"
hour: "3"
job: /root/bin/manage-gw-config/copy_gateway-config.sh GA-NH
minute: '09'
hour: '3'
job: /root/bin/manage-gw-config/copy_gateway-config.sh GA-GH
- name: "Speedtest"
minute: 13
hour: 0-8
job: /root/bin/admin-stuff/speedtest.sh
#cron_user_special_time_entries: []
cron_user_special_time_entries:
- name: "Check if Postfix Service is running at boot time"
special_time: reboot
job: "sleep 7 ; /root/bin/monitoring/check_postfix.sh"
insertafter: PATH
- name: "Restart Systemd's resolved at boottime."
special_time: reboot
job: "sleep 10 ; /bin/systemctl restart systemd-resolved"
insertafter: PATH
- name: "Restart NTP service 'ntpsec'"
special_time: reboot
job: "sleep 15 ; /bin/systemctl restart ntpsec"

10
host_vars/ga-nh-gw.oopen.de.yml
View File

@@ -139,16 +139,6 @@ cron_user_entries:
#cron_user_special_time_entries: []
cron_user_special_time_entries:
- name: "Check if Postfix Service is running at boot time"
special_time: reboot
job: "sleep 7 ; /root/bin/monitoring/check_postfix.sh"
insertafter: PATH
- name: "Restart Systemd's resolved at boottime."
special_time: reboot
job: "sleep 10 ; /bin/systemctl restart systemd-resolved"
insertafter: PATH
- name: "Restart NTP service 'ntpsec'"
special_time: reboot
job: "sleep 15 ; /bin/systemctl restart ntpsec"

43
host_vars/ga-st-gw.ga.netz.yml
View File

@@ -400,6 +400,49 @@ resolved_fallback_nameserver:
# vars used by roles/common/tasks/cron.yml
# ---
cron_user_entries:
- name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )"
minute: '0-59/3'
hour: '*'
job: /root/bin/monitoring/check_forwarding.sh
- name: "Check if nameservice (bind) is running?"
minute: '*/23'
hour: '*'
job: /root/bin/monitoring/check_dns.sh
- name: "Check if Resolver (systemd-resolved) is up and running?"
minute: '*/23'
hour: '*'
job: bin/monitoring/check_systemd_resolved.sh
- name: "Check if Postfix Mailservice is up and running?"
minute: '*/17'
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
- name: "Check if SSH service is up and running?"
minute: '*/13'
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if OpenVPN service is up and running?"
minute: '*/29'
hour: '*'
job: /root/bin/monitoring/check_vpn.sh
- name: "Copy gateway configuration"
minute: '09'
hour: '3'
job: /root/bin/manage-gw-config/copy_gateway-config.sh GA-Schloss
- name: "Speedtest"
minute: 13
hour: 0-8
job: /root/bin/admin-stuff/speedtest.sh
cron_user_special_time_entries:
- name: "Restart NTP service 'ntpsec'"

6
host_vars/ga-st-mail.ga.netz.yml
View File

@@ -214,10 +214,6 @@ copy_plain_files:
src_path: ga-st-mail/root/bin/monitoring/conf/check_cert_for_dovecot.conf
dest_path: /root/bin/monitoring/conf/check_cert_for_dovecot.conf
- name: monitoring_check_webservice_load.conf
src_path: ga-st-mail/root/bin/monitoring/conf/check_webservice_load.conf
dest_path: /root/bin/monitoring/conf/check_webservice_load.conf
# /root/bin/postfix
#
- name: postfix_create_opendkim_key.conf
@@ -265,6 +261,8 @@ ipv4_address: 192.168.11.2
admin_email: it@gemeinschaft-altenschlirf.org
is_relay_host: !!str "false"
support_dmarc_reporting: !!str "false"
db_in_use: !!str "true"
# postfix_db_type
#

43
host_vars/gw-123.oopen.de.yml
View File

@@ -115,6 +115,49 @@ resolved_fallback_nameserver:
# vars used by roles/common/tasks/cron.yml
# ---
cron_user_entries:
- name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )"
minute: '0-59/3'
hour: '*'
job: /root/bin/monitoring/check_forwarding.sh
- name: "Check if nameservice (bind) is running?"
minute: '*/23'
hour: '*'
job: /root/bin/monitoring/check_dns.sh
- name: "Check if Resolver (systemd-resolved) is up and running?"
minute: '*/23'
hour: '*'
job: bin/monitoring/check_systemd_resolved.sh
- name: "Check if Postfix Mailservice is up and running?"
minute: '*/17'
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
- name: "Check if SSH service is up and running?"
minute: '*/13'
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if OpenVPN service is up and running?"
minute: '*/29'
hour: '*'
job: /root/bin/monitoring/check_vpn.sh
- name: "Copy gateway configuration"
minute: '09'
hour: '3'
job: /root/bin/manage-gw-config/copy_gateway-config.sh 123
- name: "Speedtest"
minute: 13
hour: 0-8
job: /root/bin/admin-stuff/speedtest.sh
cron_user_special_time_entries:
- name: "Restart NTP service 'ntpsec'"

43
host_vars/gw-ah.oopen.de.yml
View File

@@ -110,6 +110,49 @@ resolved_fallback_nameserver:
# vars used by roles/common/tasks/cron.yml
# ---
cron_user_entries:
- name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )"
minute: '0-59/3'
hour: '*'
job: /root/bin/monitoring/check_forwarding.sh
- name: "Check if nameservice (bind) is running?"
minute: '*/23'
hour: '*'
job: /root/bin/monitoring/check_dns.sh
- name: "Check if Resolver (systemd-resolved) is up and running?"
minute: '*/23'
hour: '*'
job: bin/monitoring/check_systemd_resolved.sh
- name: "Check if Postfix Mailservice is up and running?"
minute: '*/17'
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
- name: "Check if SSH service is up and running?"
minute: '*/13'
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if OpenVPN service is up and running?"
minute: '*/29'
hour: '*'
job: /root/bin/monitoring/check_vpn.sh
- name: "Copy gateway configuration"
minute: '09'
hour: '3'
job: /root/bin/manage-gw-config/copy_gateway-config.sh Kanzlei-Kiel
- name: "Speedtest"
minute: 13
hour: 0-8
job: /root/bin/admin-stuff/speedtest.sh
cron_user_special_time_entries:
- name: "Restart NTP service 'ntpsec'"

42
host_vars/gw-akb.oopen.de.yml
View File

@@ -115,6 +115,48 @@ resolved_fallback_nameserver:
# vars used by roles/common/tasks/cron.yml
# ---
cron_user_entries:
- name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )"
minute: '0-59/3'
hour: '*'
job: /root/bin/monitoring/check_forwarding.sh
- name: "Check if nameservice (bind) is running?"
minute: '*/23'
hour: '*'
job: /root/bin/monitoring/check_dns.sh
- name: "Check if Resolver (systemd-resolved) is up and running?"
minute: '*/23'
hour: '*'
job: bin/monitoring/check_systemd_resolved.sh
- name: "Check if Postfix Mailservice is up and running?"
minute: '*/17'
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
- name: "Check if SSH service is up and running?"
minute: '*/13'
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if OpenVPN service is up and running?"
minute: '*/29'
hour: '*'
job: /root/bin/monitoring/check_vpn.sh
- name: "Copy gateway configuration"
minute: '09'
hour: '3'
job: /root/bin/manage-gw-config/copy_gateway-config.sh AKB
- name: "Speedtest"
minute: 13
hour: 0-8
job: /root/bin/admin-stuff/speedtest.sh
cron_user_special_time_entries:
- name: "Restart NTP service 'ntpsec'"

45
host_vars/gw-b3.oopen.de.yml
View File

@@ -115,6 +115,49 @@ resolved_fallback_nameserver:
# vars used by roles/common/tasks/cron.yml
# ---
cron_user_entries:
- name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )"
minute: '0-59/3'
hour: '*'
job: /root/bin/monitoring/check_forwarding.sh
- name: "Check if nameservice (bind) is running?"
minute: '*/23'
hour: '*'
job: /root/bin/monitoring/check_dns.sh
- name: "Check if Resolver (systemd-resolved) is up and running?"
minute: '*/23'
hour: '*'
job: bin/monitoring/check_systemd_resolved.sh
- name: "Check if Postfix Mailservice is up and running?"
minute: '*/17'
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
- name: "Check if SSH service is up and running?"
minute: '*/13'
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if OpenVPN service is up and running?"
minute: '*/29'
hour: '*'
job: /root/bin/monitoring/check_vpn.sh
- name: "Copy gateway configuration"
minute: '09'
hour: '3'
job: /root/bin/manage-gw-config/copy_gateway-config.sh B3-Bornim
- name: "Speedtest"
minute: 13
hour: 0-8
job: /root/bin/admin-stuff/speedtest.sh
cron_user_special_time_entries:
- name: "Restart NTP service 'ntpsec'"
@@ -123,6 +166,8 @@ cron_user_special_time_entries:
insertafter: PATH
# ---
# vars used by roles/common/tasks/users.yml
# ---

48
host_vars/gw-blkr.oopen.de.yml
View File

@@ -83,55 +83,49 @@ network_interfaces:
cron_user_entries:
- name: "Check if Postfix Mailservice is up and running?"
minute: '*/15'
- name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )"
minute: '0-59/3'
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
job: /root/bin/monitoring/check_forwarding.sh
- name: "Check Postfix E-Mail LOG file for 'fatal' errors"
minute: '17'
- name: "Check if nameservice (bind) is running?"
minute: '*/23'
hour: '*'
job: /root/bin/monitoring/check_dns.sh
- name: "Check if Resolver (systemd-resolved) is up and running?"
minute: '*/23'
hour: '*'
job: bin/monitoring/check_systemd_resolved.sh
- name: "Check if Postfix Mailservice is up and running?"
minute: '*/17'
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
- name: "Check if SSH service is up and running?"
minute: '*/15'
minute: '*/13'
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if OpenVPN service is up and running?"
minute: '*/30'
minute: '*/29'
hour: '*'
job: /root/bin/monitoring/check_vpn.sh
- name: "Check if nameservice (bind) is running?"
minute: '*/10'
hour: '*'
job: /root/bin/monitoring/check_dns.sh
- name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )"
minute: '0-59/2'
hour: '*'
job: /root/bin/monitoring/check_forwarding.sh
- name: "Copy gateway configuration"
minute: '09'
hour: '3'
job: /root/bin/manage-gw-config/copy_gateway-config.sh BLKR
- name: "Speedtest"
minute: 13
hour: 0-8
job: /root/bin/admin-stuff/speedtest.sh
#cron_user_special_time_entries: []
cron_user_special_time_entries:
- name: "Check if Postfix Service is running at boot time"
special_time: reboot
job: "sleep 7 ; /root/bin/monitoring/check_postfix.sh"
insertafter: PATH
- name: "Restart Systemd's resolved at boottime."
special_time: reboot
job: "sleep 10 ; /bin/systemctl restart systemd-resolved"
insertafter: PATH
- name: "Restart NTP service 'ntpsec'"
special_time: reboot
job: "sleep 15 ; /bin/systemctl restart ntpsec"

50
host_vars/gw-campus.oopen.de.yml
View File

@@ -129,6 +129,56 @@ network_interfaces:
# vars used by roles/common/tasks/cron.yml
# ---
cron_user_entries:
- name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )"
minute: '0-59/3'
hour: '*'
job: /root/bin/monitoring/check_forwarding.sh
- name: "Check if nameservice (bind) is running?"
minute: '*/23'
hour: '*'
job: /root/bin/monitoring/check_dns.sh
- name: "Check if Resolver (systemd-resolved) is up and running?"
minute: '*/23'
hour: '*'
job: bin/monitoring/check_systemd_resolved.sh
- name: "Check if Postfix Mailservice is up and running?"
minute: '*/17'
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
- name: "Check if SSH service is up and running?"
minute: '*/13'
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if OpenVPN service is up and running?"
minute: '*/29'
hour: '*'
job: /root/bin/monitoring/check_vpn.sh
- name: "Copy gateway configuration"
minute: '09'
hour: '3'
job: /root/bin/manage-gw-config/copy_gateway-config.sh CAMPUS
- name: "Speedtest"
minute: 13
hour: 0-8
job: /root/bin/admin-stuff/speedtest.sh
cron_user_special_time_entries:
- name: "Restart NTP service 'ntpsec'"
special_time: reboot
job: "sleep 15 ; /bin/systemctl restart ntpsec"
insertafter: PATH
# ---
# vars used by roles/common/tasks/sshd.yml

44
host_vars/gw-ckubu.local.netz.yml
View File

@@ -106,6 +106,50 @@ resolved_fallback_nameserver:
# vars used by roles/common/tasks/cron.yml
# ---
cron_user_entries:
- name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )"
minute: '0-59/3'
hour: '*'
job: /root/bin/monitoring/check_forwarding.sh
- name: "Check if nameservice (bind) is running?"
minute: '*/23'
hour: '*'
job: /root/bin/monitoring/check_dns.sh
- name: "Check if Resolver (systemd-resolved) is up and running?"
minute: '*/23'
hour: '*'
job: bin/monitoring/check_systemd_resolved.sh
- name: "Check if Postfix Mailservice is up and running?"
minute: '*/17'
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
- name: "Check if SSH service is up and running?"
minute: '*/13'
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if OpenVPN service is up and running?"
minute: '*/29'
hour: '*'
job: /root/bin/monitoring/check_vpn.sh
- name: "Copy gateway configuration"
minute: '09'
hour: '3'
job: /root/bin/manage-gw-config/copy_gateway-config.sh CKUBU
- name: "Speedtest"
minute: 13
hour: 0-8
job: /root/bin/admin-stuff/speedtest.sh
cron_user_special_time_entries:
- name: "Restart NTP service 'ntpsec'"

43
host_vars/gw-d11.oopen.de.yml
View File

@@ -115,6 +115,49 @@ resolved_fallback_nameserver:
# vars used by roles/common/tasks/cron.yml
# ---
cron_user_entries:
- name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )"
minute: '0-59/3'
hour: '*'
job: /root/bin/monitoring/check_forwarding.sh
- name: "Check if nameservice (bind) is running?"
minute: '*/23'
hour: '*'
job: /root/bin/monitoring/check_dns.sh
- name: "Check if Resolver (systemd-resolved) is up and running?"
minute: '*/23'
hour: '*'
job: bin/monitoring/check_systemd_resolved.sh
- name: "Check if Postfix Mailservice is up and running?"
minute: '*/17'
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
- name: "Check if SSH service is up and running?"
minute: '*/13'
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if OpenVPN service is up and running?"
minute: '*/29'
hour: '*'
job: /root/bin/monitoring/check_vpn.sh
- name: "Copy gateway configuration"
minute: '09'
hour: '3'
job: /root/bin/manage-gw-config/copy_gateway-config.sh WF
- name: "Speedtest"
minute: 13
hour: 0-8
job: /root/bin/admin-stuff/speedtest.sh
cron_user_special_time_entries:
- name: "Restart NTP service 'ntpsec'"

43
host_vars/gw-dissens.oopen.de.yml
View File

@@ -203,6 +203,49 @@ resolved_fallback_nameserver:
# vars used by roles/common/tasks/cron.yml
# ---
cron_user_entries:
- name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )"
minute: '0-59/3'
hour: '*'
job: /root/bin/monitoring/check_forwarding.sh
- name: "Check if nameservice (bind) is running?"
minute: '*/23'
hour: '*'
job: /root/bin/monitoring/check_dns.sh
- name: "Check if Resolver (systemd-resolved) is up and running?"
minute: '*/23'
hour: '*'
job: bin/monitoring/check_systemd_resolved.sh
- name: "Check if Postfix Mailservice is up and running?"
minute: '*/17'
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
- name: "Check if SSH service is up and running?"
minute: '*/13'
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if OpenVPN service is up and running?"
minute: '*/29'
hour: '*'
job: /root/bin/monitoring/check_vpn.sh
- name: "Copy gateway configuration"
minute: '09'
hour: '3'
job: /root/bin/manage-gw-config/copy_gateway-config.sh DISSENS
- name: "Speedtest"
minute: 13
hour: 0-8
job: /root/bin/admin-stuff/speedtest.sh
cron_user_special_time_entries:
- name: "Restart NTP service 'ntpsec'"

42
host_vars/gw-ebs.oopen.de.yml
View File

@@ -156,6 +156,48 @@ resolved_fallback_nameserver:
# vars used by roles/common/tasks/cron.yml
# ---
cron_user_entries:
- name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )"
minute: '0-59/3'
hour: '*'
job: /root/bin/monitoring/check_forwarding.sh
- name: "Check if nameservice (bind) is running?"
minute: '*/23'
hour: '*'
job: /root/bin/monitoring/check_dns.sh
- name: "Check if Resolver (systemd-resolved) is up and running?"
minute: '*/23'
hour: '*'
job: bin/monitoring/check_systemd_resolved.sh
- name: "Check if Postfix Mailservice is up and running?"
minute: '*/17'
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
- name: "Check if SSH service is up and running?"
minute: '*/13'
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if OpenVPN service is up and running?"
minute: '*/29'
hour: '*'
job: /root/bin/monitoring/check_vpn.sh
- name: "Copy gateway configuration"
minute: '09'
hour: '3'
job: /root/bin/manage-gw-config/copy_gateway-config.sh EBS
- name: "Speedtest"
minute: 13
hour: 0-8
job: /root/bin/admin-stuff/speedtest.sh
cron_user_special_time_entries:
- name: "Restart NTP service 'ntpsec'"

46
host_vars/gw-elster.oopen.de.yml
View File

@@ -83,50 +83,50 @@ network_interfaces:
cron_user_entries:
- name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )"
minute: '0-59/3'
hour: '*'
job: /root/bin/monitoring/check_forwarding.sh
- name: "Check if nameservice (bind) is running?"
minute: '*/23'
hour: '*'
job: /root/bin/monitoring/check_dns.sh
- name: "Check if Resolver (systemd-resolved) is up and running?"
minute: '*/23'
hour: '*'
job: bin/monitoring/check_systemd_resolved.sh
- name: "Check if Postfix Mailservice is up and running?"
minute: '*/15'
minute: '*/17'
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
- name: "Check if SSH service is up and running?"
minute: '*/15'
minute: '*/13'
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if OpenVPN service is up and running?"
minute: '*/30'
minute: '*/29'
hour: '*'
job: /root/bin/monitoring/check_vpn.sh
- name: "Check if nameservice (bind) is running?"
minute: '*/10'
hour: '*'
job: /root/bin/monitoring/check_dns.sh
- name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )"
minute: '0-59/2'
hour: '*'
job: /root/bin/monitoring/check_forwarding.sh
- name: "Copy gateway configuration"
minute: '09'
hour: '3'
job: /root/bin/manage-gw-config/copy_gateway-config.sh ELSTER
- name: "Speedtest"
minute: 13
hour: 0-8
job: /root/bin/admin-stuff/speedtest.sh
#cron_user_special_time_entries: []
cron_user_special_time_entries:
- name: "Check if Postfix Service is running at boot time"
special_time: reboot
job: "sleep 7 ; /root/bin/monitoring/check_postfix.sh"
insertafter: PATH
- name: "Restart Systemd's resolved at boottime."
special_time: reboot
job: "sleep 10 ; /bin/systemctl restart systemd-resolved"
insertafter: PATH
- name: "Restart NTP service 'ntpsec'"
special_time: reboot
job: "sleep 15 ; /bin/systemctl restart ntpsec"

43
host_vars/gw-fhxb.oopen.de.yml
View File

@@ -160,6 +160,49 @@ resolved_fallback_nameserver:
# vars used by roles/common/tasks/cron.yml
# ---
cron_user_entries:
- name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )"
minute: '0-59/3'
hour: '*'
job: /root/bin/monitoring/check_forwarding.sh
- name: "Check if nameservice (bind) is running?"
minute: '*/23'
hour: '*'
job: /root/bin/monitoring/check_dns.sh
- name: "Check if Resolver (systemd-resolved) is up and running?"
minute: '*/23'
hour: '*'
job: bin/monitoring/check_systemd_resolved.sh
- name: "Check if Postfix Mailservice is up and running?"
minute: '*/17'
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
- name: "Check if SSH service is up and running?"
minute: '*/13'
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if OpenVPN service is up and running?"
minute: '*/29'
hour: '*'
job: /root/bin/monitoring/check_vpn.sh
- name: "Copy gateway configuration"
minute: '09'
hour: '3'
job: /root/bin/manage-gw-config/copy_gateway-config.sh FHXB
- name: "Speedtest"
minute: 13
hour: 0-8
job: /root/bin/admin-stuff/speedtest.sh
cron_user_special_time_entries:
- name: "Restart NTP service 'ntpsec'"

47
host_vars/gw-flr.oopen.de.yml
View File

@@ -79,53 +79,52 @@ network_interfaces:
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_user_entries:
- name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )"
minute: '0-59/3'
hour: '*'
job: /root/bin/monitoring/check_forwarding.sh
- name: "Check if nameservice (bind) is running?"
minute: '*/23'
hour: '*'
job: /root/bin/monitoring/check_dns.sh
- name: "Check if Resolver (systemd-resolved) is up and running?"
minute: '*/23'
hour: '*'
job: bin/monitoring/check_systemd_resolved.sh
- name: "Check if Postfix Mailservice is up and running?"
minute: '*/15'
minute: '*/17'
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
- name: "Check if SSH service is up and running?"
minute: '*/15'
minute: '*/13'
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if OpenVPN service is up and running?"
minute: '*/30'
minute: '*/29'
hour: '*'
job: /root/bin/monitoring/check_vpn.sh
- name: "Check if nameservice (bind) is running?"
minute: '*/10'
hour: '*'
job: /root/bin/monitoring/check_dns.sh
- name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )"
minute: '0-59/2'
hour: '*'
job: /root/bin/monitoring/check_forwarding.sh
- name: "Copy gateway configuration"
minute: '09'
hour: '3'
job: /root/bin/manage-gw-config/copy_gateway-config.sh FLR-BRB
- name: "Speedtest"
minute: 13
hour: 0-8
job: /root/bin/admin-stuff/speedtest.sh
#cron_user_special_time_entries: []
cron_user_special_time_entries:
- name: "Check if Postfix Service is running at boot time"
special_time: reboot
job: "sleep 7 ; /root/bin/monitoring/check_postfix.sh"
insertafter: PATH
- name: "Restart Systemd's resolved at boottime."
special_time: reboot
job: "sleep 10 ; /bin/systemctl restart systemd-resolved"
insertafter: PATH
- name: "Restart NTP service 'ntpsec'"
special_time: reboot
job: "sleep 15 ; /bin/systemctl restart ntpsec"

51
host_vars/gw-fm.oopen.de.yml
View File

@@ -180,54 +180,49 @@ resolved_fallback_nameserver:
cron_user_entries:
- name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )"
minute: '0-59/3'
hour: '*'
job: /root/bin/monitoring/check_forwarding.sh
- name: "Check if nameservice (bind) is running?"
minute: '*/23'
hour: '*'
job: /root/bin/monitoring/check_dns.sh
- name: "Check if Resolver (systemd-resolved) is up and running?"
minute: '*/23'
hour: '*'
job: bin/monitoring/check_systemd_resolved.sh
- name: "Check if Postfix Mailservice is up and running?"
minute: '*/15'
minute: '*/17'
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
- name: "Check if SSH service is up and running?"
minute: '*/15'
minute: '*/13'
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if OpenVPN service is up and running?"
minute: '*/30'
minute: '*/29'
hour: '*'
job: /root/bin/monitoring/check_vpn.sh
- name: "Check if nameservice (bind) is running?"
minute: '*/10'
hour: '*'
job: /root/bin/monitoring/check_dns.sh
- name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )"
minute: '0-59/2'
hour: '*'
job: /root/bin/monitoring/check_forwarding.sh
# - name: "Speedtest"
# minute: '17'
# hour: '*0-8'
# job: /root/bin/admin-stuff/speedtest.sh
- name: "Copy gateway configuration"
minute: '09'
hour: '3'
job: /root/bin/manage-gw-config/copy_gateway-config.sh FM
- name: "Speedtest"
minute: 13
hour: 0-8
job: /root/bin/admin-stuff/speedtest.sh
cron_user_special_time_entries:
- name: "Check if Postfix Service is running at boot time"
special_time: reboot
job: "sleep 7 ; /root/bin/monitoring/check_postfix.sh"
insertafter: PATH
- name: "Restart Systemd's resolved at boottime."
special_time: reboot
job: "sleep 10 ; /bin/systemctl restart systemd-resolved"
insertafter: PATH
- name: "Restart NTP service 'ntpsec'"
special_time: reboot
job: "sleep 15 ; /bin/systemctl restart ntpsec"

48
host_vars/gw-irights.oopen.de.yml
View File

@@ -78,50 +78,50 @@ network_interfaces:
cron_user_entries:
- name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )"
minute: '0-59/3'
hour: '*'
job: /root/bin/monitoring/check_forwarding.sh
- name: "Check if nameservice (bind) is running?"
minute: '*/23'
hour: '*'
job: /root/bin/monitoring/check_dns.sh
- name: "Check if Resolver (systemd-resolved) is up and running?"
minute: '*/23'
hour: '*'
job: bin/monitoring/check_systemd_resolved.sh
- name: "Check if Postfix Mailservice is up and running?"
minute: '*/15'
minute: '*/17'
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
- name: "Check if SSH service is up and running?"
minute: '*/15'
minute: '*/13'
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if OpenVPN service is up and running?"
minute: '*/30'
minute: '*/29'
hour: '*'
job: /root/bin/monitoring/check_vpn.sh
- name: "Check if nameservice (bind) is running?"
minute: '*/10'
hour: '*'
job: /root/bin/monitoring/check_dns.sh
- name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )"
minute: '0-59/2'
hour: '*'
job: /root/bin/monitoring/check_forwarding.sh
- name: "Copy gateway configuration"
minute: '09'
hour: '3'
job: /root/bin/manage-gw-config/copy_gateway-config.sh FLR-BRB
job: /root/bin/manage-gw-config/copy_gateway-config.sh iRights
- name: "Speedtest"
minute: 13
hour: 0-8
job: /root/bin/admin-stuff/speedtest.sh
#cron_user_special_time_entries: []
cron_user_special_time_entries:
- name: "Check if Postfix Service is running at boot time"
special_time: reboot
job: "sleep 7 ; /root/bin/monitoring/check_postfix.sh"
insertafter: PATH
- name: "Restart Systemd's resolved at boottime."
special_time: reboot
job: "sleep 10 ; /bin/systemctl restart systemd-resolved"
insertafter: PATH
- name: "Restart NTP service 'ntpsec'"
special_time: reboot
job: "sleep 15 ; /bin/systemctl restart ntpsec"

45
host_vars/gw-km.oopen.de.yml
View File

@@ -69,50 +69,49 @@ network_interfaces:
cron_user_entries:
- name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )"
minute: '0-59/3'
hour: '*'
job: /root/bin/monitoring/check_forwarding.sh
- name: "Check if nameservice (bind) is running?"
minute: '*/23'
hour: '*'
job: /root/bin/monitoring/check_dns.sh
- name: "Check if Resolver (systemd-resolved) is up and running?"
minute: '*/23'
hour: '*'
job: bin/monitoring/check_systemd_resolved.sh
- name: "Check if Postfix Mailservice is up and running?"
minute: '*/15'
minute: '*/17'
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
- name: "Check if SSH service is up and running?"
minute: '*/15'
minute: '*/13'
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if OpenVPN service is up and running?"
minute: '*/30'
minute: '*/29'
hour: '*'
job: /root/bin/monitoring/check_vpn.sh
- name: "Check if nameservice (bind) is running?"
minute: '*/10'
hour: '*'
job: /root/bin/monitoring/check_dns.sh
- name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )"
minute: '0-59/2'
hour: '*'
job: /root/bin/monitoring/check_forwarding.sh
- name: "Copy gateway configuration"
minute: '09'
hour: '3'
job: /root/bin/manage-gw-config/copy_gateway-config.sh ANW-KM
- name: "Speedtest"
minute: 13
hour: 0-8
job: /root/bin/admin-stuff/speedtest.sh
#cron_user_special_time_entries: []
cron_user_special_time_entries:
- name: "Check if Postfix Service is running at boot time"
special_time: reboot
job: "sleep 7 ; /root/bin/monitoring/check_postfix.sh"
insertafter: PATH
- name: "Restart Systemd's resolved at boottime."
special_time: reboot
job: "sleep 10 ; /bin/systemctl restart systemd-resolved"
insertafter: PATH
- name: "Restart NTP service 'ntpsec'"
special_time: reboot
job: "sleep 15 ; /bin/systemctl restart ntpsec"

364
host_vars/gw-mbr.oopen.de.yml Normal file
View File

@@ -0,0 +1,364 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
network_manage_devices: True
# Should the interfaces be reloaded after config change?
network_interface_reload: False
network_interface_path: /etc/network/interfaces.d
network_interface_required_packages:
- vlan
- bridge-utils
- ifmetric
- ifupdown
- ifenslave
network_interfaces:
- device: enp0s20f0
headline: enp0s20f0 - Uplink DSL via Fritz!Box
auto: true
family: inet
method: static
address: 172.16.112.1/24
gateway: 172.16.112.254
- device: enp0s20f1
headline: enp0s20f1 - LAN
auto: true
family: inet
method: static
address: 192.168.112.254/24
- device: enp0s20f1:ns
headline: enp0s20f1:ns - Alias on enp0s20f1 (Nameserver)
auto: true
family: inet
method: static
address: 192.168.112.1/32
- device: enp0s20f1:wlan
headline: enp0s20f1:ns - Alias on enp0s20f1 (WLAN)
auto: false
family: inet
method: static
address: 192.168.113.254/24
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
sshd_hostkeyalgorithms:
- ssh-ed25519
- ssh-ed25519-cert-v01@openssh.com
- rsa-sha2-256
- rsa-sha2-512
- ecdsa-sha2-nistp256
- rsa-sha2-256-cert-v01@openssh.com
- rsa-sha2-512-cert-v01@openssh.com
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/users
# ---
default_user:
- name: chris
password: $y$j9T$JPKlR6kIk7GJStSdmAQWq/$e1vJER6KL/dk1diFNtC.COw9lu2uT6ZdrUgGcNVb912
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: sysadm
user_id: 1050
group_id: 1050
group: sysadm
password: $y$j9T$sHxqz7NyYdn38ZegSbewO.$PPHR0n.XeMcS3AQ9KybllBT.2hxpYlQ7AiVhxHgUOX8
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: localadmin
user_id: 1051
group_id: 1051
group: localadmin
home: /home/localadmin
password: $y$j9T$1WH8G2UkuN1jjp4QLuoeC0$dXpOnJUfMMAqAXlwN8XD0pq78r.a4UZOgt3LY4afxy/
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- name: back
user_id: 1060
group_id: 1060
group: back
password: $y$j9T$WmitGB98lhPLJ39Iy4YfH.$irv0LP1bB5ImQKBUr1acEif6Ed6zDu6gLQuGQd/i5s0
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd0AwTHbDBK4Dgs+IZWmtnDBjoVIogOUvkLIYvsff1y root@backup.open.de'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINj0nCdFOZm51AVCfPbZ22QROIEiboXZ7RamHvM2E9IM root@backup.warenform.de'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQMCGCyIvs5hoNDoTIkKvKmEbxLf+uCYI1vx//ZQYY root@o26-backup'
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 127.0.0.1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- mbr-bln.netz
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_user_entries:
- name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )"
minute: '0-59/3'
hour: '*'
job: /root/bin/monitoring/check_forwarding.sh
- name: "Check if nameservice (bind) is running?"
minute: '*/23'
hour: '*'
job: /root/bin/monitoring/check_dns.sh
- name: "Check if Resolver (systemd-resolved) is up and running?"
minute: '*/23'
hour: '*'
job: bin/monitoring/check_systemd_resolved.sh
- name: "Check if Postfix Mailservice is up and running?"
minute: '*/17'
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
- name: "Check if SSH service is up and running?"
minute: '*/13'
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if OpenVPN service is up and running?"
minute: '*/29'
hour: '*'
job: /root/bin/monitoring/check_vpn.sh
- name: "Copy gateway configuration"
minute: '09'
hour: '3'
job: /root/bin/manage-gw-config/copy_gateway-config.sh MBR
- name: "Speedtest"
minute: 13
hour: 0-8
job: /root/bin/admin-stuff/speedtest.sh
cron_user_special_time_entries:
- name: "Restart NTP service 'ntpsec'"
special_time: reboot
job: "sleep 15 ; /bin/systemctl restart ntpsec"
insertafter: PATH
# ---
# vars used by roles/common/tasks/users.yml
# ---
insert_ssh_keypair_backup_server: false
ssh_keypair_backup_server:
- name: backup
backup_user: back
priv_key_src: root/.ssh/id_rsa.backup.oopen.de
priv_key_dest: /root/.ssh/id_rsa
pub_key_src: root/.ssh/id_rsa.backup.oopen.de.pub
pub_key_dest: /root/.ssh/id_rsa.pub
insert_keypair_backup_client: true
ssh_keypair_backup_client:
- name: backup
priv_key_src: root/.ssh/id_ed25519.oopen-server
priv_key_dest: /root/.ssh/id_ed25519
pub_key_src: root/.ssh/id_ed25519.oopen-server.pub
pub_key_dest: /root/.ssh/id_ed25519.pub
target: backup.oopen.de
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
install_bind_packages: true
bind9_gateway_acl:
- local-net:
name: local-net
entries:
- 127.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 10.0.0.0/8
- fc00::/7
- fe80::/10
- ::1/128
bind9_gateway_listen_on_v6:
- none
bind9_gateway_listen_on:
- any
#bind9_gateway_allow_transfer: {}
bind9_transfer_source: !!str "192.168.112.1"
bind9_notify_source: !!str "192.168.112.1"
#bind9_gateway_allow_query: {}
bind9_gateway_allow_query:
- local-net
#bind9_gateway_allow_query_cache: {}
bind9_gateway_allow_query_cache:
- local-net
bind9_gateway_recursion: !!str "yes"
#bind9_gateway_allow_recursion: {}
bind9_gateway_allow_recursion:
- local-net
# ---
# vars used by roles/common/tasks/git.yml
# ---
git_firewall_repository:
name: ipt-gateway
repo: https://git.oopen.de/firewall/ipt-gateway
dest: /usr/local/src/ipt-gateway
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.

43
host_vars/gw-opp.oopen.de.yml
View File

@@ -160,6 +160,49 @@ resolved_fallback_nameserver:
# vars used by roles/common/tasks/cron.yml
# ---
cron_user_entries:
- name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )"
minute: '0-59/3'
hour: '*'
job: /root/bin/monitoring/check_forwarding.sh
- name: "Check if nameservice (bind) is running?"
minute: '*/23'
hour: '*'
job: /root/bin/monitoring/check_dns.sh
- name: "Check if Resolver (systemd-resolved) is up and running?"
minute: '*/23'
hour: '*'
job: bin/monitoring/check_systemd_resolved.sh
- name: "Check if Postfix Mailservice is up and running?"
minute: '*/17'
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
- name: "Check if SSH service is up and running?"
minute: '*/13'
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if OpenVPN service is up and running?"
minute: '*/29'
hour: '*'
job: /root/bin/monitoring/check_vpn.sh
- name: "Copy gateway configuration"
minute: '09'
hour: '3'
job: /root/bin/manage-gw-config/copy_gateway-config.sh OPP
- name: "Speedtest"
minute: 13
hour: 0-8
job: /root/bin/admin-stuff/speedtest.sh
cron_user_special_time_entries:
- name: "Restart NTP service 'ntpsec'"

42
host_vars/gw-spr.oopen.de.yml
View File

@@ -115,6 +115,48 @@ resolved_fallback_nameserver:
# vars used by roles/common/tasks/cron.yml
# ---
cron_user_entries:
- name: "Check forwarding ( /proc/sys/net/ipv4/ip_forward contains \"1\" )"
minute: '0-59/3'
hour: '*'
job: /root/bin/monitoring/check_forwarding.sh
- name: "Check if nameservice (bind) is running?"
minute: '*/23'
hour: '*'
job: /root/bin/monitoring/check_dns.sh
- name: "Check if Resolver (systemd-resolved) is up and running?"
minute: '*/23'
hour: '*'
job: bin/monitoring/check_systemd_resolved.sh
- name: "Check if Postfix Mailservice is up and running?"
minute: '*/17'
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
- name: "Check if SSH service is up and running?"
minute: '*/13'
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if OpenVPN service is up and running?"
minute: '*/29'
hour: '*'
job: /root/bin/monitoring/check_vpn.sh
- name: "Copy gateway configuration"
minute: '09'
hour: '3'
job: /root/bin/manage-gw-config/copy_gateway-config.sh SPR-BE
- name: "Speedtest"
minute: 13
hour: 0-8
job: /root/bin/admin-stuff/speedtest.sh
cron_user_special_time_entries:
- name: "Restart NTP service 'ntpsec'"

4
host_vars/lists.mx.warenform.de.yml
View File

@@ -148,10 +148,6 @@ root_ssh_keypair:
copy_plain_files:
- name: monitoring_check_webservice_load.conf
src_path: lists.mx.warenform/root/bin/monitoring/conf/check_webservice_load.conf
dest_path: /root/bin/monitoring/conf/check_webservice_load.conf
- name: postfix_create_opendkim_key.conf
src_path: lists.mx.warenform/root/bin/postfix/conf/create_opendkim_key.conf
dest_path: /root/bin/postfix/conf/create_opendkim_key.conf

4
host_vars/mail-neu.cadus.org.yml
View File

@@ -89,10 +89,6 @@ copy_plain_files:
src_path: mail.cadus/root/bin/monitoring/conf/check_cert_for_dovecot.conf
dest_path: /root/bin/monitoring/conf/check_cert_for_dovecot.conf
- name: monitoring_check_webservice_load.conf
src_path: mail.cadus/root/bin/monitoring/conf/check_webservice_load.conf
dest_path: /root/bin/monitoring/conf/check_webservice_load.conf
# /root/bin/postfix
#
- name: postfix_create_opendkim_key.conf

32
host_vars/mail.cadus.org.yml
View File

@@ -159,10 +159,6 @@ copy_plain_files:
src_path: mail.cadus/root/bin/monitoring/conf/check_cert_for_dovecot.conf
dest_path: /root/bin/monitoring/conf/check_cert_for_dovecot.conf
- name: monitoring_check_webservice_load.conf
src_path: mail.cadus/root/bin/monitoring/conf/check_webservice_load.conf
dest_path: /root/bin/monitoring/conf/check_webservice_load.conf
# /root/bin/postfix
#
- name: postfix_create_opendkim_key.conf
@@ -246,21 +242,35 @@ si_authorisation_signature: abb4ec6b194639f3d123154f1b971843a3b8751d8c1bcdc7d07e
website_name_postfixadmin: adm.cadus.org
email_welcome_message: "\n
Hallo,\n
Hello,
Ihre/Deine neue E-Mail Adresse ist eingerichtet.\n
Your email address has been set up.
Cadus e.V. - Redefine Global Solidarity\n
--\n
Cadus e.V.\n
Am Sudhaus 2\n
D-12053 Berlin\n
Holzmarktstr. 25\n
D-10243 Berlin\n
admin@cadus.org\n
"
# install_update_dovecot.conf
#email_welcome_message: "\n
#Hallo,\n
#
#Ihre/Deine neue E-Mail Adresse ist eingerichtet.\n
#
#Cadus e.V. - Redefine Global Solidarity\n
#
#--\n
#Cadus e.V.\n
#Am Sudhaus 2\n
#D-12053 Berlin\n
#admin@cadus.org\n
#"
# install_update_dovecot.conf
dovecot_msg_language: en
dovecot_from_address: "Administrator E-Mail <admin@cadus.org>"
dovecot_reply_to: "admin@cadus.org"
webmailer_address: "https://webmail.cadus.org"
@@ -268,8 +278,8 @@ salutation: "Cadus e.V. - Redefine Global Solidarity\n
--\n
Cadus e.V.\n
Am Sudhaus 2\n
D-12053 Berlin\n
Holzmarktstr. 25\n
D-10243 Berlin\n
admin@cadus.org\n
"

4
host_vars/mail.faire-mobilitaet.de.yml
View File

@@ -159,10 +159,6 @@ copy_plain_files:
src_path: mail.faire-mobilitaet/root/bin/monitoring/conf/check_cert_for_dovecot.conf
dest_path: /root/bin/monitoring/conf/check_cert_for_dovecot.conf
- name: monitoring_check_webservice_load.conf
src_path: mail.faire-mobilitaet/root/bin/monitoring/conf/check_webservice_load.conf
dest_path: /root/bin/monitoring/conf/check_webservice_load.conf
# /root/bin/postfix
#
- name: postfix_create_opendkim_key.conf

4
host_vars/mx.warenform.de.yml
View File

@@ -154,10 +154,6 @@ copy_plain_files:
src_path: mx.warenform/root/bin/monitoring/conf/check_cert_for_dovecot.conf
dest_path: /root/bin/monitoring/conf/check_cert_for_dovecot.conf
- name: monitoring_check_webservice_load.conf
src_path: mx.warenform/root/bin/monitoring/conf/check_webservice_load.conf
dest_path: /root/bin/monitoring/conf/check_webservice_load.conf
# /root/bin/postfix
#
- name: postfix_create_opendkim_key.conf

9
host_vars/o12.oopen.de.yml
View File

@@ -240,11 +240,6 @@ cron_user_special_time_entries:
job: "sleep 10 ; /root/bin/monitoring/check_postfix.sh > /dev/null 2>&1"
insertafter: PATH
- name: "Check if Check if all autostart LX-Container are running."
special_time: reboot
job: "sleep 120 ; /root/bin/LXC/boot-autostart-lx-container.sh"
insertafter: PATH
cron_user_entries:
@@ -273,8 +268,8 @@ cron_user_entries:
hour: '*'
job: /root/bin/monitoring/check_ntpsec_service.sh > /dev/null 2>&1
- name: "Check if all autostart LX-Container are running.?"
minute: '*/10'
- name: "Check if all autostart LX-Container are running."
minute: '*/9'
hour: '*'
job: /root/bin/LXC/boot-autostart-lx-container.sh

12
host_vars/o13-mail.oopen.de.yml
View File

@@ -154,10 +154,6 @@ copy_plain_files:
src_path: o13-mail/root/bin/monitoring/conf/check_cert_for_dovecot.conf
dest_path: /root/bin/monitoring/conf/check_cert_for_dovecot.conf
- name: monitoring_check_webservice_load.conf
src_path: o13-mail/root/bin/monitoring/conf/check_webservice_load.conf
dest_path: /root/bin/monitoring/conf/check_webservice_load.conf
# /root/bin/postfix
#
- name: postfix_check-postfix-fatal-errors.conf
@@ -167,14 +163,6 @@ copy_plain_files:
copy_plain_files_postfwd_host_specific:
- name: header_checks.pcre
src_path: o13-mail/etc/postfix/header_checks.pcre
dest_path: /etc/postfix/header_checks.pcre
- name: postfwd.wl-hosts
src_path: o13-mail/etc/postfix/postfwd.wl-hosts
dest_path: /etc/postfix/postfwd.wl-hosts
- name: postfwd.wl-hosts
src_path: o13-mail/etc/postfix/postfwd.wl-hosts
dest_path: /etc/postfix/postfwd.wl-hosts

4
host_vars/o19.oopen.de.yml
View File

@@ -143,6 +143,10 @@ network_interfaces:
# vars used by roles/common/tasks/apt.yml
# ---
apt_install_extra_pkgs: true
apt_extra_pkgs:
- systemd-cryptsetup
# ---
# vars used by roles/common/tasks/systemd-resolved.yml

5
host_vars/o25.oopen.de.yml
View File

@@ -395,6 +395,11 @@ cron_user_entries:
hour: '6'
job: /root/bin/admin-stuff/check-disc-usage.sh -c 85
- name: "Check if Check if all autostart LX-Container are running."
minute: '*/9'
hour: '*'
job: /root/bin/LXC/boot-autostart-lx-container.sh
# ---
# vars used by roles/common/tasks/users.yml

4
host_vars/o29.oopen.de.yml
View File

@@ -146,6 +146,10 @@ network_interfaces:
# vars used by roles/common/tasks/apt.yml
# ---
apt_install_extra_pkgs: true
apt_extra_pkgs:
- systemd-cryptsetup
# ---
# vars used by roles/common/tasks/systemd-resolved.yml

4
host_vars/o31.oopen.de.yml
View File

@@ -148,6 +148,10 @@ network_interfaces:
# vars used by roles/common/tasks/apt.yml
# ---
apt_install_extra_pkgs: true
apt_extra_pkgs:
- systemd-cryptsetup
# ---
# vars used by roles/common/tasks/systemd-resolved.yml

4
host_vars/o38.oopen.de.yml
View File

@@ -143,6 +143,10 @@ network_interfaces:
# vars used by roles/common/tasks/apt.yml
# ---
apt_install_extra_pkgs: true
apt_extra_pkgs:
- systemd-cryptsetup
# ---
# vars used by roles/common/tasks/systemd-resolved.yml

330
host_vars/o44.oopen.de.yml Normal file
View File

@@ -0,0 +1,330 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
network_manage_devices: True
# Should the interfaces be reloaded after config change?
network_interface_reload: False
network_interface_path: /etc/network/interfaces.d
network_interface_required_packages:
- vlan
- bridge-utils
- ifmetric
- ifupdown
- ifenslave
network_interfaces:
- device: br0
# use only once per device (for the first device entry)
headline: br0 - bridge over device enp6s0
# auto & allow are only used for the first device entry
allow: [] # array of allow-[stanzas] eg. allow-hotplug
auto: true
family: inet
method: static
hwaddress: 9c:6b:00:0c:03:7e
description:
address: 148.251.194.59
netmask: 26
gateway: 148.251.194.1
metric:
pointopoint:
mtu:
scope:
# additional user by dhcp method
#
hostname:
leasehours:
leasetime:
vendor:
client:
# additional used by bootp method
#
bootfile:
server:
hwaddr:
# optional dns settings nameservers: []
#
# nameservers:
# - 194.150.168.168 # dns.as250.net
# - 91.239.100.100 # anycast.censurfridns.dk
# search: warenform.de
#
# ** MOVED TO systemd-resolved
#
nameservers:
search:
# optional bridge parameters bridge: {}
# bridge:
# ports:
# stp:
# fd:
# maxwait:
# waitport:
bridge:
ports: enp6s0 # for mor devices support a blank separated list
stp: !!str off
fd: 5
hello: 2
maxage: 12
# optional bonding parameters bond: {}
# bond:
# master
# primary
# slave
# method:
# miimon:
# lacp-rate:
# ad-select-rate:
# master:
# slaves:
bond: {}
# optional vlan settings | vlan: {}
# vlan: {}
# raw-device: 'eth0'
vlan: {}
# inline hook scripts
pre-up: [] # pre-up script lines
up:
- !!str "route add -net 148.251.194.0 netmask 255.255.255.192 gw 148.251.194.1 dev br0" # up script lines
post-up: [] # post-up script lines (alias for up)
pre-down: [] # pre-down script lines (alias for down)
down: [] # down script lines
post-down: [] # post-down script lines
- device: br0
family: inet6
method: static
address: '2a01:4f8:211:f89::2'
netmask: 64
gateway: 'fe80::1'
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
apt_install_extra_pkgs: true
apt_extra_pkgs:
- systemd-cryptsetup
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 185.12.64.1
- 2a01:4ff:ff00::add:2
- 185.12.64.2
- 2a01:4ff:ff00::add:1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- oopen.de
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 194.150.168.168
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_env_entries:
- name: PATH
job: /root/bin/admin-stuff;/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
- name: SHELL
job: /bin/bash
insertafter: PATH
cron_user_special_time_entries:
- name: "Restart DNS Cache service 'systemd-resolved'"
special_time: reboot
job: "sleep 5 ; /bin/systemctl restart systemd-resolved"
insertafter: PATH
- name: "Check if postfix mailservice is running. Restart service if needed."
special_time: reboot
job: "sleep 10 ; /root/bin/monitoring/check_postfix.sh > /dev/null 2>&1"
insertafter: PATH
- name: "Check if Check if all autostart LX-Container are running."
special_time: reboot
job: "sleep 120 ; /root/bin/LXC/boot-autostart-lx-container.sh"
insertafter: PATH
- name: "Restart NTP service 'ntpsec'"
special_time: reboot
job: "sleep 2 ; /bin/systemctl restart ntpsec > /dev/null 2>&1"
insertafter: PATH
cron_user_entries:
- name: "Check if SSH service is running. Restart service if needed."
minute: '*/5'
hour: '*'
job: /root/bin/monitoring/check_ssh.sh
- name: "Check if Postfix Mailservice is up and running?"
minute: '*/15'
hour: '*'
job: /root/bin/monitoring/check_postfix.sh
- name: "Check if NTP service 'ntpsec' is up and running?"
minute: '*/30'
hour: '*'
job: /root/bin/monitoring/check_ntpsec_service.sh > /dev/null 2>&1
- name: "Check hard disc usage."
minute: '43'
hour: '6'
job: /root/bin/admin-stuff/check-disc-usage.sh -c 85
# ---
# vars used by roles/common/tasks/users.yml
# ---
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
git_firewall_repository:
name: ipt-server
repo: https://git.oopen.de/firewall/ipt-server
dest: /usr/local/src/ipt-server
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.

8
host_vars/rage.so36.net.yml
View File

@@ -147,14 +147,6 @@ copy_plain_files:
copy_plain_files_postfwd_host_specific:
- name: header_checks.pcre
src_path: rage/etc/postfix/header_checks.pcre
dest_path: /etc/postfix/header_checks.pcre
- name: postfwd.wl-hosts
src_path: rage/etc/postfix/postfwd.wl-hosts
dest_path: /etc/postfix/postfwd.wl-hosts
- name: postfwd.wl-hosts
src_path: rage/etc/postfix/postfwd.wl-hosts
dest_path: /etc/postfix/postfwd.wl-hosts

10
host_vars/server22.warenform.de.yml
View File

@@ -231,11 +231,6 @@ cron_user_special_time_entries:
job: "sleep 10 ; /root/bin/monitoring/check_postfix.sh > /dev/null 2>&1"
insertafter: PATH
- name: "Check if Check if all autostart LX-Container are running."
special_time: reboot
job: "sleep 120 ; /root/bin/LXC/boot-autostart-lx-container.sh"
insertafter: PATH
cron_user_entries:
@@ -264,6 +259,11 @@ cron_user_entries:
hour: '6'
job: /root/bin/admin-stuff/check-disc-usage.sh -c 85
- name: "Check if all autostart LX-Container are running."
minute: '*/9'
hour: '*'
job: /root/bin/LXC/boot-autostart-lx-container.sh
# ---
# vars used by roles/common/tasks/users.yml

10
host_vars/server25.warenform.de.yml
View File

@@ -239,11 +239,6 @@ cron_user_special_time_entries:
job: "sleep 10 ; /root/bin/monitoring/check_postfix.sh > /dev/null 2>&1"
insertafter: PATH
- name: "Check if Check if all autostart LX-Container are running."
special_time: reboot
job: "sleep 120 ; /root/bin/LXC/boot-autostart-lx-container.sh"
insertafter: PATH
cron_user_entries:
@@ -272,6 +267,11 @@ cron_user_entries:
hour: '6'
job: /root/bin/admin-stuff/check-disc-usage.sh -c 85
- name: "Check if all autostart LX-Container are running."
minute: '*/9'
hour: '*'
job: /root/bin/LXC/boot-autostart-lx-container.sh
# ---
# vars used by roles/common/tasks/users.yml

488
host_vars/zapata-alt.opp.netz.yml Normal file
View File

@@ -0,0 +1,488 @@
---
# ---
# vars used by roles/network_interfaces
# ---
# If true, all additional files in /etc/network/interfaces/interfaces.d/ are deleted
network_manage_devices: True
# Should the interfaces be reloaded after config change?
network_interface_reload: False
network_interface_path: /etc/network/interfaces.d
network_interface_required_packages:
- vlan
- bridge-utils
- ifmetric
- ifupdown
- ifenslave
network_interfaces:
- device: eno1
# use only once per device (for the first device entry)
headline: eno1 - The primary network interface
# auto & allow are only used for the first device entry
allow: [] # array of allow-[stanzas] eg. allow-hotplug
auto: true
family: inet
method: static
description:
address: 192.168.62.21
netmask: 24
gateway: 192.168.62.254
# optional dns settings nameservers: []
#
# nameservers:
# - 194.150.168.168 # dns.as250.net
# - 91.239.100.100 # anycast.censurfridns.dk
# search: warenform.de
#
#nameservers:
# - 192.168.62.1
#search: opp.netz
# ---
# vars used by roles/ansible_dependencies
# ---
# ---
# vars used by roles/ansible_user
# ---
# ---
# vars used by roles/common/tasks/basic.yml
# ---
# ---
# vars used by roles/common/tasks/sshd.yml
# ---
# ---
# vars used by roles/common/tasks/apt.yml
# ---
# ---
# vars used by roles/common/tasks/systemd-resolved.yml
# ---
systemd_resolved: true
# CyberGhost - Schnelle Verbindung mit Keine-Logs-Datenschutzrichtlinie
# Primäre DNS-Adresse: 38.132.106.139
# Sekundäre DNS-Adresse: 194.187.251.67
#
# Cloudflare (USA) Bester kostenloser DNS-Server für Gaming mit zuverlässigen Verbindungen
# primäre DNS-Adresse
# IPv4: 1.1.1.1
# IPv6: 2606:4700:4700::1111
# sekundäre DNS-Adresse
# IPv4: 1.0.0.1
# IPv6: 2606:4700:4700::1001
#
# Google (USA) Public DNS - Großartige Kombination aus Geschwindigkeit und Sicherheit
# primäre DNS-Adresse
# IPv4: 8.8.8.8
# IPv6: 2001:4860:4860::8888
# sekundäre DNS-Adresse
# IPv4: 8.8.4.4
# IPv6: 2001:4860:4860::8844
#
# Quad9 (CH) - Blockiert mühelos schädliche Seiten und verhindert Phishing-Betrug
# primäre DNS-Adresse
# IPv4: 9.9.9.9
# IPv6: 2620:fe::fe
# sekundäre DNS-Adresse
# IPv4: 149.112.112.112
# IPv6: 2620:fe::9
#
# OpenNIC - https://www.opennic.org/
# IPv4: 195.10.195.195 - ns31.de
# IPv4: 94.16.114.254 - ns28.de
# IPv4: 51.254.162.59 - ns9.de
# IPv4: 194.36.144.87 - ns29.de
# IPv6: 2a00:f826:8:2::195 - ns31.de
#
# Freifunk München (normales DNS, DNS-over-TLS und DNS-over-HTTPS)
# IPv4: 5.1.66.255
# IPv6: 2001:678:e68:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# IPv4: 185.150.99.255
# IPv6: 2001:678:ed0:f000::
# Servername für DNS-over-TLS: dot.ffmuc.net
# für iOS 14+: DoT-Server-Konfiguration (unsigniert, vom PrHdb)
resolved_nameserver:
- 192.168.62.1
# search domains
#
# If there are more than one search domains, then specify them here in the order in which
# the resolver should also search them
#
#resolved_domains: []
resolved_domains:
- ~.
- opp.netz
resolved_dnssec: false
# dns.as250.net: 194.150.168.168
#
resolved_fallback_nameserver:
- 172.16.62.254
# ---
# vars used by roles/common/tasks/cron.yml
# ---
cron_user_special_time_entries:
- name: "Restart DNS Cache service 'systemd-resolved'"
special_time: reboot
job: "sleep 10 ; /bin/systemctl restart systemd-resolved"
insertafter: PATH
# ---
# vars used by roles/common/tasks/users.yml
# ---
extra_user:
- name: caracola
user_id: 1075
group_id: 1075
group: carola
# hS-a-6UC5.spCgNS
password: $y$j9T$TKCuCPZsnS.g3M8sPPFvo0$lxoGMooCH.Jyo5tXYEVAXNAlDV73Cj2haNFnrhjmAo6
shell: /bin/bash
ssh_keys:
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO90culn3sicU2chTHn40ytcTay0nUIHap0uF/5fVM6P chris@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQHMUKlDh2ufno5pZOhUY5xFljC1R5zQ/GjOHDkS58D root@sol'
- 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMnap6I+g8xQvSZReP3CjwQ+O7okDhgCkrHaUCveOH8I marcus@caracola'
# ---
# vars used by roles/common/tasks/users-systemfiles.yml
# ---
# ---
# vars used by roles/common/tasks/webadmin-user.yml
# ---
# ---
# vars used by roles/common/tasks/sudoers.yml
# ---
#
# see: roles/common/tasks/vars
# ---
# vars used by roles/common/tasks/caching-nameserver.yml
# ---
# ---
# vars used by roles/common/tasks/git.yml
# ---
# ---
# vars used by roles/common/tasks/samba-config-server.yml
# vars used by roles/common/tasks/samba-user.yml
# ---
samba_server_ip: 192.168.62.21
samba_server_cidr_prefix: 24
samba_workgroup: OPP-ALT
samba_netbios_name: ZAPATA-ALT
samba_server_min_protocol: !!str NT1
samba_allow_insecure_wide_links: !!str yes
samba_groups:
- name: buero
group_id: 1100
- name: beratung
group_id: 1110
- name: verwaltung
group_id: 1120
samba_user:
- name: alba
groups:
- buero
- beratung
password: '4l#3a=behandlg'
- name: almut
groups:
- buero
- beratung
- verwaltung
password: 'Tax!ko11ekt!v'
- name: anika
groups:
- buero
- beratung
password: '4n1k4*adb_23'
- name: anne
groups:
- buero
- beratung
password: 'antilottka110'
- name: birgit
groups:
- buero
- beratung
password: '6/shd9c2.cHE'
# passwort unbekannt
- name: chris
groups:
- buero
- verwaltung
password: !vault |
$ANSIBLE_VAULT;1.1;AES256
63643330373231636537366333326630333265303265653933613835656262323863363038653234
3462653135633266373439626263356636646637643035340a653466356235346663626163306363
61313164643061306433643738643563303036646334376536626531383965303036386162393832
6631333038306462610a356535633265633563633962333137326533633834636331343562633765
3631
- name: carlotta
groups:
- buero
- beratung
password: '20_car-lotta.25%'
- name: cristina
groups:
- buero
- beratung
password: '20_cristina_18!'
- name: dori
groups:
- buero
- beratung
password: 'K4lt3r_hUnD'
- name: drucker
groups:
- buero
password: '20-printer-18'
- name: hanna
groups:
- buero
- beratung
password: '6UR9+#anna-25'
- name: hannes
groups:
- buero
- beratung
password: 'U24Pdm-2'
- name: joschka
groups:
- buero
- beratung
password: '20_joschka_15'
- name: judith
groups:
- buero
- beratung
- verwaltung
password: '20judith14'
- name: julian
groups:
- buero
- beratung
password: 'Jul14n_2018'
- name: juliana
groups:
- buero
- beratung
password: '24-Jul!ana#OPP'
- name: lavinia
groups:
- buero
- beratung
password: '20!lavinia*20'
- name: luise
groups:
- buero
- beratung
password: '24_s.l.h._adb'
- name: magdalena
groups:
- buero
- beratung
password: 'magdalena_23'
- name: marcus
groups:
- buero
- beratung
- verwaltung
password: ''
- name: maria
groups:
- buero
- beratung
password: 'm4ri4+adb22'
- name: martin
groups:
- buero
- beratung
password: '20_martin_18'
- name: opp
groups:
- buero
- beratung
- verwaltung
password: 'DaWirdIhnenGeholfen!'
- name: opp7
groups:
- buero
- beratung
- verwaltung
password: '20_opp6_19!'
- name: paul
groups:
- buero
- beratung
password: '#polsfuss*adb24'
- name: praktikum
groups:
- buero
password: 'praktikant*in_00p'
- name: robin
groups:
- buero
- beratung
password: 'Schattenber!cht#53'
- name: samantha
groups:
- buero
- beratung
password: 'art_12*lvbbg+adb'
- name: simon
groups:
- buero
- beratung
- verwaltung
password: '20_simon_18!'
- name: ute
groups:
- buero
- beratung
password: '23_ut3*obs'
base_home: /home
# remove_samba_users:
# - name: name1
# - name: name2
#
# remove_samba_users: []
remove_samba_users:
- name: unknown
samba_shares:
- name: buero
comment: Büro auf Fileserver
path: /data/samba/OPP/buero
group_valid_users: buero
group_write_list: buero
file_create_mask: !!str 660
dir_create_mask: !!str 2770
wide_links: !!str yes
vfs_object_recycle: true
recycle_path: '@Recycle'
- name: beratung
comment: Beratung auf Fileserver
path: /data/samba/OPP/beratung
group_valid_users: beratung
group_write_list: beratung
file_create_mask: !!str 660
dir_create_mask: !!str 2770
vfs_object_recycle: true
recycle_path: '@Recycle'
- name: verwaltung
comment: Verwaltung auf Fileserver
path: /data/samba/OPP/verwaltung
group_valid_users: verwaltung
group_write_list: verwaltung
file_create_mask: !!str 0660
dir_create_mask: !!str 2770
vfs_object_recycle: true
recycle_path: '@Recycle'
- name: backup
comment: Sicherungen User
path: /data/backup
browseable: !!str yes
read_only: !!str yes
writeable: !!str no
guest_ok: !!str no
file_create_mask: !!str 0664
dir_create_mask: !!str 0755
vfs_object_recycle: false
# ==============================
# ---
# vars used by scripts/reset_root_passwd.yml
# ---
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.

19
host_vars/zapata.opp.netz.yml
View File

@@ -22,9 +22,9 @@ network_interface_required_packages:
network_interfaces:
- device: eno1
- device: eno1np0
# use only once per device (for the first device entry)
headline: eno1 - The primary network interface
headline: eno1np0 - The primary network interface
# auto & allow are only used for the first device entry
allow: [] # array of allow-[stanzas] eg. allow-hotplug
@@ -44,9 +44,9 @@ network_interfaces:
# - 91.239.100.100 # anycast.censurfridns.dk
# search: warenform.de
#
nameservers:
- 192.168.62.1
search: opp.netz
#nameservers:
# - 192.168.62.1
#search: opp.netz
# ---
@@ -259,7 +259,7 @@ samba_user:
groups:
- buero
- beratung
password: '6/shd9c2.cHE'
password: 'b1rg1t#adb'
# passwort unbekannt
- name: chris
@@ -357,7 +357,7 @@ samba_user:
- buero
- beratung
- verwaltung
password: ''
password: '1Gdg1btsnL,dgdB'
- name: maria
groups:
@@ -413,7 +413,8 @@ samba_user:
- buero
- beratung
- verwaltung
password: '20_simon_18!'
password: 'X:0ff3n_'
#password: '20_simon_18!'
- name: ute
groups:
@@ -485,4 +486,4 @@ samba_shares:
root_user:
name: root
password: $6$J1ssJfdshf/$mknQEPDcW4HN5.wFfawbamamywI7F7fhdZmaR1abNrc4DA7DNRx766lz3ygf9YV3gcmRq3QhJ3fBVlkwGMCvq.
password: $y$j9T$6yvHoRpNYxAEmLlG4q4g70$YTGOD5GytpbVMx7Z.vOyLQGJ6NkYOerc29N84Rk.Q0C

59
hosts
View File

@@ -71,14 +71,18 @@ gw-kb.oopen.de
bbb-server.b3-bornim.netz
file-ah.kanzlei-kiel.netz
file-ah-neu.kanzlei-kiel.netz
file-ah-alt.kanzlei-kiel.netz
file-ebs.ebs.netz
file-fm.fm.netz
file-fhxb.fhxb.netz
file-km.anw-km.netz
file-km-neu.anw-km.netz
file-kb.anw-kb.netz
file-blkr.blkr.netz
file-dissens.dissens.netz
zapata.opp.netz
zapata-neu.opp.netz
zapata-alt.opp.netz
gw-replacement.local.netz
gw-replacement2.local.netz
@@ -283,6 +287,10 @@ prometheus-nd.oopen.de
web-nd.oopen.de
test-nd.oopen.de
# o44 - ND cloud
o44.oopen.de
cl-nd.oopen.de
lxc-host-kb.anw-kb.netz
@@ -496,6 +504,10 @@ prometheus-nd.oopen.de
web-nd.oopen.de
test-nd.oopen.de
# o44 - ND cloud
o44.oopen.de
cl-nd.oopen.de
lxc-host-kb.anw-kb.netz
@@ -541,6 +553,7 @@ gw-irights.oopen.de
# - Kanzlei Berenice
gw-km.oopen.de
file-km.anw-km.netz
file-km-neu.anw-km.netz
file-kb.anw-kb.netz
# - Kanzlei BLKR
@@ -566,6 +579,7 @@ gw-elster.oopen.de
gw-ah.oopen.de
file-ah.kanzlei-kiel.netz
file-ah-neu.kanzlei-kiel.netz
file-ah-alt.kanzlei-kiel.netz
# Kanzlei Kreuzbergstraße
gw-kb.oopen.de
@@ -577,6 +591,8 @@ gw-mbr.oopen.de
gw-opp.oopen.de
gw-opp-neu.opp.netz
zapata.opp.netz
zapata-neu.opp.netz
zapata-alt.opp.netz
# Sprachenatelier
gw-spr.oopen.de
@@ -767,6 +783,12 @@ cl-flr.oopen.de
# o43 - ND prometheus, web
web-nd.oopen.de
# o44 - ND cloud
cl-nd.oopen.de
# ND - cloud
o44.oopen.de
cloud-nd.oopen.de
# ---
# O.OPEN office network
@@ -963,8 +985,7 @@ e.mx.oopen.de
d.mx.oopen.de
a.mx.oopen.de
# o36 - b.mx, web-01, web-03,--
web-01.oopen.de
# o36 - b.mx
b.mx.oopen.de
# o40 - g.mx
@@ -1167,6 +1188,9 @@ cl-flr.oopen.de
# o43 - ND prmetheus, web
web-nd.oopen.de
# o44 - ND - cloud
cl-nd.oopen.de
# ---
# Warenform
@@ -1260,6 +1284,9 @@ cl-opp.oopen.de
# 040 - Fluechtlingsrat Berlin
cl-flr.oopen.de
# o44.oopen.de
cl-nd.oopen.de
# ---
# Warenform
# ---
@@ -1388,14 +1415,18 @@ at-10-neu.ak.netz
bbb-server.b3-bornim.netz
file-ah.kanzlei-kiel.netz
file-ah-neu.kanzlei-kiel.netz
file-ah-alt.kanzlei-kiel.netz
file-ebs.ebs.netz
file-fm.fm.netz
file-fhxb.fhxb.netz
file-km.anw-km.netz
file-km-neu.anw-km.netz
file-kb.anw-kb.netz
file-blkr.blkr.netz
file-dissens.dissens.netz
zapata.opp.netz
zapata-neu.opp.netz
zapata-alt.opp.netz
@@ -1405,6 +1436,7 @@ file-blkr.blkr.netz
file-dissens.dissens.netz
file-ah.kanzlei-kiel.netz
file-ah-neu.kanzlei-kiel.netz
file-ah-alt.kanzlei-kiel.netz
file-ebs.ebs.netz
file-fm.fm.netz
file-fhxb.fhxb.netz
@@ -1508,6 +1540,10 @@ o42.oopen.de
# ND - prometheus, web
o43.oopen.de
# ND - cloud
o44.oopen.de
lxc-host-kb.anw-kb.netz
# ---
@@ -1517,10 +1553,14 @@ lxc-host-kb.anw-kb.netz
bbb-server.b3-bornim.netz
file-ah.kanzlei-kiel.netz
file-ah-neu.kanzlei-kiel.netz
file-ah-alt.kanzlei-kiel.netz
file-km.anw-km.netz
file-km-neu.anw-km.netz
file-kb.anw-kb.netz
file-blkr.blkr.netz
zapata.opp.netz
zapata-neu.opp.netz
zapata-alt.opp.netz
# - GA - Gemeinschaft Altensclirf
ga-st-lxc1.ga.netz
@@ -1665,6 +1705,9 @@ prometheus-nd.oopen.de
web-nd.oopen.de
test-nd.oopen.de
# o44 - ND cloud
cl-nd.oopen.de
# ---
# O.OPEN office network
# ---
@@ -1673,14 +1716,18 @@ at-10-neu.ak.netz
bbb-server.b3-bornim.netz
file-ah.kanzlei-kiel.netz
file-ah-neu.kanzlei-kiel.netz
file-ah-alt.kanzlei-kiel.netz
file-ebs.ebs.netz
file-fm.fm.netz
file-fhxb.fhxb.netz
file-km.anw-km.netz
file-km-neu.anw-km.netz
file-kb.anw-kb.netz
file-blkr.blkr.netz
file-dissens.dissens.netz
zapata.opp.netz
zapata-neu.opp.netz
zapata-alt.opp.netz
# - GA - Gemeinschaft Altensclirf
@@ -1899,6 +1946,10 @@ prometheus-nd.oopen.de
web-nd.oopen.de
test-nd.oopen.de
# o44 - ND cloud
o44.oopen.de
cl-nd.oopen.de
# Gemeinchaft Altenschlirf
@@ -1911,14 +1962,18 @@ at-10-neu.ak.netz
bbb-server.b3-bornim.netz
file-ah.kanzlei-kiel.netz
file-ah-neu.kanzlei-kiel.netz
file-ah-alt.kanzlei-kiel.netz
file-ebs.ebs.netz
file-fm.fm.netz
file-fhxb.fhxb.netz
file-km.anw-km.netz
file-km-neu.anw-km.netz
file-kb.anw-kb.netz
file-blkr.blkr.netz
file-dissens.dissens.netz
zapata.opp.netz
zapata-neu.opp.netz
zapata-alt.opp.netz
[gateway_server_ro]

2917
main.yml
View File

File diff suppressed because it is too large Load Diff

262
roles/common/files/a.mx/root/bin/monitoring/conf/check_webservice_load.conf
View File

@@ -1,262 +0,0 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
#---------------------------------------
#-----------------------------
# Settings
#-----------------------------
#---------------------------------------
# ---
# - LOGGING
# -
# - This Parameter is now obsolete. If script is running in a terminal, then output ist verbose,
# - the output will be verbos. If running as cronjob, output will only be written, if warnings or
# - errors occurs.
# ---
# - CONFLICTING_SCRIPTS
# -
# - The scripts listed here conflict with this script. If one of these scripts
# - is currently running, this script will be stopped.
# -
# - In addition to the script, a LOCK directory can also be specified which is
# - connected to it.
# -
# - If no fixed LOCK directory is connected to the script, set
# - this value to the constant 'CHECK_PROCESS_LIST'.
# -
# - If no value for the LOCK directory is given, the LOCK directory
# - '/tmp/<base-script_name>.LOCK' is assumed.
# -
# -
# - Example:
# - CONFLICTING_SCRIPTS="
# - /root/bin/monitoring/check_webservice_load.sh:CHECK_PROCESS_LIST
# - /root/bin/monitoring/check_remote_websites.sh
# - "
# -
# - Defaults to:
# - CONFLICTING_SCRIPTS="/root/bin/monitoring/check_local_webservice.sh:/tmp/check_local_webservice.LOCK"
# -
#CONFLICTING_SCRIPTS=""
# - What to check
# -
check_load=true
check_mysql=false
check_mariadb=false
# - PostgreSQL
# -
# - NOT useful, if more than one PostgreSQL instances are running!
# -
check_postgresql=true
check_apache=true
check_nginx=false
check_php_fpm=true
check_redis=false
check_website=false
# TIMEOUT_CHECK_WEBSITE
#
# Maximum time in seconds that you allow for the response from the webserver.
#
# Defaults to:
# TIMEOUT_CHECK_WEBSITE=10
#
#TIMEOUT_CHECK_WEBSITE=10
# TIMEOUT_CHECK_PHP
#
# Maximum time in seconds that you allow for the response from the webserver.
#
# Defaults to:
# TIMEOUT_CHECK_PHP=10
#
#TIMEOUT_CHECK_PHP=10
# - If service is not listen on 127.0.0.1/loclhost, curl check must
# - be ommited
# -
# - Defaults to: ommit_curl_check_nginx=false
# -
#ommit_curl_check_nginx=false
# - Is this a vserver guest machine?
# -
# - Not VSerber guest host does not support systemd!
# -
# - defaults to: vserver_guest=false
# -
#vserver_guest=false
# - Additional Settings for check_mysql
# -
# - MySQL / MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mysql_credential_args="-u root -S /run/mysqld/mysqld.sock"
# - mysql_credential_args="--login-path=local"
# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
# - defaults to:
# - mysql_credential_args="--login-path=local"
# -
#mysql_credential_args="--login-path=local"
# - Additional Settings for check_mariadb
# -
# - MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mariadb_credential_args="-u root -S /run/mysqld/mysqld.sock"
# - mariadb_credential_args="--login-path=local"
# - mariadb_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mariadb_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
# - defaults to empty string
# - mariadb_credential_args=""
# -
#mariadb_credential_args=""
# - Additional Settings for check_php_fpm
# -
# - On Linux Vserver System set
# - curl_check_host=localhost
# -
# - On LX-Container set
# - curl_check_host=127.0.0.1
# -
curl_check_host=127.0.0.1
# - Which PHP versions should be supported by this script. If more than one,
# - give a blank separated list
# -
# - Example:
# - php_versions="5.4 5.6 7.0 7.1"
# -
php_versions="8.2"
# - If PHP-FPM's ping.path setting does not match ping-$php_major_version,
# - set the value given in your ping.path setting here. Give ping_path also
# - the concerning php_version in form
# - <php-version>:<ping-path>
# -
# - Multiple settings are possible, give a blank separated list.
# -
# - Example:
# -
# - ping_path="5.4:ping-site36_net 5.6:ping-oopen_de"
# -
ping_path=""
# - Additional Settings for check_website - checking (expected) website response
# -
# - example:
# - is_working_url="https://www.outoflineshop.de/"
# - check_string='ool-account-links'
# - include_cleanup_function=true
# - extra_alert_address="ilker@so36.net"
# - cleanup_function='
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/cache/*
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/session/*
# - /usr/local/bin/redis-cli flushall > /dev/null 2>&1
# - if [[ "$?" = "0" ]]; then
# - ok "I have cleaned up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\""
# - else
# - error "Cleaning up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\" failed!"
# - fi
# - /etc/init.d/redis_6379 restart
# - if [[ "$?" = "0" ]]; then
# - ok "I restarted the redis service"
# - echo -e "\t[ Ok ]: I restarted the redis service" >> $LOCK_DIR/extra_msg.txt
# - else
# - error "Restarting the redis server failed!"
# - echo -e "\t[ Error ]: Restarting the redis server failed!" >> $LOCK_DIR/extra_msg.txt
# - fi
# - '
# -
is_working_url=''
check_string=''
include_cleanup_function=true
# - An extra e-mail address, which will be informed, if the given check URL
# - does not response as expected (check_string) AFTER script checking, restarting
# - servervices (webserver, php-fpm) and cleaning up (cleanup_function) was done.
# -
extra_alert_address=''
# - php_version_of_working_url
# -
# - If given website (is_working_url) does not response as expected, this PHP FPM
# - engines will be restarted.
# -
# - Type "None" if site does not support php
# -
# - If php_version_of_working_url is not set, PHP FPM processes of ALL versions (php_versions)
# - will be restarted
# -
php_version_of_working_url=''
# - Notice:
# - If single qoutes "'" not needed inside cleanup function, then use single quotes
# - to enclose variable "cleanup_function". Then you don't have do masquerade any
# - sign inside.
# -
# - Otherwise use double quotes and masq any sign to prevent bash from interpreting.
# -
cleanup_function='
'
# - E-Mail settings for sending script messages
# -
from_address="root@`hostname -f`"
content_type='Content-Type: text/plain;\n charset="utf-8"'
to_addresses="root"

154
roles/common/files/b.mx/root/bin/monitoring/conf/check_webservice_load.conf
View File

@@ -1,154 +0,0 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
#---------------------------------------
#-----------------------------
# Settings
#-----------------------------
#---------------------------------------
# ---
# - LOGGING
# -
# - This Parameter is now obsolete. If script is running in a terminal, then output ist verbose,
# - the output will be verbos. If running as cronjob, output will only be written, if warnings or
# - errors occurs.
# ---
# - What to check
# -
check_load=true
check_mysql=false
check_apache=true
check_php_fpm=false
check_website=false
# - Additional Settings for check_mysql
# -
# - MySQL / MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mysql_credential_args="--login-path=local"
# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
mysql_credential_args=""
# - Additional Settings for check_php_fpm
# -
# - On Linux Vserver System set
# - curl_check_host=localhost
# -
# - On LX-Container set
# - curl_check_host=127.0.0.1
# -
curl_check_host=127.0.0.1
# - Which PHP versions should be supported by this script. If more than one,
# - give a blank separated list
# -
# - Example:
# - php_versions="5.4 5.6 7.0 7.1"
# -
php_versions=""
# - If PHP-FPM's ping.path setting does not match ping-$php_major_version,
# - set the value given in your ping.path setting here. Give ping_path also
# - the concerning php_version in form
# - <php-version>:<ping-path>
# -
# - Multiple settings are possible, give a blank separated list.
# -
# - Example:
# -
# - ping_path="5.4:ping-site36_net 5.6:ping-oopen_de"
# -
ping_path=""
# - Additional Settings for check_website - checking (expected) website response
# -
# - example:
# - is_working_url="https://www.outoflineshop.de/"
# - check_string='ool-account-links'
# - include_cleanup_function=true
# - extra_alert_address="ilker@so36.net"
# - cleanup_function='
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/cache/*
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/session/*
# - /usr/local/bin/redis-cli flushall > /dev/null 2>&1
# - if [[ "$?" = "0" ]]; then
# - ok "I have cleaned up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\""
# - else
# - error "Cleaning up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\" failed!"
# - fi
# - /etc/init.d/redis_6379 restart
# - if [[ "$?" = "0" ]]; then
# - ok "I restarted the redis service"
# - echo -e "\t[ Ok ]: I restarted the redis service" >> $LOCK_DIR/extra_msg.txt
# - else
# - error "Restarting the redis server failed!"
# - echo -e "\t[ Error ]: Restarting the redis server failed!" >> $LOCK_DIR/extra_msg.txt
# - fi
# - '
# -
is_working_url=''
check_string=''
include_cleanup_function=true
# - An extra e-mail address, which will be informed, if the given check URL
# - does not response as expected (check_string) AFTER script checking, restarting
# - servervices (webserver, php-fpm) and cleaning up (cleanup_function) was done.
# -
extra_alert_address=''
# - php_version_of_working_url
# -
# - If given website (is_working_url) does not response as expected, this PHP FPM
# - engines will be restarted.
# -
# - Type "None" if site does not support php
# -
# - If php_version_of_working_url is not set, PHP FPM processes of ALL versions (php_versions)
# - will be restarted
# -
php_version_of_working_url=''
# - Notice:
# - If single qoutes "'" not needed inside cleanup function, then use single quotes
# - to enclose variable "cleanup_function". Then you don't have do masquerade any
# - sign inside.
# -
# - Otherwise use double quotes and masq any sign to prevent bash from interpreting.
# -
cleanup_function='
'
# - E-Mail settings for sending script messages
# -
from_address="root@`hostname -f`"
content_type='Content-Type: text/plain;\n charset="utf-8"'
to_addresses="root"

263
roles/common/files/c.mx/root/bin/monitoring/conf/check_webservice_load.conf
View File

@@ -1,263 +0,0 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
#---------------------------------------
#-----------------------------
# Settings
#-----------------------------
#---------------------------------------
# ---
# - LOGGING
# -
# - This Parameter is now obsolete. If script is running in a terminal, then output ist verbose,
# - the output will be verbos. If running as cronjob, output will only be written, if warnings or
# - errors occurs.
# ---
# - CONFLICTING_SCRIPTS
# -
# - The scripts listed here conflict with this script. If one of these scripts
# - is currently running, this script will be stopped.
# -
# - In addition to the script, a LOCK directory can also be specified which is
# - connected to it.
# -
# - If no fixed LOCK directory is connected to the script, set
# - this value to the constant 'CHECK_PROCESS_LIST'.
# -
# - If no value for the LOCK directory is given, the LOCK directory
# - '/tmp/<base-script_name>.LOCK' is assumed.
# -
# -
# - Example:
# - CONFLICTING_SCRIPTS="
# - /root/bin/monitoring/check_webservice_load.sh:CHECK_PROCESS_LIST
# - /root/bin/monitoring/check_remote_websites.sh
# - "
# -
# - Defaults to:
# - CONFLICTING_SCRIPTS="/root/bin/monitoring/check_local_webservice.sh:/tmp/check_local_webservice.LOCK"
# -
#CONFLICTING_SCRIPTS=""
# - What to check
# -
check_load=true
check_mysql=false
check_mariadb=true
# - PostgreSQL
# -
# - NOT useful, if more than one PostgreSQL instances are running!
# -
check_postgresql=false
check_apache=true
check_nginx=false
check_php_fpm=true
check_redis=false
check_website=false
# TIMEOUT_CHECK_WEBSITE
#
# Maximum time in seconds that you allow for the response from the webserver.
#
# Defaults to:
# TIMEOUT_CHECK_WEBSITE=10
#
#TIMEOUT_CHECK_WEBSITE=10
# TIMEOUT_CHECK_PHP
#
# Maximum time in seconds that you allow for the response from the webserver.
#
# Defaults to:
# TIMEOUT_CHECK_PHP=10
#
#TIMEOUT_CHECK_PHP=10
# - If service is not listen on 127.0.0.1/loclhost, curl check must
# - be ommited
# -
# - Defaults to: ommit_curl_check_nginx=false
# -
#ommit_curl_check_nginx=false
# - Is this a vserver guest machine?
# -
# - Not VSerber guest host does not support systemd!
# -
# - defaults to: vserver_guest=false
# -
#vserver_guest=false
# - Additional Settings for check_mysql
# -
# - MySQL / MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mysql_credential_args="-u root -S /run/mysqld/mysqld.sock"
# - mysql_credential_args="--login-path=local"
# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
# - defaults to:
# - mysql_credential_args="--login-path=local"
# -
#mysql_credential_args="--login-path=local"
# - Additional Settings for check_mariadb
# -
# - MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mariadb_credential_args="-u root -S /run/mysqld/mysqld.sock"
# - mariadb_credential_args="--login-path=local"
# - mariadb_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mariadb_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
# - defaults to empty string
# - mariadb_credential_args=""
# -
#mariadb_credential_args=""
mariadb_credential_args="-u root -S /run/mysqld/mysqld.sock"
# - Additional Settings for check_php_fpm
# -
# - On Linux Vserver System set
# - curl_check_host=localhost
# -
# - On LX-Container set
# - curl_check_host=127.0.0.1
# -
curl_check_host=127.0.0.1
# - Which PHP versions should be supported by this script. If more than one,
# - give a blank separated list
# -
# - Example:
# - php_versions="5.4 5.6 7.0 7.1"
# -
php_versions="8.2"
# - If PHP-FPM's ping.path setting does not match ping-$php_major_version,
# - set the value given in your ping.path setting here. Give ping_path also
# - the concerning php_version in form
# - <php-version>:<ping-path>
# -
# - Multiple settings are possible, give a blank separated list.
# -
# - Example:
# -
# - ping_path="5.4:ping-site36_net 5.6:ping-oopen_de"
# -
ping_path=""
# - Additional Settings for check_website - checking (expected) website response
# -
# - example:
# - is_working_url="https://www.outoflineshop.de/"
# - check_string='ool-account-links'
# - include_cleanup_function=true
# - extra_alert_address="ilker@so36.net"
# - cleanup_function='
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/cache/*
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/session/*
# - /usr/local/bin/redis-cli flushall > /dev/null 2>&1
# - if [[ "$?" = "0" ]]; then
# - ok "I have cleaned up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\""
# - else
# - error "Cleaning up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\" failed!"
# - fi
# - /etc/init.d/redis_6379 restart
# - if [[ "$?" = "0" ]]; then
# - ok "I restarted the redis service"
# - echo -e "\t[ Ok ]: I restarted the redis service" >> $LOCK_DIR/extra_msg.txt
# - else
# - error "Restarting the redis server failed!"
# - echo -e "\t[ Error ]: Restarting the redis server failed!" >> $LOCK_DIR/extra_msg.txt
# - fi
# - '
# -
is_working_url=''
check_string=''
include_cleanup_function=true
# - An extra e-mail address, which will be informed, if the given check URL
# - does not response as expected (check_string) AFTER script checking, restarting
# - servervices (webserver, php-fpm) and cleaning up (cleanup_function) was done.
# -
extra_alert_address=''
# - php_version_of_working_url
# -
# - If given website (is_working_url) does not response as expected, this PHP FPM
# - engines will be restarted.
# -
# - Type "None" if site does not support php
# -
# - If php_version_of_working_url is not set, PHP FPM processes of ALL versions (php_versions)
# - will be restarted
# -
php_version_of_working_url=''
# - Notice:
# - If single qoutes "'" not needed inside cleanup function, then use single quotes
# - to enclose variable "cleanup_function". Then you don't have do masquerade any
# - sign inside.
# -
# - Otherwise use double quotes and masq any sign to prevent bash from interpreting.
# -
cleanup_function='
'
# - E-Mail settings for sending script messages
# -
from_address="root@`hostname -f`"
content_type='Content-Type: text/plain;\n charset="utf-8"'
to_addresses="root"

262
roles/common/files/d.mx/root/bin/monitoring/conf/check_webservice_load.conf
View File

@@ -1,262 +0,0 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
#---------------------------------------
#-----------------------------
# Settings
#-----------------------------
#---------------------------------------
# ---
# - LOGGING
# -
# - This Parameter is now obsolete. If script is running in a terminal, then output ist verbose,
# - the output will be verbos. If running as cronjob, output will only be written, if warnings or
# - errors occurs.
# ---
# - CONFLICTING_SCRIPTS
# -
# - The scripts listed here conflict with this script. If one of these scripts
# - is currently running, this script will be stopped.
# -
# - In addition to the script, a LOCK directory can also be specified which is
# - connected to it.
# -
# - If no fixed LOCK directory is connected to the script, set
# - this value to the constant 'CHECK_PROCESS_LIST'.
# -
# - If no value for the LOCK directory is given, the LOCK directory
# - '/tmp/<base-script_name>.LOCK' is assumed.
# -
# -
# - Example:
# - CONFLICTING_SCRIPTS="
# - /root/bin/monitoring/check_webservice_load.sh:CHECK_PROCESS_LIST
# - /root/bin/monitoring/check_remote_websites.sh
# - "
# -
# - Defaults to:
# - CONFLICTING_SCRIPTS="/root/bin/monitoring/check_local_webservice.sh:/tmp/check_local_webservice.LOCK"
# -
#CONFLICTING_SCRIPTS=""
# - What to check
# -
check_load=true
check_mysql=false
check_mariadb=true
# - PostgreSQL
# -
# - NOT useful, if more than one PostgreSQL instances are running!
# -
check_postgresql=true
check_apache=true
check_nginx=false
check_php_fpm=false
check_redis=false
check_website=false
# TIMEOUT_CHECK_WEBSITE
#
# Maximum time in seconds that you allow for the response from the webserver.
#
# Defaults to:
# TIMEOUT_CHECK_WEBSITE=10
#
#TIMEOUT_CHECK_WEBSITE=10
# TIMEOUT_CHECK_PHP
#
# Maximum time in seconds that you allow for the response from the webserver.
#
# Defaults to:
# TIMEOUT_CHECK_PHP=10
#
#TIMEOUT_CHECK_PHP=10
# - If service is not listen on 127.0.0.1/loclhost, curl check must
# - be ommited
# -
# - Defaults to: ommit_curl_check_nginx=false
# -
#ommit_curl_check_nginx=false
# - Is this a vserver guest machine?
# -
# - Not VSerber guest host does not support systemd!
# -
# - defaults to: vserver_guest=false
# -
#vserver_guest=false
# - Additional Settings for check_mysql
# -
# - MySQL / MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mysql_credential_args="-u root -S /run/mysqld/mysqld.sock"
# - mysql_credential_args="--login-path=local"
# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
# - defaults to:
# - mysql_credential_args="--login-path=local"
# -
#mysql_credential_args="--login-path=local"
# - Additional Settings for check_mariadb
# -
# - MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mariadb_credential_args="-u root -S /run/mysqld/mysqld.sock"
# - mariadb_credential_args="--login-path=local"
# - mariadb_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mariadb_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
# - defaults to empty string
# - mariadb_credential_args=""
# -
#mariadb_credential_args=""
# - Additional Settings for check_php_fpm
# -
# - On Linux Vserver System set
# - curl_check_host=localhost
# -
# - On LX-Container set
# - curl_check_host=127.0.0.1
# -
curl_check_host=127.0.0.1
# - Which PHP versions should be supported by this script. If more than one,
# - give a blank separated list
# -
# - Example:
# - php_versions="5.4 5.6 7.0 7.1"
# -
php_versions=""
# - If PHP-FPM's ping.path setting does not match ping-$php_major_version,
# - set the value given in your ping.path setting here. Give ping_path also
# - the concerning php_version in form
# - <php-version>:<ping-path>
# -
# - Multiple settings are possible, give a blank separated list.
# -
# - Example:
# -
# - ping_path="5.4:ping-site36_net 5.6:ping-oopen_de"
# -
ping_path=""
# - Additional Settings for check_website - checking (expected) website response
# -
# - example:
# - is_working_url="https://www.outoflineshop.de/"
# - check_string='ool-account-links'
# - include_cleanup_function=true
# - extra_alert_address="ilker@so36.net"
# - cleanup_function='
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/cache/*
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/session/*
# - /usr/local/bin/redis-cli flushall > /dev/null 2>&1
# - if [[ "$?" = "0" ]]; then
# - ok "I have cleaned up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\""
# - else
# - error "Cleaning up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\" failed!"
# - fi
# - /etc/init.d/redis_6379 restart
# - if [[ "$?" = "0" ]]; then
# - ok "I restarted the redis service"
# - echo -e "\t[ Ok ]: I restarted the redis service" >> $LOCK_DIR/extra_msg.txt
# - else
# - error "Restarting the redis server failed!"
# - echo -e "\t[ Error ]: Restarting the redis server failed!" >> $LOCK_DIR/extra_msg.txt
# - fi
# - '
# -
is_working_url=''
check_string=''
include_cleanup_function=true
# - An extra e-mail address, which will be informed, if the given check URL
# - does not response as expected (check_string) AFTER script checking, restarting
# - servervices (webserver, php-fpm) and cleaning up (cleanup_function) was done.
# -
extra_alert_address=''
# - php_version_of_working_url
# -
# - If given website (is_working_url) does not response as expected, this PHP FPM
# - engines will be restarted.
# -
# - Type "None" if site does not support php
# -
# - If php_version_of_working_url is not set, PHP FPM processes of ALL versions (php_versions)
# - will be restarted
# -
php_version_of_working_url=''
# - Notice:
# - If single qoutes "'" not needed inside cleanup function, then use single quotes
# - to enclose variable "cleanup_function". Then you don't have do masquerade any
# - sign inside.
# -
# - Otherwise use double quotes and masq any sign to prevent bash from interpreting.
# -
cleanup_function='
'
# - E-Mail settings for sending script messages
# -
from_address="root@`hostname -f`"
content_type='Content-Type: text/plain;\n charset="utf-8"'
to_addresses="root"

147
roles/common/files/e.mx/root/bin/monitoring/conf/check_webservice_load.conf
View File

@@ -1,147 +0,0 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
#---------------------------------------
#-----------------------------
# Settings
#-----------------------------
#---------------------------------------
#LOGGING=true
LOGGING=false
# - What to check
# -
check_load=true
check_mysql=false
check_apache=true
check_php_fpm=true
check_website=false
# - Additional Settings for check_mysql
# -
# - MySQL / MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mysql_credential_args="--login-path=local"
# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
mysql_credential_args=""
# - Additional Settings for check_php_fpm
# -
# - On Linux Vserver System set
# - curl_check_host=localhost
# -
# - On LX-Container set
# - curl_check_host=127.0.0.1
# -
curl_check_host=127.0.0.1
# - Which PHP versions should be supported by this script. If more than one,
# - give a blank separated list
# -
# - Example:
# - php_versions="5.4 5.6 7.0 7.1"
# -
php_versions="8.1"
# - If PHP-FPM's ping.path setting does not match ping-$php_major_version,
# - set the value given in your ping.path setting here. Give ping_path also
# - the concerning php_version in form
# - <php-version>:<ping-path>
# -
# - Multiple settings are possible, give a blank separated list.
# -
# - Example:
# -
# - ping_path="5.4:ping-site36_net 5.6:ping-oopen_de"
# -
ping_path=""
# - Additional Settings for check_website - checking (expected) website response
# -
# - example:
# - is_working_url="https://www.outoflineshop.de/"
# - check_string='ool-account-links'
# - include_cleanup_function=true
# - extra_alert_address="ilker@so36.net"
# - cleanup_function='
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/cache/*
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/session/*
# - /usr/local/bin/redis-cli flushall > /dev/null 2>&1
# - if [[ "$?" = "0" ]]; then
# - ok "I have cleaned up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\""
# - else
# - error "Cleaning up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\" failed!"
# - fi
# - /etc/init.d/redis_6379 restart
# - if [[ "$?" = "0" ]]; then
# - ok "I restarted the redis service"
# - echo -e "\t[ Ok ]: I restarted the redis service" >> $LOCK_DIR/extra_msg.txt
# - else
# - error "Restarting the redis server failed!"
# - echo -e "\t[ Error ]: Restarting the redis server failed!" >> $LOCK_DIR/extra_msg.txt
# - fi
# - '
# -
is_working_url=''
check_string=''
include_cleanup_function=true
# - An extra e-mail address, which will be informed, if the given check URL
# - does not response as expected (check_string) AFTER script checking, restarting
# - servervices (webserver, php-fpm) and cleaning up (cleanup_function) was done.
# -
extra_alert_address=''
# - php_version_of_working_url
# -
# - If given website (is_working_url) does not response as expected, this PHP FPM
# - engines will be restarted.
# -
# - Type "None" if site does not support php
# -
# - If php_version_of_working_url is not set, PHP FPM processes of ALL versions (php_versions)
# - will be restarted
# -
php_version_of_working_url=''
# - Notice:
# - If single qoutes "'" not needed inside cleanup function, then use single quotes
# - to enclose variable "cleanup_function". Then you don't have do masquerade any
# - sign inside.
# -
# - Otherwise use double quotes and masq any sign to prevent bash from interpreting.
# -
cleanup_function='
'
# - E-Mail settings for sending script messages
# -
from_address="root@`hostname -f`"
content_type='Content-Type: text/plain;\n charset="utf-8"'
to_addresses="root"

270
roles/common/files/g.mx/root/bin/monitoring/conf/check_webservice_load.conf
View File

@@ -1,270 +0,0 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
#---------------------------------------
#-----------------------------
# Settings
#-----------------------------
#---------------------------------------
# ---
# - LOGGING
# -
# - This Parameter is now obsolete. If script is running in a terminal, then output ist verbose,
# - the output will be verbos. If running as cronjob, output will only be written, if warnings or
# - errors occurs.
# ---
# - CONFLICTING_SCRIPTS
# -
# - The scripts listed here conflict with this script. If one of these scripts
# - is currently running, this script will be stopped.
# -
# - In addition to the script, a LOCK directory can also be specified which is
# - connected to it.
# -
# - If no fixed LOCK directory is connected to the script, set
# - this value to the constant 'CHECK_PROCESS_LIST'.
# -
# - If no value for the LOCK directory is given, the LOCK directory
# - '/tmp/<base-script_name>.LOCK' is assumed.
# -
# -
# - Example:
# - CONFLICTING_SCRIPTS="
# - /root/bin/monitoring/check_webservice_load.sh:CHECK_PROCESS_LIST
# - /root/bin/monitoring/check_remote_websites.sh
# - "
# -
# - Defaults to:
# - CONFLICTING_SCRIPTS="/root/bin/monitoring/check_local_webservice.sh:/tmp/check_local_webservice.LOCK"
# -
#CONFLICTING_SCRIPTS=""
# - What to check
# -
check_load=true
check_mysql=false
check_mariadb=false
# - PostgreSQL
# -
# - NOT useful, if more than one PostgreSQL instances are running!
# -
check_postgresql=false
check_apache=true
check_nginx=false
check_php_fpm=false
check_redis=false
check_website=false
# TIMEOUT_CHECK_WEBSITE
#
# Maximum time in seconds that you allow for the response from the webserver.
#
# Defaults to:
# TIMEOUT_CHECK_WEBSITE=10
#
#TIMEOUT_CHECK_WEBSITE=10
# TIMEOUT_CHECK_PHP
#
# Maximum time in seconds that you allow for the response from the webserver.
#
# Defaults to:
# TIMEOUT_CHECK_PHP=10
#
#TIMEOUT_CHECK_PHP=10
# - If service is not listen on 127.0.0.1/loclhost, curl check must
# - be ommited
# -
# - Defaults to: ommit_curl_check_nginx=false
# -
#ommit_curl_check_nginx=false
# - Is this a vserver guest machine?
# -
# - Not VSerber guest host does not support systemd!
# -
# - defaults to: vserver_guest=false
# -
#vserver_guest=false
# - Additional Settings for check_mysql
# -
# - MySQL / MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mysql_credential_args="-u root -S /run/mysqld/mysqld.sock"
# - mysql_credential_args="--login-path=local"
# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
# - defaults to:
# - mysql_credential_args="--login-path=local"
# -
#mysql_credential_args="--login-path=local"
# - Additional Settings for check_mariadb
# -
# - MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mariadb_credential_args="-u root -S /run/mysqld/mysqld.sock"
# - mariadb_credential_args="--login-path=local"
# - mariadb_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mariadb_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
# - defaults to empty string
# - mariadb_credential_args=""
# -
#mariadb_credential_args=""
# - Port of PostgreSQL Service
# -
# - defaults to '5432'
# - postgresql_port=5432
# -
#postgresql_port=5432
# - Additional Settings for check_php_fpm
# -
# - On Linux Vserver System set
# - curl_check_host=localhost
# -
# - On LX-Container set
# - curl_check_host=127.0.0.1
# -
curl_check_host=127.0.0.1
# - Which PHP versions should be supported by this script. If more than one,
# - give a blank separated list
# -
# - Example:
# - php_versions="5.4 5.6 7.0 7.1"
# -
php_versions=""
# - If PHP-FPM's ping.path setting does not match ping-$php_major_version,
# - set the value given in your ping.path setting here. Give ping_path also
# - the concerning php_version in form
# - <php-version>:<ping-path>
# -
# - Multiple settings are possible, give a blank separated list.
# -
# - Example:
# -
# - ping_path="5.4:ping-site36_net 5.6:ping-oopen_de"
# -
ping_path=""
# - Additional Settings for check_website - checking (expected) website response
# -
# - example:
# - is_working_url="https://www.outoflineshop.de/"
# - check_string='ool-account-links'
# - include_cleanup_function=true
# - extra_alert_address="ilker@so36.net"
# - cleanup_function='
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/cache/*
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/session/*
# - /usr/local/bin/redis-cli flushall > /dev/null 2>&1
# - if [[ "$?" = "0" ]]; then
# - ok "I have cleaned up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\""
# - else
# - error "Cleaning up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\" failed!"
# - fi
# - /etc/init.d/redis_6379 restart
# - if [[ "$?" = "0" ]]; then
# - ok "I restarted the redis service"
# - echo -e "\t[ Ok ]: I restarted the redis service" >> $LOCK_DIR/extra_msg.txt
# - else
# - error "Restarting the redis server failed!"
# - echo -e "\t[ Error ]: Restarting the redis server failed!" >> $LOCK_DIR/extra_msg.txt
# - fi
# - '
# -
is_working_url=''
check_string=''
include_cleanup_function=true
# - An extra e-mail address, which will be informed, if the given check URL
# - does not response as expected (check_string) AFTER script checking, restarting
# - servervices (webserver, php-fpm) and cleaning up (cleanup_function) was done.
# -
extra_alert_address=''
# - php_version_of_working_url
# -
# - If given website (is_working_url) does not response as expected, this PHP FPM
# - engines will be restarted.
# -
# - Type "None" if site does not support php
# -
# - If php_version_of_working_url is not set, PHP FPM processes of ALL versions (php_versions)
# - will be restarted
# -
php_version_of_working_url=''
# - Notice:
# - If single qoutes "'" not needed inside cleanup function, then use single quotes
# - to enclose variable "cleanup_function". Then you don't have do masquerade any
# - sign inside.
# -
# - Otherwise use double quotes and masq any sign to prevent bash from interpreting.
# -
cleanup_function='
'
# - E-Mail settings for sending script messages
# -
from_address="root@`hostname -f`"
content_type='Content-Type: text/plain;\n charset="utf-8"'
to_addresses="root"

262
roles/common/files/ga-st-mail/root/bin/monitoring/conf/check_webservice_load.conf
View File

@@ -1,262 +0,0 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
#---------------------------------------
#-----------------------------
# Settings
#-----------------------------
#---------------------------------------
# ---
# - LOGGING
# -
# - This Parameter is now obsolete. If script is running in a terminal, then output ist verbose,
# - the output will be verbos. If running as cronjob, output will only be written, if warnings or
# - errors occurs.
# ---
# - CONFLICTING_SCRIPTS
# -
# - The scripts listed here conflict with this script. If one of these scripts
# - is currently running, this script will be stopped.
# -
# - In addition to the script, a LOCK directory can also be specified which is
# - connected to it.
# -
# - If no fixed LOCK directory is connected to the script, set
# - this value to the constant 'CHECK_PROCESS_LIST'.
# -
# - If no value for the LOCK directory is given, the LOCK directory
# - '/tmp/<base-script_name>.LOCK' is assumed.
# -
# -
# - Example:
# - CONFLICTING_SCRIPTS="
# - /root/bin/monitoring/check_webservice_load.sh:CHECK_PROCESS_LIST
# - /root/bin/monitoring/check_remote_websites.sh
# - "
# -
# - Defaults to:
# - CONFLICTING_SCRIPTS="/root/bin/monitoring/check_local_webservice.sh:/tmp/check_local_webservice.LOCK"
# -
#CONFLICTING_SCRIPTS=""
# - What to check
# -
check_load=true
check_mysql=false
check_mariadb=false
# - PostgreSQL
# -
# - NOT useful, if more than one PostgreSQL instances are running!
# -
check_postgresql=true
check_apache=true
check_nginx=false
check_php_fpm=true
check_redis=false
check_website=false
# TIMEOUT_CHECK_WEBSITE
#
# Maximum time in seconds that you allow for the response from the webserver.
#
# Defaults to:
# TIMEOUT_CHECK_WEBSITE=10
#
#TIMEOUT_CHECK_WEBSITE=10
# TIMEOUT_CHECK_PHP
#
# Maximum time in seconds that you allow for the response from the webserver.
#
# Defaults to:
# TIMEOUT_CHECK_PHP=10
#
#TIMEOUT_CHECK_PHP=10
# - If service is not listen on 127.0.0.1/loclhost, curl check must
# - be ommited
# -
# - Defaults to: ommit_curl_check_nginx=false
# -
#ommit_curl_check_nginx=false
# - Is this a vserver guest machine?
# -
# - Not VSerber guest host does not support systemd!
# -
# - defaults to: vserver_guest=false
# -
#vserver_guest=false
# - Additional Settings for check_mysql
# -
# - MySQL / MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mysql_credential_args="-u root -S /run/mysqld/mysqld.sock"
# - mysql_credential_args="--login-path=local"
# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
# - defaults to:
# - mysql_credential_args="--login-path=local"
# -
#mysql_credential_args="--login-path=local"
# - Additional Settings for check_mariadb
# -
# - MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mariadb_credential_args="-u root -S /run/mysqld/mysqld.sock"
# - mariadb_credential_args="--login-path=local"
# - mariadb_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mariadb_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
# - defaults to empty string
# - mariadb_credential_args=""
# -
#mariadb_credential_args=""
# - Additional Settings for check_php_fpm
# -
# - On Linux Vserver System set
# - curl_check_host=localhost
# -
# - On LX-Container set
# - curl_check_host=127.0.0.1
# -
curl_check_host=127.0.0.1
# - Which PHP versions should be supported by this script. If more than one,
# - give a blank separated list
# -
# - Example:
# - php_versions="5.4 5.6 7.0 7.1"
# -
php_versions="8.2"
# - If PHP-FPM's ping.path setting does not match ping-$php_major_version,
# - set the value given in your ping.path setting here. Give ping_path also
# - the concerning php_version in form
# - <php-version>:<ping-path>
# -
# - Multiple settings are possible, give a blank separated list.
# -
# - Example:
# -
# - ping_path="5.4:ping-site36_net 5.6:ping-oopen_de"
# -
ping_path=""
# - Additional Settings for check_website - checking (expected) website response
# -
# - example:
# - is_working_url="https://www.outoflineshop.de/"
# - check_string='ool-account-links'
# - include_cleanup_function=true
# - extra_alert_address="ilker@so36.net"
# - cleanup_function='
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/cache/*
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/session/*
# - /usr/local/bin/redis-cli flushall > /dev/null 2>&1
# - if [[ "$?" = "0" ]]; then
# - ok "I have cleaned up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\""
# - else
# - error "Cleaning up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\" failed!"
# - fi
# - /etc/init.d/redis_6379 restart
# - if [[ "$?" = "0" ]]; then
# - ok "I restarted the redis service"
# - echo -e "\t[ Ok ]: I restarted the redis service" >> $LOCK_DIR/extra_msg.txt
# - else
# - error "Restarting the redis server failed!"
# - echo -e "\t[ Error ]: Restarting the redis server failed!" >> $LOCK_DIR/extra_msg.txt
# - fi
# - '
# -
is_working_url=''
check_string=''
include_cleanup_function=true
# - An extra e-mail address, which will be informed, if the given check URL
# - does not response as expected (check_string) AFTER script checking, restarting
# - servervices (webserver, php-fpm) and cleaning up (cleanup_function) was done.
# -
extra_alert_address=''
# - php_version_of_working_url
# -
# - If given website (is_working_url) does not response as expected, this PHP FPM
# - engines will be restarted.
# -
# - Type "None" if site does not support php
# -
# - If php_version_of_working_url is not set, PHP FPM processes of ALL versions (php_versions)
# - will be restarted
# -
php_version_of_working_url=''
# - Notice:
# - If single qoutes "'" not needed inside cleanup function, then use single quotes
# - to enclose variable "cleanup_function". Then you don't have do masquerade any
# - sign inside.
# -
# - Otherwise use double quotes and masq any sign to prevent bash from interpreting.
# -
cleanup_function='
'
# - E-Mail settings for sending script messages
# -
from_address="root@`hostname -f`"
content_type='Content-Type: text/plain;\n charset="utf-8"'
to_addresses="root"

261
roles/common/files/lists.mx.warenform/root/bin/monitoring/conf/check_webservice_load.conf
View File

@@ -1,261 +0,0 @@
#---------------------------------------
#-----------------------------
# Settings
#-----------------------------
#---------------------------------------
# ---
# - LOGGING
# -
# - This Parameter is now obsolete. If script is running in a terminal, then output ist verbose,
# - the output will be verbos. If running as cronjob, output will only be written, if warnings or
# - errors occurs.
# ---
# - CONFLICTING_SCRIPTS
# -
# - The scripts listed here conflict with this script. If one of these scripts
# - is currently running, this script will be stopped.
# -
# - In addition to the script, a LOCK directory can also be specified which is
# - connected to it.
# -
# - If no fixed LOCK directory is connected to the script, set
# - this value to the constant 'CHECK_PROCESS_LIST'.
# -
# - If no value for the LOCK directory is given, the LOCK directory
# - '/tmp/<base-script_name>.LOCK' is assumed.
# -
# -
# - Example:
# - CONFLICTING_SCRIPTS="
# - /root/bin/monitoring/check_webservice_load.sh:CHECK_PROCESS_LIST
# - /root/bin/monitoring/check_remote_websites.sh
# - "
# -
# - Defaults to:
# - CONFLICTING_SCRIPTS="/root/bin/monitoring/check_local_webservice.sh:/tmp/check_local_webservice.LOCK"
# -
#CONFLICTING_SCRIPTS=""
# - What to check
# -
check_load=true
check_mysql=false
check_mariadb=true
# - PostgreSQL
# -
# - NOT useful, if more than one PostgreSQL instances are running!
# -
check_postgresql=false
check_apache=true
check_nginx=false
check_php_fpm=false
check_redis=false
check_website=false
# TIMEOUT_CHECK_WEBSITE
#
# Maximum time in seconds that you allow for the response from the webserver.
#
# Defaults to:
# TIMEOUT_CHECK_WEBSITE=10
#
#TIMEOUT_CHECK_WEBSITE=10
# TIMEOUT_CHECK_PHP
#
# Maximum time in seconds that you allow for the response from the webserver.
#
# Defaults to:
# TIMEOUT_CHECK_PHP=10
#
#TIMEOUT_CHECK_PHP=10
# - If service is not listen on 127.0.0.1/loclhost, curl check must
# - be ommited
# -
# - Defaults to: ommit_curl_check_nginx=false
# -
#ommit_curl_check_nginx=false
# - Is this a vserver guest machine?
# -
# - Not VSerber guest host does not support systemd!
# -
# - defaults to: vserver_guest=false
# -
#vserver_guest=false
# - Additional Settings for check_mysql
# -
# - MySQL / MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mysql_credential_args="-u root -S /run/mysqld/mysqld.sock"
# - mysql_credential_args="--login-path=local"
# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
# - defaults to:
# - mysql_credential_args="--login-path=local"
# -
#mysql_credential_args="--login-path=local"
# - Additional Settings for check_mariadb
# -
# - MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mariadb_credential_args="-u root -S /run/mysqld/mysqld.sock"
# - mariadb_credential_args="--login-path=local"
# - mariadb_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mariadb_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
# - defaults to empty string
# - mariadb_credential_args=""
# -
#mariadb_credential_args=""
mariadb_credential_args="-u root -S /run/mysqld/mysqld.sock"
# - Additional Settings for check_php_fpm
# -
# - On Linux Vserver System set
# - curl_check_host=localhost
# -
# - On LX-Container set
# - curl_check_host=127.0.0.1
# -
curl_check_host=127.0.0.1
# - Which PHP versions should be supported by this script. If more than one,
# - give a blank separated list
# -
# - Example:
# - php_versions="5.4 5.6 7.0 7.1"
# -
php_versions=""
# - If PHP-FPM's ping.path setting does not match ping-$php_major_version,
# - set the value given in your ping.path setting here. Give ping_path also
# - the concerning php_version in form
# - <php-version>:<ping-path>
# -
# - Multiple settings are possible, give a blank separated list.
# -
# - Example:
# -
# - ping_path="5.4:ping-site36_net 5.6:ping-oopen_de"
# -
ping_path=""
# - Additional Settings for check_website - checking (expected) website response
# -
# - example:
# - is_working_url="https://www.outoflineshop.de/"
# - check_string='ool-account-links'
# - include_cleanup_function=true
# - extra_alert_address="ilker@so36.net"
# - cleanup_function='
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/cache/*
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/session/*
# - /usr/local/bin/redis-cli flushall > /dev/null 2>&1
# - if [[ "$?" = "0" ]]; then
# - ok "I have cleaned up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\""
# - else
# - error "Cleaning up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\" failed!"
# - fi
# - /etc/init.d/redis_6379 restart
# - if [[ "$?" = "0" ]]; then
# - ok "I restarted the redis service"
# - echo -e "\t[ Ok ]: I restarted the redis service" >> $LOCK_DIR/extra_msg.txt
# - else
# - error "Restarting the redis server failed!"
# - echo -e "\t[ Error ]: Restarting the redis server failed!" >> $LOCK_DIR/extra_msg.txt
# - fi
# - '
# -
is_working_url=''
check_string=''
include_cleanup_function=true
# - An extra e-mail address, which will be informed, if the given check URL
# - does not response as expected (check_string) AFTER script checking, restarting
# - servervices (webserver, php-fpm) and cleaning up (cleanup_function) was done.
# -
extra_alert_address=''
# - php_version_of_working_url
# -
# - If given website (is_working_url) does not response as expected, this PHP FPM
# - engines will be restarted.
# -
# - Type "None" if site does not support php
# -
# - If php_version_of_working_url is not set, PHP FPM processes of ALL versions (php_versions)
# - will be restarted
# -
php_version_of_working_url=''
# - Notice:
# - If single qoutes "'" not needed inside cleanup function, then use single quotes
# - to enclose variable "cleanup_function". Then you don't have do masquerade any
# - sign inside.
# -
# - Otherwise use double quotes and masq any sign to prevent bash from interpreting.
# -
cleanup_function='
'
# - E-Mail settings for sending script messages
# -
from_address="root@`hostname -f`"
content_type='Content-Type: text/plain;\n charset="utf-8"'
to_addresses="root"

263
roles/common/files/mail.cadus/root/bin/monitoring/conf/check_webservice_load.conf
View File

@@ -1,263 +0,0 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
#---------------------------------------
#-----------------------------
# Settings
#-----------------------------
#---------------------------------------
# ---
# - LOGGING
# -
# - This Parameter is now obsolete. If script is running in a terminal, then output ist verbose,
# - the output will be verbos. If running as cronjob, output will only be written, if warnings or
# - errors occurs.
# ---
# - CONFLICTING_SCRIPTS
# -
# - The scripts listed here conflict with this script. If one of these scripts
# - is currently running, this script will be stopped.
# -
# - In addition to the script, a LOCK directory can also be specified which is
# - connected to it.
# -
# - If no fixed LOCK directory is connected to the script, set
# - this value to the constant 'CHECK_PROCESS_LIST'.
# -
# - If no value for the LOCK directory is given, the LOCK directory
# - '/tmp/<base-script_name>.LOCK' is assumed.
# -
# -
# - Example:
# - CONFLICTING_SCRIPTS="
# - /root/bin/monitoring/check_webservice_load.sh:CHECK_PROCESS_LIST
# - /root/bin/monitoring/check_remote_websites.sh
# - "
# -
# - Defaults to:
# - CONFLICTING_SCRIPTS="/root/bin/monitoring/check_local_webservice.sh:/tmp/check_local_webservice.LOCK"
# -
#CONFLICTING_SCRIPTS=""
# - What to check
# -
check_load=true
check_mysql=false
check_mariadb=true
# - PostgreSQL
# -
# - NOT useful, if more than one PostgreSQL instances are running!
# -
check_postgresql=false
check_apache=true
check_nginx=false
check_php_fpm=true
check_redis=false
check_website=false
# TIMEOUT_CHECK_WEBSITE
#
# Maximum time in seconds that you allow for the response from the webserver.
#
# Defaults to:
# TIMEOUT_CHECK_WEBSITE=10
#
#TIMEOUT_CHECK_WEBSITE=10
# TIMEOUT_CHECK_PHP
#
# Maximum time in seconds that you allow for the response from the webserver.
#
# Defaults to:
# TIMEOUT_CHECK_PHP=10
#
#TIMEOUT_CHECK_PHP=10
# - If service is not listen on 127.0.0.1/loclhost, curl check must
# - be ommited
# -
# - Defaults to: ommit_curl_check_nginx=false
# -
#ommit_curl_check_nginx=false
# - Is this a vserver guest machine?
# -
# - Not VSerber guest host does not support systemd!
# -
# - defaults to: vserver_guest=false
# -
#vserver_guest=false
# - Additional Settings for check_mysql
# -
# - MySQL / MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mysql_credential_args="-u root -S /run/mysqld/mysqld.sock"
# - mysql_credential_args="--login-path=local"
# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
# - defaults to:
# - mysql_credential_args="--login-path=local"
# -
#mysql_credential_args="--login-path=local"
# - Additional Settings for check_mariadb
# -
# - MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mariadb_credential_args="-u root -S /run/mysqld/mysqld.sock"
# - mariadb_credential_args="--login-path=local"
# - mariadb_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mariadb_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
# - defaults to empty string
# - mariadb_credential_args=""
# -
#mariadb_credential_args=""
mariadb_credential_args="-u root -S /run/mysqld/mysqld.sock"
# - Additional Settings for check_php_fpm
# -
# - On Linux Vserver System set
# - curl_check_host=localhost
# -
# - On LX-Container set
# - curl_check_host=127.0.0.1
# -
curl_check_host=127.0.0.1
# - Which PHP versions should be supported by this script. If more than one,
# - give a blank separated list
# -
# - Example:
# - php_versions="5.4 5.6 7.0 7.1"
# -
php_versions="8.2"
# - If PHP-FPM's ping.path setting does not match ping-$php_major_version,
# - set the value given in your ping.path setting here. Give ping_path also
# - the concerning php_version in form
# - <php-version>:<ping-path>
# -
# - Multiple settings are possible, give a blank separated list.
# -
# - Example:
# -
# - ping_path="5.4:ping-site36_net 5.6:ping-oopen_de"
# -
ping_path=""
# - Additional Settings for check_website - checking (expected) website response
# -
# - example:
# - is_working_url="https://www.outoflineshop.de/"
# - check_string='ool-account-links'
# - include_cleanup_function=true
# - extra_alert_address="ilker@so36.net"
# - cleanup_function='
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/cache/*
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/session/*
# - /usr/local/bin/redis-cli flushall > /dev/null 2>&1
# - if [[ "$?" = "0" ]]; then
# - ok "I have cleaned up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\""
# - else
# - error "Cleaning up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\" failed!"
# - fi
# - /etc/init.d/redis_6379 restart
# - if [[ "$?" = "0" ]]; then
# - ok "I restarted the redis service"
# - echo -e "\t[ Ok ]: I restarted the redis service" >> $LOCK_DIR/extra_msg.txt
# - else
# - error "Restarting the redis server failed!"
# - echo -e "\t[ Error ]: Restarting the redis server failed!" >> $LOCK_DIR/extra_msg.txt
# - fi
# - '
# -
is_working_url=''
check_string=''
include_cleanup_function=true
# - An extra e-mail address, which will be informed, if the given check URL
# - does not response as expected (check_string) AFTER script checking, restarting
# - servervices (webserver, php-fpm) and cleaning up (cleanup_function) was done.
# -
extra_alert_address=''
# - php_version_of_working_url
# -
# - If given website (is_working_url) does not response as expected, this PHP FPM
# - engines will be restarted.
# -
# - Type "None" if site does not support php
# -
# - If php_version_of_working_url is not set, PHP FPM processes of ALL versions (php_versions)
# - will be restarted
# -
php_version_of_working_url=''
# - Notice:
# - If single qoutes "'" not needed inside cleanup function, then use single quotes
# - to enclose variable "cleanup_function". Then you don't have do masquerade any
# - sign inside.
# -
# - Otherwise use double quotes and masq any sign to prevent bash from interpreting.
# -
cleanup_function='
'
# - E-Mail settings for sending script messages
# -
from_address="root@`hostname -f`"
content_type='Content-Type: text/plain;\n charset="utf-8"'
to_addresses="root"

262
roles/common/files/mail.faire-mobilitaet/root/bin/monitoring/conf/check_webservice_load.conf
View File

@@ -1,262 +0,0 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
#---------------------------------------
#-----------------------------
# Settings
#-----------------------------
#---------------------------------------
# ---
# - LOGGING
# -
# - This Parameter is now obsolete. If script is running in a terminal, then output ist verbose,
# - the output will be verbos. If running as cronjob, output will only be written, if warnings or
# - errors occurs.
# ---
# - CONFLICTING_SCRIPTS
# -
# - The scripts listed here conflict with this script. If one of these scripts
# - is currently running, this script will be stopped.
# -
# - In addition to the script, a LOCK directory can also be specified which is
# - connected to it.
# -
# - If no fixed LOCK directory is connected to the script, set
# - this value to the constant 'CHECK_PROCESS_LIST'.
# -
# - If no value for the LOCK directory is given, the LOCK directory
# - '/tmp/<base-script_name>.LOCK' is assumed.
# -
# -
# - Example:
# - CONFLICTING_SCRIPTS="
# - /root/bin/monitoring/check_webservice_load.sh:CHECK_PROCESS_LIST
# - /root/bin/monitoring/check_remote_websites.sh
# - "
# -
# - Defaults to:
# - CONFLICTING_SCRIPTS="/root/bin/monitoring/check_local_webservice.sh:/tmp/check_local_webservice.LOCK"
# -
#CONFLICTING_SCRIPTS=""
# - What to check
# -
check_load=true
check_mysql=false
check_mariadb=false
# - PostgreSQL
# -
# - NOT useful, if more than one PostgreSQL instances are running!
# -
check_postgresql=true
check_apache=true
check_nginx=false
check_php_fpm=true
check_redis=false
check_website=false
# TIMEOUT_CHECK_WEBSITE
#
# Maximum time in seconds that you allow for the response from the webserver.
#
# Defaults to:
# TIMEOUT_CHECK_WEBSITE=10
#
#TIMEOUT_CHECK_WEBSITE=10
# TIMEOUT_CHECK_PHP
#
# Maximum time in seconds that you allow for the response from the webserver.
#
# Defaults to:
# TIMEOUT_CHECK_PHP=10
#
#TIMEOUT_CHECK_PHP=10
# - If service is not listen on 127.0.0.1/loclhost, curl check must
# - be ommited
# -
# - Defaults to: ommit_curl_check_nginx=false
# -
#ommit_curl_check_nginx=false
# - Is this a vserver guest machine?
# -
# - Not VSerber guest host does not support systemd!
# -
# - defaults to: vserver_guest=false
# -
#vserver_guest=false
# - Additional Settings for check_mysql
# -
# - MySQL / MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mysql_credential_args="-u root -S /run/mysqld/mysqld.sock"
# - mysql_credential_args="--login-path=local"
# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
# - defaults to:
# - mysql_credential_args="--login-path=local"
# -
#mysql_credential_args="--login-path=local"
# - Additional Settings for check_mariadb
# -
# - MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mariadb_credential_args="-u root -S /run/mysqld/mysqld.sock"
# - mariadb_credential_args="--login-path=local"
# - mariadb_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mariadb_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
# - defaults to empty string
# - mariadb_credential_args=""
# -
#mariadb_credential_args=""
# - Additional Settings for check_php_fpm
# -
# - On Linux Vserver System set
# - curl_check_host=localhost
# -
# - On LX-Container set
# - curl_check_host=127.0.0.1
# -
curl_check_host=127.0.0.1
# - Which PHP versions should be supported by this script. If more than one,
# - give a blank separated list
# -
# - Example:
# - php_versions="5.4 5.6 7.0 7.1"
# -
php_versions="8.2"
# - If PHP-FPM's ping.path setting does not match ping-$php_major_version,
# - set the value given in your ping.path setting here. Give ping_path also
# - the concerning php_version in form
# - <php-version>:<ping-path>
# -
# - Multiple settings are possible, give a blank separated list.
# -
# - Example:
# -
# - ping_path="5.4:ping-site36_net 5.6:ping-oopen_de"
# -
ping_path=""
# - Additional Settings for check_website - checking (expected) website response
# -
# - example:
# - is_working_url="https://www.outoflineshop.de/"
# - check_string='ool-account-links'
# - include_cleanup_function=true
# - extra_alert_address="ilker@so36.net"
# - cleanup_function='
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/cache/*
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/session/*
# - /usr/local/bin/redis-cli flushall > /dev/null 2>&1
# - if [[ "$?" = "0" ]]; then
# - ok "I have cleaned up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\""
# - else
# - error "Cleaning up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\" failed!"
# - fi
# - /etc/init.d/redis_6379 restart
# - if [[ "$?" = "0" ]]; then
# - ok "I restarted the redis service"
# - echo -e "\t[ Ok ]: I restarted the redis service" >> $LOCK_DIR/extra_msg.txt
# - else
# - error "Restarting the redis server failed!"
# - echo -e "\t[ Error ]: Restarting the redis server failed!" >> $LOCK_DIR/extra_msg.txt
# - fi
# - '
# -
is_working_url=''
check_string=''
include_cleanup_function=true
# - An extra e-mail address, which will be informed, if the given check URL
# - does not response as expected (check_string) AFTER script checking, restarting
# - servervices (webserver, php-fpm) and cleaning up (cleanup_function) was done.
# -
extra_alert_address=''
# - php_version_of_working_url
# -
# - If given website (is_working_url) does not response as expected, this PHP FPM
# - engines will be restarted.
# -
# - Type "None" if site does not support php
# -
# - If php_version_of_working_url is not set, PHP FPM processes of ALL versions (php_versions)
# - will be restarted
# -
php_version_of_working_url=''
# - Notice:
# - If single qoutes "'" not needed inside cleanup function, then use single quotes
# - to enclose variable "cleanup_function". Then you don't have do masquerade any
# - sign inside.
# -
# - Otherwise use double quotes and masq any sign to prevent bash from interpreting.
# -
cleanup_function='
'
# - E-Mail settings for sending script messages
# -
from_address="root@`hostname -f`"
content_type='Content-Type: text/plain;\n charset="utf-8"'
to_addresses="root"

67
roles/common/files/mailserver/etc/postfix/header_checks.pcre
View File

@@ -1,43 +1,52 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---
# - Replace headers
# - Replace recieved from IPv4 / IPv6 header - hide senders IP address and also 'Authenticated sender'
# - Header Checks - /etc/postfix/header_checks
# ---
#
#/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\))(.*)\(Authenticated sender: ([^)]+)\)(.*)/ REPLACE Received: from anonymized.ipv4 (localhost [127.0.0.1])$2(Authenticated sender: hidden)$4
#
#/^Received: from (.*IP[vV]6:(([0-9a-f]{0,4}:){1,7}[0-9a-f]{1,4})\]\){0,1})(.*)\(Authenticated sender: ([^)]+)\)(.*)/ REPLACE Received: from anonymized.ipv6 (localhost [::1])$4(Authenticated sender: hidden)$6
# Ziel: offensichtlich kaputte RFC-Header ablehnen (wenig False Positives)
# - Replace recieved from IPv4 / IPv6 header - hide only sender IP address
#
#/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\))(.*)\(Authenticated sender: (.*) / REPLACE Received: from anonymized.ipv4 (localhost [127.0.0.1])$2(Authenticated sender: $3
########################################
# A) Kaputter From:-Header
########################################
#/^Received: from (.*IP[vV]6:(([0-9a-f]{0,4}:){1,7}[0-9a-f]{1,4})\]\){0,1})(.*)\(Authenticated sender: (.*) / REPLACE Received: from anonymized.ipv6 (localhost [::1])$4(Authenticated sender: $5
# 1) From: ist leer
/^From:\s*$/ REJECT Invalid From header (empty) - Spamschutzregel FROM-1001
# ---
# - Ignore Headers
# ---
#/^\s*User-Agent/ IGNORE
#/^\s*X-Enigmail/ IGNORE
#/^\s*X-Mailer/ IGNORE
#/^\s*X-Originating-IP/ IGNORE
# 2) Mehr als ein '@' im From:-Header -> syntaktisch kaputt
#/^From:.*@.*@/ REJECT Invalid From header (multiple @) - Spamschutzregel FROM-1002
# ---
# - Reject / Discard headers
# ---
# 3) Mehrere Mailboxen durch Komma getrennt (wie: Die@..., Lions@..., ...)
# (Legitime Fälle nutzen i.d.R. Display-Namen/Group-Syntax; dieses Muster ist in Spam sehr häufig)
/^From:\s*[^<>,]+@[^,]+,\s*[^<>,]+@/ REJECT Invalid From header (multiple mailboxes) - Spamschutzregel FROM-1003
/^To:.*<>/ REJECT Possible SPAM Blank email address To: header - Header-Spamschutzregel T0-1001
# 4) Typische kaputte UTF-8-Fragmente
/^From:.*\xC3\xA2/ REJECT Invalid UTF-8 in From header - Spamschutzregel FROM-1004
/\(envelope-from <>\)/ REJECT Possible SPAM - Header-Spamschutzregel RECIEV-1001
/^Reply-To: .+\@inx1and1\..+/ REJECT Possible SPAM - Header-Spamschutzregel REPLY-1001
########################################
# B) Optional: sehr spezifische lokale Blacklist
########################################
/^From:.*<>/ REJECT Possible SPAM - Header-Spamschutzregel FROM-1001
#/^Reply-To: .+\@inx1and1\..+/ REJECT Possible spam (local pattern)
/^Date: .* 19[0-9][0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1001
/^Date: .* 200[0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1002
/^Date: .* 201[0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1003
/^Date: .* 2020/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1004
########################################
# C) Warn
########################################
# Date-Rejects sind oft zu aggressiv -> wenn nötig: lieber taggen oder loggen statt reject
/^Date: .* 19[0-9][0-9]/ WARN Date far in the past Header-Spamschutzregel DATE-1001
/^Date: .* 200[0-9]/ WARN Date far in the past Header-Spamschutzregel DATE-1002
/^Date: .* 201[0-9]/ WARN Date far in the past Header-Spamschutzregel DATE-1003
########################################
# Bemerkungen
########################################
# (envelope-from <>) nicht pauschal rejecten:
# echte DSNs/Bounces haben legitimerweise MAIL FROM: <>
#/\(envelope-from <>\)/ REJECT Null envelope-from

4
roles/common/files/rage/etc/postfix/header_checks.pcre → roles/common/files/mailserver/etc/postfix/header_checks.pcre.01
View File

@@ -11,9 +11,9 @@
# - Replace recieved from IPv4 / IPv6 header - hide only sender IP address
#
/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\))(.*)\(Authenticated sender: (.*) / REPLACE Received: from anonymized.ipv4 (localhost [127.0.0.1])$2(Authenticated sender: $3
#/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\))(.*)\(Authenticated sender: (.*) / REPLACE Received: from anonymized.ipv4 (localhost [127.0.0.1])$2(Authenticated sender: $3
/^Received: from (.*IP[vV]6:(([0-9a-f]{0,4}:){1,7}[0-9a-f]{1,4})\]\){0,1})(.*)\(Authenticated sender: (.*) / REPLACE Received: from anonymized.ipv6 (localhost [::1])$4(Authenticated sender: $5
#/^Received: from (.*IP[vV]6:(([0-9a-f]{0,4}:){1,7}[0-9a-f]{1,4})\]\){0,1})(.*)\(Authenticated sender: (.*) / REPLACE Received: from anonymized.ipv6 (localhost [::1])$4(Authenticated sender: $5
# ---
# - Ignore Headers

262
roles/common/files/mx.warenform/root/bin/monitoring/conf/check_webservice_load.conf
View File

@@ -1,262 +0,0 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
#---------------------------------------
#-----------------------------
# Settings
#-----------------------------
#---------------------------------------
# ---
# - LOGGING
# -
# - This Parameter is now obsolete. If script is running in a terminal, then output ist verbose,
# - the output will be verbos. If running as cronjob, output will only be written, if warnings or
# - errors occurs.
# ---
# - CONFLICTING_SCRIPTS
# -
# - The scripts listed here conflict with this script. If one of these scripts
# - is currently running, this script will be stopped.
# -
# - In addition to the script, a LOCK directory can also be specified which is
# - connected to it.
# -
# - If no fixed LOCK directory is connected to the script, set
# - this value to the constant 'CHECK_PROCESS_LIST'.
# -
# - If no value for the LOCK directory is given, the LOCK directory
# - '/tmp/<base-script_name>.LOCK' is assumed.
# -
# -
# - Example:
# - CONFLICTING_SCRIPTS="
# - /root/bin/monitoring/check_webservice_load.sh:CHECK_PROCESS_LIST
# - /root/bin/monitoring/check_remote_websites.sh
# - "
# -
# - Defaults to:
# - CONFLICTING_SCRIPTS="/root/bin/monitoring/check_local_webservice.sh:/tmp/check_local_webservice.LOCK"
# -
#CONFLICTING_SCRIPTS=""
# - What to check
# -
check_load=true
check_mysql=false
check_mariadb=false
# - PostgreSQL
# -
# - NOT useful, if more than one PostgreSQL instances are running!
# -
check_postgresql=true
check_apache=true
check_nginx=false
check_php_fpm=true
check_redis=false
check_website=false
# TIMEOUT_CHECK_WEBSITE
#
# Maximum time in seconds that you allow for the response from the webserver.
#
# Defaults to:
# TIMEOUT_CHECK_WEBSITE=10
#
#TIMEOUT_CHECK_WEBSITE=10
# TIMEOUT_CHECK_PHP
#
# Maximum time in seconds that you allow for the response from the webserver.
#
# Defaults to:
# TIMEOUT_CHECK_PHP=10
#
#TIMEOUT_CHECK_PHP=10
# - If service is not listen on 127.0.0.1/loclhost, curl check must
# - be ommited
# -
# - Defaults to: ommit_curl_check_nginx=false
# -
#ommit_curl_check_nginx=false
# - Is this a vserver guest machine?
# -
# - Not VSerber guest host does not support systemd!
# -
# - defaults to: vserver_guest=false
# -
#vserver_guest=false
# - Additional Settings for check_mysql
# -
# - MySQL / MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mysql_credential_args="-u root -S /run/mysqld/mysqld.sock"
# - mysql_credential_args="--login-path=local"
# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
# - defaults to:
# - mysql_credential_args="--login-path=local"
# -
#mysql_credential_args="--login-path=local"
# - Additional Settings for check_mariadb
# -
# - MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mariadb_credential_args="-u root -S /run/mysqld/mysqld.sock"
# - mariadb_credential_args="--login-path=local"
# - mariadb_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mariadb_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
# - defaults to empty string
# - mariadb_credential_args=""
# -
#mariadb_credential_args=""
# - Additional Settings for check_php_fpm
# -
# - On Linux Vserver System set
# - curl_check_host=localhost
# -
# - On LX-Container set
# - curl_check_host=127.0.0.1
# -
curl_check_host=127.0.0.1
# - Which PHP versions should be supported by this script. If more than one,
# - give a blank separated list
# -
# - Example:
# - php_versions="5.4 5.6 7.0 7.1"
# -
php_versions="8.2"
# - If PHP-FPM's ping.path setting does not match ping-$php_major_version,
# - set the value given in your ping.path setting here. Give ping_path also
# - the concerning php_version in form
# - <php-version>:<ping-path>
# -
# - Multiple settings are possible, give a blank separated list.
# -
# - Example:
# -
# - ping_path="5.4:ping-site36_net 5.6:ping-oopen_de"
# -
ping_path=""
# - Additional Settings for check_website - checking (expected) website response
# -
# - example:
# - is_working_url="https://www.outoflineshop.de/"
# - check_string='ool-account-links'
# - include_cleanup_function=true
# - extra_alert_address="ilker@so36.net"
# - cleanup_function='
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/cache/*
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/session/*
# - /usr/local/bin/redis-cli flushall > /dev/null 2>&1
# - if [[ "$?" = "0" ]]; then
# - ok "I have cleaned up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\""
# - else
# - error "Cleaning up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\" failed!"
# - fi
# - /etc/init.d/redis_6379 restart
# - if [[ "$?" = "0" ]]; then
# - ok "I restarted the redis service"
# - echo -e "\t[ Ok ]: I restarted the redis service" >> $LOCK_DIR/extra_msg.txt
# - else
# - error "Restarting the redis server failed!"
# - echo -e "\t[ Error ]: Restarting the redis server failed!" >> $LOCK_DIR/extra_msg.txt
# - fi
# - '
# -
is_working_url=''
check_string=''
include_cleanup_function=true
# - An extra e-mail address, which will be informed, if the given check URL
# - does not response as expected (check_string) AFTER script checking, restarting
# - servervices (webserver, php-fpm) and cleaning up (cleanup_function) was done.
# -
extra_alert_address=''
# - php_version_of_working_url
# -
# - If given website (is_working_url) does not response as expected, this PHP FPM
# - engines will be restarted.
# -
# - Type "None" if site does not support php
# -
# - If php_version_of_working_url is not set, PHP FPM processes of ALL versions (php_versions)
# - will be restarted
# -
php_version_of_working_url=''
# - Notice:
# - If single qoutes "'" not needed inside cleanup function, then use single quotes
# - to enclose variable "cleanup_function". Then you don't have do masquerade any
# - sign inside.
# -
# - Otherwise use double quotes and masq any sign to prevent bash from interpreting.
# -
cleanup_function='
'
# - E-Mail settings for sending script messages
# -
from_address="root@`hostname -f`"
content_type='Content-Type: text/plain;\n charset="utf-8"'
to_addresses="root"

43
roles/common/files/o13-mail/etc/postfix/header_checks.pcre
View File

@@ -1,43 +0,0 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
# ---
# - Replace headers
# - Replace recieved from IPv4 / IPv6 header - hide senders IP address and also 'Authenticated sender'
#
/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\))(.*)\(Authenticated sender: ([^)]+)\)(.*)/ REPLACE Received: from anonymized.ipv4 (localhost [127.0.0.1])$2(Authenticated sender: hidden)$4
#
/^Received: from (.*IP[vV]6:(([0-9a-f]{0,4}:){1,7}[0-9a-f]{1,4})\]\){0,1})(.*)\(Authenticated sender: ([^)]+)\)(.*)/ REPLACE Received: from anonymized.ipv6 (localhost [::1])$4(Authenticated sender: hidden)$6
# - Replace recieved from IPv4 / IPv6 header - hide only sender IP address
#
#/^Received: from (.* \([-._[:alnum:]]+ \[[.[:digit:]]{7,15}\]\))(.*)\(Authenticated sender: (.*) / REPLACE Received: from anonymized.ipv4 (localhost [127.0.0.1])$2(Authenticated sender: $3
#/^Received: from (.*IP[vV]6:(([0-9a-f]{0,4}:){1,7}[0-9a-f]{1,4})\]\){0,1})(.*)\(Authenticated sender: (.*) / REPLACE Received: from anonymized.ipv6 (localhost [::1])$4(Authenticated sender: $5
# ---
# - Ignore Headers
# ---
#/^\s*User-Agent/ IGNORE
#/^\s*X-Enigmail/ IGNORE
#/^\s*X-Mailer/ IGNORE
#/^\s*X-Originating-IP/ IGNORE
# ---
# - Reject / Discard headers
# ---
/^To:.*<>/ REJECT Possible SPAM Blank email address To: header - Header-Spamschutzregel T0-1001
/\(envelope-from <>\)/ REJECT Possible SPAM - Header-Spamschutzregel RECIEV-1001
/^Reply-To: .+\@inx1and1\..+/ REJECT Possible SPAM - Header-Spamschutzregel REPLY-1001
/^From:.*<>/ REJECT Possible SPAM - Header-Spamschutzregel FROM-1001
/^Date: .* 19[0-9][0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1001
/^Date: .* 200[0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1002
/^Date: .* 201[0-9]/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1003
/^Date: .* 2020/ REJECT Date from the past. Fix your system clock. - Header-Spamschutzregel DATE-1004

178
roles/common/files/o13-mail/root/bin/monitoring/conf/check_webservice_load.conf
View File

@@ -1,178 +0,0 @@
# *** [ Ansible managed: DO NOT EDIT DIRECTLY ] ***
#---------------------------------------
#-----------------------------
# Settings
#-----------------------------
#---------------------------------------
# ---
# - LOGGING
# -
# - This Parameter is now obsolete. If script is running in a terminal, then output ist verbose,
# - the output will be verbos. If running as cronjob, output will only be written, if warnings or
# - errors occurs.
# ---
# - What to check
# -
check_load=true
check_mysql=false
# - PostgreSQL
# -
# - NOT useful, if more than one PostgreSQL instances are running!
# -
check_postgresql=true
check_apache=true
check_nginx=false
check_php_fpm=true
check_redis=false
check_website=false
# - If service is not listen on 127.0.0.1/loclhost, curl check must
# - be ommited
# -
# - Defaults to: ommit_curl_check_nginx=false
# -
#ommit_curl_check_nginx=false
# - Is this a vserver guest machine?
# -
# - Not VSerber guest host does not support systemd!
# -
# - defaults to: vserver_guest=false
# -
#vserver_guest=false
# - Additional Settings for check_mysql
# -
# - MySQL / MariaDB credentials
# -
# - Giving password on command line is insecure an sind mysql 5.5
# - you will get a warning doing so.
# -
# - Reading username/password fro file ist also possible, using MySQL/MariaDB
# - commandline parameter '--defaults-file'.
# -
# - Since Mysql Version 5.6, you can read username/password from
# - encrypted file.
# -
# - Create (encrypted) option file:
# - $ mysql_config_editor set --login-path=local --socket=/tmp/mysql.sock --user=root --password
# - $ Password:
# -
# - Use of option file:
# - $ mysql --login-path=local ...
# -
# - Example
# - mysql_credential_args="--login-path=local"
# - mysql_credential_args="--defaults-file=/etc/mysql/debian.cnf" (Debian default)
# - mysql_credential_args="--defaults-file=/usr/local/mysql/sys-maint.cnf"
# -
mysql_credential_args=""
# - Additional Settings for check_php_fpm
# -
# - On Linux Vserver System set
# - curl_check_host=localhost
# -
# - On LX-Container set
# - curl_check_host=127.0.0.1
# -
curl_check_host=127.0.0.1
# - Which PHP versions should be supported by this script. If more than one,
# - give a blank separated list
# -
# - Example:
# - php_versions="5.4 5.6 7.0 7.1"
# -
php_versions="8.2"
# - If PHP-FPM's ping.path setting does not match ping-$php_major_version,
# - set the value given in your ping.path setting here. Give ping_path also
# - the concerning php_version in form
# - <php-version>:<ping-path>
# -
# - Multiple settings are possible, give a blank separated list.
# -
# - Example:
# -
# - ping_path="5.4:ping-site36_net 5.6:ping-oopen_de"
# -
ping_path=""
# - Additional Settings for check_website - checking (expected) website response
# -
# - example:
# - is_working_url="https://www.outoflineshop.de/"
# - check_string='ool-account-links'
# - include_cleanup_function=true
# - extra_alert_address="ilker@so36.net"
# - cleanup_function='
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/cache/*
# - rm -rf /var/www/www.outoflineshop.de/htdocs/var/session/*
# - /usr/local/bin/redis-cli flushall > /dev/null 2>&1
# - if [[ "$?" = "0" ]]; then
# - ok "I have cleaned up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\""
# - else
# - error "Cleaning up directory \"/var/www/www.outoflineshop.de/htdocs/var/cache/\" failed!"
# - fi
# - /etc/init.d/redis_6379 restart
# - if [[ "$?" = "0" ]]; then
# - ok "I restarted the redis service"
# - echo -e "\t[ Ok ]: I restarted the redis service" >> $LOCK_DIR/extra_msg.txt
# - else
# - error "Restarting the redis server failed!"
# - echo -e "\t[ Error ]: Restarting the redis server failed!" >> $LOCK_DIR/extra_msg.txt
# - fi
# - '
# -
is_working_url=''
check_string=''
include_cleanup_function=true
# - An extra e-mail address, which will be informed, if the given check URL
# - does not response as expected (check_string) AFTER script checking, restarting
# - servervices (webserver, php-fpm) and cleaning up (cleanup_function) was done.
# -
extra_alert_address=''
# - php_version_of_working_url
# -
# - If given website (is_working_url) does not response as expected, this PHP FPM
# - engines will be restarted.
# -
# - Type "None" if site does not support php
# -
# - If php_version_of_working_url is not set, PHP FPM processes of ALL versions (php_versions)
# - will be restarted
# -
php_version_of_working_url=''
# - Notice:
# - If single qoutes "'" not needed inside cleanup function, then use single quotes
# - to enclose variable "cleanup_function". Then you don't have do masquerade any
# - sign inside.
# -
# - Otherwise use double quotes and masq any sign to prevent bash from interpreting.
# -
cleanup_function='
'
# - E-Mail settings for sending script messages
# -
from_address="root@`hostname -f`"
content_type='Content-Type: text/plain;\n charset="utf-8"'
to_addresses="root"

5
roles/common/files/rage/etc/postfix/postfwd.wl-nets
View File

@@ -16,3 +16,8 @@
# d.mx.oopen.de (listen server)
95.217.204.227
2a01:4f9:4a:47e5::227
# b.mx.oopen.de
162.55.82.73/32
2a01:4f8:271:1266::73
~

25
roles/common/tasks/apache2.yml
View File

@@ -1,5 +1,4 @@
---
# ---
# Apache2 Server
# ---
@@ -7,31 +6,29 @@
- name: Populate service facts
ansible.builtin.service_facts:
#- name: Print service facts
# ansible.builtin.debug:
# var: ansible_facts.services
# when:
# - ansible_facts['services']['apache2.service']['name'] | default('not-found') != 'not-found'
# - name: Print service facts
# ansible.builtin.debug:
# var: ansible_facts.services
# when:
# - ansible_facts['services']['apache2.service']['name'] | default('not-found') != 'not-found'
- name: (apache2.yml) Ensure directory '/etc/systemd/system/apache2.service.d' is present
file:
ansible.builtin.file:
path: /etc/systemd/system/apache2.service.d
state: directory
owner: root
group: root
mode: '0755'
mode: "0755"
when:
- ansible_facts['services']['apache2.service']['name'] | default('not-found') != 'not-found'
- name: (apache2.yml) Ensure file '/etc/systemd/system/apache2.service.d/limits.conf' exists
copy:
src: 'etc/systemd/system/apache2.service.d/limits.conf'
dest: '/etc/systemd/system/apache2.service.d/limits.conf'
ansible.builtin.copy:
src: "etc/systemd/system/apache2.service.d/limits.conf"
dest: "/etc/systemd/system/apache2.service.d/limits.conf"
owner: root
group: root
mode: '0644'
mode: "0644"
notify: "Restart apache2"
when:
- ansible_facts['services']['apache2.service']['name'] | default('not-found') != 'not-found'

2
roles/common/tasks/apt.yml
View File

@@ -2,7 +2,7 @@
- name: (apt.yml) update configuration file - /etc/apt/sources.list
template:
src: "etc/apt/sources.list.{{ ansible_distribution }}.j2"
src: "etc/apt/sources.list.{{ ansible_facts['distribution'] }}.j2"
dest: /etc/apt/sources.list
owner: root
group: root

24
roles/common/tasks/caching-nameserver.yml
View File

@@ -10,7 +10,7 @@
update_cache: true
cache_valid_time: "{{ 0 if apt_config_updated is defined and apt_config_updated.changed else apt_update_cache_valid_time }}"
when:
- ansible_distribution == "Debian"
- ansible_facts["distribution"] == "Debian"
- apt_update|bool
tags:
- apt-caching-nameserver
@@ -21,7 +21,7 @@
changed_when: (_dpkg_configure.stdout | default('')) | length > 0
failed_when: _dpkg_configure.rc != 0
when:
- ansible_distribution == "Debian"
- ansible_facts["distribution"] == "Debian"
- apt_update|bool
tags:
- apt-caching-nameserver
@@ -33,7 +33,7 @@
update_cache: true
dpkg_options: "{{ apt_upgrade_dpkg_options | join(',') }}"
when:
- ansible_distribution == "Debian"
- ansible_facts["distribution"] == "Debian"
- apt_dpkg_configure|bool
tags:
- apt-caching-nameserver
@@ -44,7 +44,7 @@
name: "{{ apt_bind_pkgs }}"
state: present
when:
- ansible_distribution == "Debian"
- ansible_facts["distribution"] == "Debian"
- install_bind_packages|bool == true
tags:
- apt-caching-nameserver
@@ -60,8 +60,8 @@
update_cache: yes
#cache_valid_time: 3600
when:
- ansible_os_family == "RedHat"
- ansible_distribution == "CentOS"
- ansible_facts.os_family == "RedHat"
- ansible_facts["distribution"] == "CentOS"
tags:
- yum-update
@@ -70,8 +70,8 @@
name: "{{ yum_bind_pks }}"
state: "{{ yum_install_state }}"
when:
- ansible_os_family == "RedHat"
- ansible_distribution == "CentOS"
- ansible_facts.os_family == "RedHat"
- ansible_facts["distribution"] == "CentOS"
tags:
- yum-caching-nameserver
@@ -87,7 +87,7 @@
group: bind
mode: '0755'
when:
- ansible_distribution == "Debian"
- ansible_facts["distribution"] == "Debian"
- name: (caching-nameserver.yml) update named.conf.options configuration file (normal server)
@@ -104,7 +104,7 @@
- apt-caching-nameserver
- caching-nameserver
when:
- ansible_distribution == "Debian"
- ansible_facts["distribution"] == "Debian"
- inventory_hostname not in groups["gateway_server"]
# --------------------
@@ -130,7 +130,7 @@
- apt-caching-nameserver
- caching-nameserver
when:
- ansible_distribution == "Debian"
- ansible_facts["distribution"] == "Debian"
- inventory_hostname in groups["gateway_server"]
# - not file_named_conf_options.stat.exists
@@ -150,6 +150,6 @@
tags:
- apt-caching-nameserver
when:
- ansible_distribution == "Debian"
- ansible_facts["distribution"] == "Debian"
- not systemd_resolved

77
roles/common/tasks/cron.yml
View File

@@ -1,5 +1,82 @@
---
- name: (cron.yml) Define candidate paths for root crontab PATH
ansible.builtin.set_fact:
cron_root_path_candidates:
- /root/bin/admin-stuff
- /root/bin
- /usr/local/apache2/bin
- /usr/local/php/bin
- /usr/local/sbin
- /usr/local/bin
- /usr/sbin
- /usr/bin
- /sbin
- /bin
tags:
- user_crontab
- name: (cron.yml) Check candidate paths for root crontab PATH
ansible.builtin.stat:
path: "{{ item }}"
loop: "{{ cron_root_path_candidates }}"
register: cron_root_path_stats
tags:
- user_crontab
- name: (cron.yml) Build validated root crontab PATH
ansible.builtin.set_fact:
cron_root_path: >-
{{
cron_root_path_stats.results
| selectattr('stat.exists')
| map(attribute='stat.path')
| join(':')
}}
tags:
- user_crontab
- name: (cron.yml) Check if root crontab already exists
ansible.builtin.stat:
path: /var/spool/cron/crontabs/root
register: root_crontab_file
tags:
- user_crontab
- name: (cron.yml) Initialize root crontab with default header and env vars
ansible.builtin.copy:
dest: /var/spool/cron/crontabs/root
owner: root
group: crontab
mode: '0600'
content: |
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').
#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
PATH={{ cron_root_path }}
SHELL=/bin/bash
when:
- not root_crontab_file.stat.exists
tags:
- user_crontab
- name: (cron.yml) Set env entries in user crontabs
cron:
name: '{{ item.name }}'

26
roles/common/tasks/extrepo.yml Normal file
View File

@@ -0,0 +1,26 @@
---
- name: (extrepo.yml) Install extrepo package
ansible.builtin.apt:
name: extrepo
state: present
tags:
- extrepo
- name: (extrepo.yml) Enable contrib policy in /etc/extrepo/config.yaml
ansible.builtin.lineinfile:
path: /etc/extrepo/config.yaml
regexp: '^(#\s*)?-\s*contrib$'
insertafter: '^- main$'
line: '- contrib'
tags:
- extrepo
- name: (extrepo.yml) Enable non-free policy in /etc/extrepo/config.yaml
ansible.builtin.lineinfile:
path: /etc/extrepo/config.yaml
regexp: '^(#\s*)?-\s*non-free$'
insertafter: '^- contrib$'
line: '- non-free'
tags:
- extrepo

13
roles/common/tasks/git.yml
View File

@@ -331,12 +331,17 @@
# ---
# Read in host specific vars file if exists
- name: (git.yml) Check for host specific git vars file
stat:
path: "vars/git-{{ inventory_hostname }}.yml"
register: git_host_vars_file
tags:
- git-other-repositories
- name: (git.yml) Include only files matching git-<hostname>.yml (2.2)
include_vars:
dir: vars
extensions:
- yml
files_matching: "git-{{ inventory_hostname }}.yml"
file: "vars/git-{{ inventory_hostname }}.yml"
when: git_host_vars_file.stat.exists
tags:
- git-other-repositories

56
roles/common/tasks/main.yml
View File

@@ -1,8 +1,7 @@
---
- import_tasks: show.yml
tags:
- show
- show
# tags supported inside basic.yml
#
@@ -13,7 +12,6 @@
tags:
- basic
# tags supported inside apt.yml
#
# apt-update
@@ -34,6 +32,15 @@
- ansible_facts['distribution'] == "Debian"
tags: apt
# tags supported inside extrepo.yml
#
# extrepo
- import_tasks: extrepo.yml
when:
- ansible_facts['distribution'] == "Debian"
- (ansible_facts['distribution_major_version'] | int) >= 12
tags:
- extrepo
# tags supported inside apt-gateway.yml:
#
@@ -44,7 +51,6 @@
- apt
- apt-gateway-server
#
# yum-update
# yum-base-install
@@ -55,7 +61,6 @@
- ansible_facts.distribution == "CentOS" or ansible_facts.distribution == "Fedora"
tags: yum
# tags supportetd inside caching-nameserver.yml
#
# apt-caching-nameserver
@@ -65,7 +70,6 @@
when: groups['caching_nameserver']|string is search(inventory_hostname)
tags: caching-nameserver
# tags supported inside systemd-resolved.yml
#
# systemd-resolved
@@ -77,17 +81,15 @@
- ansible_facts['distribution_major_version'] > "11"
- systemd_resolved is defined and systemd_resolved|bool
- import_tasks: tor.yml
when:
- inventory_hostname in groups['mail_server']
- ansible_facts['distribution'] == "Debian"
tags:
tags:
- tor-service
- import_tasks: cron.yml
tags:
tags:
- cron
# tags supported inside shell.yml
@@ -99,10 +101,9 @@
when:
- ansible_facts['distribution'] == "Debian"
tags:
- shell-config
- vim-config
- zsh-config
- shell-config
- vim-config
- zsh-config
# tags supported inside users.yml:
#
@@ -115,21 +116,19 @@
# root-defaut-ssh-keypair
# insert_root_ssh_public_key
- import_tasks: users.yml
tags:
tags:
- users
# tags supported inside users-systemfiles.yml:
#
# bash
# profile
# vim
- import_tasks: users-systemfiles.yml
tags:
tags:
- users
- users-systemfiles
# tags supported inside webadmin-user.yml:
#
# users-exists
@@ -140,19 +139,17 @@
# insert_webadmin_ssh_public_key
- import_tasks: webadmin-user.yml
when: groups['webadmin']|string is search(inventory_hostname)
tags:
tags:
- users
- users-systemfiles
- webadmin
# tags supported inside sshd.yml
#
# sshd-config
- import_tasks: sshd.yml
tags: sshd
# tags supported inside sudoers.yml:
#
# sudoers-remove
@@ -161,18 +158,17 @@
- import_tasks: sudoers.yml
tags: sudoers
- import_tasks: motd.yml
tags: motd
# tags supported inside ntp.yml:
#
# ntp-server
- import_tasks: ntp.yml
tags:
- ntp
when:
- "'lxc_guest' not in group_names"
# tags supportetd inside git.yml
#
@@ -196,7 +192,6 @@
- import_tasks: git.yml
tags: git
# tags supported inside nfs.yml:
#
# nfs-server
@@ -205,7 +200,6 @@
tags:
- nfs
# tags supported inside x2go-server.yml:
#
# x2go-server
@@ -214,7 +208,6 @@
tags:
- x2go
# tags supported inside copy_files.yml:
#
# copy-files
@@ -231,7 +224,6 @@
tags:
- symlink-files
# tags supported inside config_files_mailsystem_scripts.yml:
#
- import_tasks: config_files_mailsystem_scripts.yml
@@ -274,9 +266,9 @@
- remove-samba-user
- import_tasks: redis-server.yml
when: inventory_hostname in groups['nextcloud_server'] or
inventory_hostname in groups['apache2_webserver'] or
inventory_hostname in groups['nginx_webserver']
when: inventory_hostname in groups['nextcloud_server'] or
inventory_hostname in groups['apache2_webserver'] or
inventory_hostname in groups['nginx_webserver']
tags:
- redis-server
@@ -297,10 +289,8 @@
tags:
- services
- import_tasks: systemd-services_redhat_based_OS.yml
when:
- ansible_facts.os_family == "RedHat"
tags:
- services

29
roles/common/tasks/users.yml
View File

@@ -1,5 +1,31 @@
---
# ---
# - Set base home directory
# ---
- name: HOME in /etc/default/useradd setzen oder hinter Kommentar einfügen
ansible.builtin.lineinfile:
path: /etc/default/useradd
regexp: '^HOME='
insertafter: '^#\s*HOME='
line: "HOME={{ base_home }}"
backup: true
when:
- base_home is defined
- base_home != '/home'
- name: DHOME in /etc/adduser.conf setzen oder hinter Kommentar einfügen
ansible.builtin.lineinfile:
path: /etc/adduser.conf
regexp: '^DHOME='
insertafter: '^#\s*DHOME='
line: "DHOME={{ base_home }}"
backup: true
when:
- base_home is defined
- base_home != '/home'
# ---
# - default user/groups
# ---
@@ -22,8 +48,7 @@
state: present
uid: '{{ item.user_id | default(omit) }}'
group: '{{ item.group | default(omit) }}'
#group: '{{ item.name | default(omit) }}'
home: '{{ item.home | default(omit) }}'
home: "{{ item.home | default('/home/' ~ item.name) }}"
shell: '{{ item.shell|d("/bin/bash") }}'
password: "{{ item.password }}"
update_password: on_create

5
roles/common/tasks/x2go-server.yml
View File

@@ -9,10 +9,11 @@
name:
- x2goserver
- x2goserver-xsession
- x2gobroker-daemon
- x2goserver-printing
- cups-x2go
state: present
when:
- ansible_os_family == "Debian"
- ansible_facts.os_family == "Debian"
- "groups['x2go_server']|string is search(inventory_hostname)"
tags:
- x2g--server

56
roles/common/templates/etc/apt/sources.list.Debian.j2
View File

@@ -1,57 +1,57 @@
# {{ ansible_managed }}
deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} main
{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} main
deb {{ apt_debian_mirror }} {{ ansible_facts["lsb"]["codename"] }} main
{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_facts["lsb"]["codename"] }} main
{% if ansible_facts['distribution_major_version'] | int >= 12 %}
deb http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free non-free-firmware
deb http://security.debian.org/debian-security {{ ansible_facts["lsb"]["codename"] }}-security main contrib non-free non-free-firmware
{% elif ansible_facts['distribution_major_version'] | int == 11 %}
deb http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free
deb http://security.debian.org/debian-security {{ ansible_facts["lsb"]["codename"] }}-security main contrib non-free
{% else %}
deb http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free
deb http://security.debian.org/ {{ ansible_facts["lsb"]["codename"] }}/updates main contrib non-free
{% endif %}
{% if not apt_src_enable %}
{% if ansible_facts['distribution_major_version'] | int >= 12 %}
#deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free non-free-firmware
#deb-src http://security.debian.org/debian-security {{ ansible_facts["lsb"]["codename"] }}-security main contrib non-free non-free-firmware
{% elif ansible_facts['distribution_major_version'] | int == 11 %}
#deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free
#deb-src http://security.debian.org/debian-security {{ ansible_facts["lsb"]["codename"] }}-security main contrib non-free
{% else %}
#deb-src http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free
#deb-src http://security.debian.org/ {{ ansible_facts["lsb"]["codename"] }}/updates main contrib non-free
{% endif %}
{% else %}
{% if ansible_facts['distribution_major_version'] | int >= 12 %}
deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free non-free-firmware
deb-src http://security.debian.org/debian-security {{ ansible_facts["lsb"]["codename"] }}-security main contrib non-free non-free-firmware
{% elif ansible_facts['distribution_major_version'] | int == 11 %}
deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free
deb-src http://security.debian.org/debian-security {{ ansible_facts["lsb"]["codename"] }}-security main contrib non-free
{% else %}
deb-src http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free
deb-src http://security.debian.org/ {{ ansible_facts["lsb"]["codename"] }}/updates main contrib non-free
{% endif %}
{% endif %}
# {{ ansible_lsb.codename }}-updates, previously known as 'volatile'
deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates main
{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates main
# {{ ansible_facts["lsb"]["codename"] }}-updates, previously known as 'volatile'
deb {{ apt_debian_mirror }} {{ ansible_facts["lsb"]["codename"] }}-updates main
{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_facts["lsb"]["codename"] }}-updates main
# Contrib packages contain DFSG-compliant software,
# but have dependencies not in main (possibly packaged for Debian in non-free).
# Non-free contains software that does not comply with the DFSG.
{% if apt_debian_contrib_nonfree_enable %}
{% if ansible_facts['distribution_major_version'] | int >= 12 %}
deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free non-free-firmware
{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free non-free-firmware
deb {{ apt_debian_mirror }} {{ ansible_facts["lsb"]["codename"] }} contrib non-free non-free-firmware
{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_facts["lsb"]["codename"] }} contrib non-free non-free-firmware
{% else %}
deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free
{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} contrib non-free
deb {{ apt_debian_mirror }} {{ ansible_facts["lsb"]["codename"] }} contrib non-free
{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_facts["lsb"]["codename"] }} contrib non-free
{% endif %}
{% endif %}
{% if apt_debian_contrib_nonfree_enable %}
{% if ansible_facts['distribution_major_version'] | int >= 12 %}
deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates contrib non-free non-free-firmware
{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates contrib non-free non-free-firmware
deb {{ apt_debian_mirror }} {{ ansible_facts["lsb"]["codename"] }}-updates contrib non-free non-free-firmware
{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_facts["lsb"]["codename"] }}-updates contrib non-free non-free-firmware
{% else %}
deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates contrib non-free
{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates contrib non-free
deb {{ apt_debian_mirror }} {{ ansible_facts["lsb"]["codename"] }}-updates contrib non-free
{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_facts["lsb"]["codename"] }}-updates contrib non-free
{% endif %}
{% endif %}
@@ -60,14 +60,14 @@ deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates contrib non-free
# # newer versions of some applications which may provide useful features.
{% if apt_backports_enable %}
{% if ansible_facts['distribution_major_version'] | int >= 12 %}
deb {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free non-free-firmware
{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free non-free-firmware
deb {{ apt_debian_mirror }} {{ ansible_facts["distribution_release"] }}-backports main contrib non-free non-free-firmware
{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_facts["distribution_release"] }}-backports main contrib non-free non-free-firmware
{% elif ansible_facts['distribution_major_version'] | int == 11 %}
deb {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free
{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free
deb {{ apt_debian_mirror }} {{ ansible_facts["distribution_release"] }}-backports main contrib non-free
{{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_facts["distribution_release"] }}-backports main contrib non-free
{% else %}
#deb {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free
#deb-src {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free
#deb {{ apt_debian_mirror }} {{ ansible_facts["distribution_release"] }}-backports main contrib non-free
#deb-src {{ apt_debian_mirror }} {{ ansible_facts["distribution_release"] }}-backports main contrib non-free
{% endif %}
{% endif %}

8
roles/common/templates/etc/apt/sources.list.Ubuntu.j2
View File

@@ -1,11 +1,11 @@
# {{ ansible_managed }}
deb {{ apt_ubuntu_mirror }} {{ ansible_lsb.codename }} main restricted universe multiverse
deb {{ apt_ubuntu_mirror }} {{ ansible_lsb.codename }}-updates main restricted universe multiverse
deb {{ apt_ubuntu_mirror }} {{ ansible_facts["lsb"]["codename"] }} main restricted universe multiverse
deb {{ apt_ubuntu_mirror }} {{ ansible_facts["lsb"]["codename"] }}-updates main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu {{ ansible_lsb.codename }}-security main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu {{ ansible_facts["lsb"]["codename"] }}-security main restricted universe multiverse
{% if apt_backports_enable %}
deb {{ apt_ubuntu_mirror }} {{ ansible_lsb.codename }}-backports main restricted universe multiverse
deb {{ apt_ubuntu_mirror }} {{ ansible_facts["lsb"]["codename"] }}-backports main restricted universe multiverse
{% endif %}

7
roles/common/templates/etc/ntpsec/ntp.conf.j2
View File

@@ -4,9 +4,10 @@ driftfile /var/lib/ntpsec/ntp.drift
leapfile /usr/share/zoneinfo/leap-seconds.list
# To enable Network Time Security support as a server, obtain a certificate
# (e.g. with Let's Encrypt), configure the paths below, and uncomment:
# nts cert CERT_FILE
# nts key KEY_FILE
# (e.g., with Let's Encrypt), place the cert and key in the paths below, and
# uncomment:
# nts cert /etc/ntpsec/cert-chain.pem
# nts key /etc/ntpsec/key.pem
# nts enable
# You must create /var/log/ntpsec (owned by ntpsec:ntpsec) to enable logging.

5
roles/common/templates/usr/local/src/mailsystem/conf/install_update_dovecot.conf.j2
View File

@@ -194,6 +194,11 @@ auth_mechanisms="plain login"
# - Settings for quota warning sript
# -
{% if dovecot_msg_language is defined and dovecot_msg_language %}
msg_language="{{ dovecot_msg_language }}"
{% else %}
msg_language=
{% endif %}
{% if dovecot_from_address is defined and dovecot_from_address %}
from_address="{{ dovecot_from_address }}"
{% else %}

4
roles/firewall/tasks/ipt-server.yml
View File

@@ -1789,7 +1789,7 @@
- load_modules_ipv6.conf
- logging_ipv4.conf
- logging_ipv6.conf
- post_decalrations.conf
- post_declarations.conf
register: diff_output
- name: Ensure common configuration files are latest
@@ -1801,7 +1801,7 @@
- load_modules_ipv6.conf
- logging_ipv4.conf
- logging_ipv6.conf
- post_decalrations.conf
- post_declarations.conf
when:
- (git_firewall_repository is defined) and (git_firewall_repository|length > 0)
- diff_output.changed

121
roles/modify-ipt-gateway/tasks/main.yml
View File

@@ -60,46 +60,16 @@
notify:
- Restart IPv6 Firewall
- name: addjust line 'jitsi_udp_ports' (IPv4)
- name: addjust line 'dynaddr_flag' (IPv4)
lineinfile:
path: /etc/ipt-firewall/main_ipv4.conf
regexp: '^jitsi_udp_ports='
line: 'jitsi_udp_ports="$standard_jitsi_udp_ports"'
regexp: '^dynaddr_flag='
line: 'dynaddr_flag="$default_dynaddr_flag"'
when:
- main_ipv4_exists.stat.exists
notify:
- Restart IPv4 Firewall
- name: addjust line 'jitsi_udp_ports' (IPv6)
lineinfile:
path: /etc/ipt-firewall/main_ipv6.conf
regexp: '^jitsi_udp_ports='
line: 'jitsi_udp_ports="$standard_jitsi_udp_ports"'
when:
- main_ipv6_exists.stat.exists
notify:
- Restart IPv6 Firewall
- name: addjust line 'bigbluebutton_udp_ports' (IPv4)
lineinfile:
path: /etc/ipt-firewall/main_ipv4.conf
regexp: '^bigbluebutton_udp_ports='
line: 'bigbluebutton_udp_ports="$standard_bigbluebutton_udp_ports"'
when:
- main_ipv4_exists.stat.exists
notify:
- Restart IPv4 Firewall
- name: addjust line 'bigbluebutton_udp_ports' (IPv6)
lineinfile:
path: /etc/ipt-firewall/main_ipv6.conf
regexp: '^bigbluebutton_udp_ports='
line: 'bigbluebutton_udp_ports="$standard_bigbluebutton_udp_ports"'
when:
- main_ipv6_exists.stat.exists
notify:
- Restart IPv6 Firewall
- name: addjust line 'adjust_kernel_parameters' (IPv6)
lineinfile:
path: /etc/ipt-firewall/main_ipv6.conf
@@ -120,7 +90,6 @@
notify:
- Restart IPv6 Firewall
- name: addjust line 'blocked_ips' (IPv4)
lineinfile:
path: /etc/ipt-firewall/main_ipv4.conf
@@ -138,65 +107,83 @@
# ---
# Add additional SMTP ports OUT
# Add MS SQL Datenbank Services
# ---
- name: Check if String 'allow_ipmi_request_in..' (IPv4) is present
shell: grep -q -E "^#?allow_ipmi_request_in=" /etc/ipt-firewall/main_ipv4.conf
register: allow_ipmi_request_in_ipv4_present
- name: Check if String 'ms_sql_server_local_ips..' (IPv4) is present
shell: grep -q -E "^#?ms_sql_server_local_ips=" /etc/ipt-firewall/main_ipv4.conf
register: ms_sql_server_local_ips_ipv4_present
when: main_ipv4_exists.stat.exists
failed_when: "allow_ipmi_request_in_ipv4_present.rc > 1"
changed_when: "allow_ipmi_request_in_ipv4_present.rc > 0"
failed_when: "ms_sql_server_local_ips_ipv4_present.rc > 1"
changed_when: "ms_sql_server_local_ips_ipv4_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (allow_ipmi_request_in)
- name: Adjust file '/etc/ipt-firewall/main_ipv4.conf' (ms_sql_server_local_ips)
blockinfile:
path: /etc/ipt-firewall/main_ipv4.conf
insertafter: '^#?\s*ipmi_tcp_ports='
insertafter: '^#?\s*declare -A samba_server_dmz_arr'
block: |
# - Allow Access to IPMI Interfaces from outside
# ======
# - MS SQL Datenbank Services
# ======
# - MS SQL Datenbank Services
# -
# - Note:
# - In addition, ports
# - Standardports:
# -
# - TCP :443, 3520, 5900
# - UDP: 623
# - Microsoft SQL Server: 1433/tcp (ms-sql-s)
# - Microsoft SQL Monitor: 1434/udp (ms-sql-m)
# -
# - must be forwarded to the IP address of the IPMI network interface in the router (e.g., Fritzbox).
ms_sql_s_tcp_ports="${standard_ms_sql_s_port}"
ms_sql_m_udp_ports="${standard_ms_sql_m_port}"
# - Micrisoft SQL Services local networks
# -
allow_ipmi_request_in=false
marker: "# Marker set by modify-ipt-gateway.yml (allow_ipmi_request_in)"
# - 192.168.10.18
# -
ms_sql_server_local_ips=""
marker: "# Marker set by modify-ipt-gateway.yml (ms_sql_server_local_ips)"
when:
- main_ipv4_exists.stat.exists
- allow_ipmi_request_in_ipv4_present is changed
- ms_sql_server_local_ips_ipv4_present is changed
- name: Check if String 'allow_ipmi_request_in..' (IPv6) is present
shell: grep -q -E "^#?allow_ipmi_request_in=" /etc/ipt-firewall/main_ipv6.conf
register: allow_ipmi_request_in_ipv6_present
- name: Check if String 'ms_sql_server_local_ips..' (IPv6) is present
shell: grep -q -E "^#?ms_sql_server_local_ips=" /etc/ipt-firewall/main_ipv6.conf
register: ms_sql_server_local_ips_ipv6_present
when: main_ipv6_exists.stat.exists
failed_when: "allow_ipmi_request_in_ipv6_present.rc > 1"
changed_when: "allow_ipmi_request_in_ipv6_present.rc > 0"
failed_when: "ms_sql_server_local_ips_ipv6_present.rc > 1"
changed_when: "ms_sql_server_local_ips_ipv6_present.rc > 0"
- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (allow_ipmi_request_in)
- name: Adjust file '/etc/ipt-firewall/main_ipv6.conf' (ms_sql_server_local_ips)
blockinfile:
path: /etc/ipt-firewall/main_ipv6.conf
insertafter: '^#?\s*ipmi_tcp_ports='
insertafter: '^#?\s*declare -A samba_server_dmz_arr'
block: |
# - Allow Access to IPMI Interfaces from outside
# ======
# - MS SQL Datenbank Services
# ======
# - MS SQL Datenbank Services
# -
# - Note:
# - In addition, ports
# - Standardports:
# -
# - TCP :443, 3520, 5900
# - UDP: 623
# - Microsoft SQL Server: 1433/tcp (ms-sql-s)
# - Microsoft SQL Monitor: 1434/udp (ms-sql-m)
# -
# - must be forwarded to the IP address of the IPMI network interface in the router (e.g., Fritzbox).
ms_sql_s_tcp_ports="${standard_ms_sql_s_port}"
ms_sql_m_udp_ports="${standard_ms_sql_m_port}"
# - Micrisoft SQL Services local networks
# -
allow_ipmi_request_in=false
marker: "# Marker set by modify-ipt-gateway.yml (allow_ipmi_request_in)"
# - 192.168.10.18
# -
ms_sql_server_local_ips=""
marker: "# Marker set by modify-ipt-gateway.yml (ms_sql_server_local_ips)"
when:
- main_ipv6_exists.stat.exists
- allow_ipmi_request_in_ipv6_present is changed
- ms_sql_server_local_ips_ipv6_present is changed
# ---

Some files were not shown because too many files have changed in this diff Show More