Merge branch 'master' into fetlab

README.md

@@ -0,0 +1,20 @@
+# Ansible configuration management for FET IT
+
+# See [Service documentation](./doc)
+
+# Install ansible
+```shell
+./install
+```
+Put [ssh_config](./ssh.cfg) in your `~/.ssh/config` or specify local one each time
+Put `./roles/common/files/known_hosts` in your `~/.ssh/known_hosts`
+
+# Run ansible
+```shell
+./ansible-playbook -i hosts/production site.yml --ssh-extra-args "-F ./ssh.cfg"
+```
+
+# Run ansible for specific server and role
+```shell
+./ansible-playbook -i hosts/production site.yml --ssh-extra-args "-F ./ssh.cfg" --limit sputnik --tags openssh
+```

doc/ariane.md

@@ -88,20 +88,22 @@ zfs create -o canmount=off -o setuid=off -o exec=off ssd/var
 zfs create -o com.sun:auto-snapshot=false -o mountpoint=/var/lib/nfs ssd/var/nfs
 zfs create -o com.sun:auto-snapshot=false -o exec=on ssd/var/cache
 zfs create ssd/var/log
-zfs create -o exec=on ssd/var/lxc
+zfs create -o setuid=on -o exec=on ssd/var/lxc
 mv /var/cache/* /ssd/var/cache/
 zfs set mountpoint=/var/cache/ ssd/var/cache
 mv /var/log/* /ssd/var/log/
 zfs set mountpoint=/var/log ssd/var/log
 mv /var/lib/lxc/* /ssd/var/lxc/
 zfs set mountpoint=/var/lib/lxc ssd/var/lxc
-zfs create -o com.sun:auto-snapshot=false zv1/sojus
+zfs create -o com.sun:auto-snapshot=false zv1/laika
 zfs create -o com.sun:auto-snapshot=false zv1/daten/Scans
+zfs create -o setuid=off -o zv1/zyklon
+chown 997:996 /zv1/zyklon
 ```
 ### Set dataset quota
 ```shell
 zfs set quota=1T zv1/homes zv1/daten zv1/fotos
-zfs set quota=3T zv1/sojus
+zfs set quota=3T zv1/laika
 zfs set quota=5G zv1/daten/Scans
 ```
 ### If intend using ACL someday

doc/fsdrnas.yml

@@ -0,0 +1,20 @@
+# fsdrnas
+## Enable SSH and prohibit-password
+```shell
+xbps-install -Su
+vim /etc/ssh/sshd_config
+ln -s /etc/sv/sshd/ /var/service/
+```
+# Create RAID
+```shell
+xbps-install mdadm
+mdadm --create --verbose /dev/md0 --level=1 --raid-devices=2 /dev/sda2 /dev/sdb2
+mkfs.btrfs -f /dev/md0
+cat /proc/mdstat
+```
+## Check disks
+```shell
+xbps-install smartmontools
+smartctl -a /dev/sda
+smartctl -a /dev/sdb
+```

doc/gitea.md

@@ -3,7 +3,8 @@
 ## Setup using installer, create user root
 
 ```shell
-INSTALL_LOCK to false
+vim /etc/gitea.conf # INSTALL_LOCK to false
+sv restart gitea
 ```
 
 ## Gitea LDAP Authentication settings
@@ -21,3 +22,16 @@ INSTALL_LOCK to false
 - Email attribute: `mail`
 
 No Bind-DN and password needed!
+
+## Create backup dump to file
+
+```shell
+cd /var/lib/gitea/
+sudo -u _gitea gitea dump -c /etc/gitea.conf
+```
+
+## Reset root password
+```shell
+cd /var/lib/gitea/
+sudo -u _gitea gitea admin change-password --config /etc/gitea.conf -u root -p pw
+```

doc/laika.md

@@ -1,4 +1,4 @@
-# sojus
+# laika
 
 ## test if backups work
 ```shell
@@ -10,7 +10,7 @@ borg check -v <repo>/system
 ## test if backups work from remote
 ```shell
 /etc/borg/system_create_<pool>.sh
-cat /var/log/borg/system_create_sojus.lastlog
+cat /var/log/borg/system_create_laika.lastlog
 ```
 
 ## retrieve files from backup
@@ -30,7 +30,7 @@ zpool import
 zpool import lab
 zfs create -o com.sun:auto-snapshot=false lab/backup
 borg init -e none /lab/backup/ariane.fet.htu.tuwien.ac.at
-./borg create --show-rc --verbose --stats backup@sojus:system::ariane-{now} /zv1/daten /zv1/fotos /zv1/homes
+./borg create --show-rc --verbose --stats backup@laika:system::ariane-{now} /zv1/daten /zv1/fotos /zv1/homes
 zpool export lab
 cryptsetup luksClose ata-<ID>-part1
 sync

doc/progress.md

@@ -0,0 +1,6 @@
+# Check if share works
+
+```shell
+smbclient -L //localhost -U dell
+smbclient //localhost/scans -U dell
+```

group_vars/all

@@ -17,7 +17,7 @@ common_aliases:
 common_hostname: True
 
 common_rsyslog: True
-common_openssh_permit_root_login: "yes"
+common_openssh_permit_root_login: "prohibit-password"
 
 common_ntp_servers:
   - tutimea.tuwien.ac.at
@@ -44,8 +44,9 @@ common_vim_default: False
 common_openssh_keys_root:
   - key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCzkK6ENya4mKcoG9iuMaodMpifeCgZK56zVF1zxyZhLtUyBx//qsLCXEdBNiGJY57Yp4l0PJKk9B4hpCFKuz6H622l84SOHzXhmFQUXWe/L6x4kRfQJvhBCNMi9brfR0n6AwX59RNRsbUeUjb7RuhCrzpbW0iWYjv/H9rjeyfY5Ne9dUUeBQDcsM1O7XfZJWwA5nxEGjbDB7l4/K43DoqaqzHOEOoETmHGfugO7A5QwhRmblu90pLD4+DOPv/4LGBRNpS8FyRzYrEJm7yUyF7nDzR+0xlLCapU4pKhmIFfSv4afsuBFvLb6Rgln5wUt2KIPh/qnqSP9jZGovYOadC0yb70dec7nnfwXTmqwzdwXtBlo3UzbPwt0iJG9fhYCw83Bkt/GpOsIW2fcxZhJ8CUeBw3Ox71lkeozb49oRMeHzUpYckrFt1FGxUWuHHykCrOXcxso0MRfKjl9RPUc+O5oQDG1KAoTd9doB3jygVr68wYVc/4kTTsXUlMIBMOUiek8XygQ7sV6Et6FpzvLvdf/iL1FMXAluRgUWJvKqe4IBPyWu2KyDF+2ZDMse3WhQYlYgNRqGCwfxOJGWtkvVO0L4YGJrLXKhY4yw2H+pQOHaugfGO8IYPV/vbPi+dB9OV89Zonu2iVjjDFFXI0xE7WSXCV3RQyed26Bq9BBO9DDQ== damadmai@fet.at"
   - key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmv/aixvhRzeQiD3XABD448WHW2sHSX5wj5TkqKmHG3MekovCjacEDwAEdH+3MzXzbQXCD8NOHxlvRsqfzsaIZw6al+i7hd7xeYzRAITeXAod/eQNJY71Czh1xt/rtfjgVrwFKe6kUo+RqUUBxOXjKNtCROxvsa/gxTSJD4xz/TGOTM7EbRfkOGBh3j/xmdBinURTACwKwHCR4SUnpAA7usY/QQGW22Nqczvj9SW1Un0TnYpMm7jAghGo7pvwInTerbbA2OQ07QEp9T/mAbPUks5QGEw1lwMZgEtl0EZrKxDoWjssGPw5ZA6RzwIggjuEN1zzE+pn9jWL+9sd2Tihr pet@fet.at"
-  - key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDEer+2Q3/bSJv2SpaGo8tjkQdSw/Kqoyy3XZ2RrtEqwzGozfvjyrZ0jd2Vy6LJ37o3n34brfVOvzeBaiSzc+5ciNgRVohaMydM6ADSGvZ9S2BGod1KonKfTbultWA1+BzJAjn7ZTjLlPJmceITYlh5uAnHrWQgZNPipMHLbKnSMUUd7AbkBy/nhg/ad5dO6e9TOXmEY+cNMCcA20R1i/O9nA1LIgXfnx1WKtW40gOf5YioHnhOMo8rNP5WlzZ1Lf5SiMJgxeT0covc3pq+hAHa+Y6KKdeO5oQ36RMi5FJUk2txQHGQtAjLMg0dv+bJgepIakM5wxekk9oY0J8inZOMh0mRH86KMH3SDwXt2xPomXfkGKeHVkM5VO6qfv8CzX/FjMoTTFGVaKDEPngbA8BIrPD7++gicdcnkmYOJLXgBDuJhhpis/Yp8F+F1tMBDT9LRLNvM18BXpekoFJNwTWJOAR8gktsiYP3VMt6oN1Y5lStvzv6MkhaEa0WGqjQoOJsQuI1roVHwlQhyWM/igCeO0Egb7qz/qPJHRRCgNfVjDO/rtFK09EjmG1bQrgOP7dJv0E+3scxilnoIED6ocCpKNVpc/okehgHwC+QdIpWrn5fPrXJt/hifguCn7KziWfQne8eIxaQOWBaZLdcY7HmgtQmOi3KRlKy+ORXtj/+MQ== hans@fet.at"
+  - key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCyK21mF11p4DAWSL2x7sAs9brbuRYgbdlEm/npOT1ufV6YGnNGjgrIS+a5VxiyKXhor8TUgTHjlmzcLSdEs3puBB2nZifwIEnbEwxvj5LRIljPp9rx9irPG6wnkpMXmRRuyAijf+Lhf1jMtsSgCH9HVG2F6H5hwFwaXcwiInn8tiKaDyuxl1Y9kNDUayTmbWfu2hyyRTDRvpgG4PITuUpXuA5/lHv9+kEXKl71BlyFsJ2LQx+1Lwruy6cQmfttApsrbowlbdtaJOWwnoFGNKupBpFgcGGqNTUajPGx3R1QREm+44NzPH9vGdYTg/+8vDCcTYe3zX0/XecB+Ka4WI2B3c4NPsxtZJNPWzihCVW8xpV4ipHqqFnZuVThJYtoC5C8h3LKbpQeaBwMIv34sN/AS7y3l8k7/70ttcvH4AmoEjc4OgXOE8nkwly2XZx1ndfevBdUU5osf6UTsCa3gdB/d67djz7jU50q/LtiSsL3oontw5khBR98iZAu4m7MXC7VvbyFz0Ju4OLmDBY6mxwBjakihEdfrs8jwnzxsZ3QuVIq96HC/E8gWpspECzGeXwezwTvT1tUefD7rwz9jD18qLMK8SSteDUqhXION/6gXhZ8FENUnBI2Qj6gHcwFc2tbfKMbXDqHAUHrtDdxgyxRc7JTnOI/9gS5idKXzsanhw== bajo@fet.at"
-  - key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDZAVxkHZYqjgCBcfHy0yggdVALZKoQbJP1TJAEYgLIAWFQ0ZPMGDaidOQiTzFTE0i35MUlQB6Rc+pTYnW/+h9rzktWbU/8RNirQve2XR5TWiRIUa13p31Xgjyw05O0uF3LEL/SmZruMHy25ncDXGF+xC2VllIttC+fLHJWLXIbWVujHdOA69fBqOonQrcPTsg1l4QQv6ZAxwVgCsbeOccZkdpoT0BJk03nflW+SGsKthTYX2VMGJlc/4QjArfZ2hTykr0I/lSA6E9FkFSLl65ejovGxCp1oXn484DlyajoXqJY7IOD86izXqkQSq4w4bLKEdrfQOnfGKe1XmxzFdk92SNEW41RXokNQ16xOBZzO1ZHkXd6hx0Pj6aBvUbs3PlCn4q764LKIcjSk7ADgeC5OBA4xgRxyZt9vuP93o7jl3vvqLWevsFa0j8orxC0D3cO5SMPbowW9LqrtqHynC0WltrtLT5+Q2tBSavP615NOu+bfcakgiWN8otv41ST+2hWka8qNptOxTRj/h7+MMOyi9bh1vjgB1KkOZYotJtFdXKFiYz+buIKwguWZWEni9uTRMiEsu84x8aJwdptPO0UIgZGroyUZJcWlUkwrkdE5T4cg9zP14M6zmogAYEI7oRX56FyspRVlA7J6VF/mcZ1z6ufH+97cle613gPKUVkpw== andis@fet.at"
+  - key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDGP2Y1fDTbN/fbWBCVYVpXUDyBRgUYo+OwDJq2gdII6O2YHeW7k6wY5wQEIIJR6sjHUrT7lNIx8/xv3SRlaq5w0KLZrI3fpiK07GMy0AxGIBCN1xhKb6fvlgLTTSl+/X2XhsmuxtUREENnq9M909kUuUb/8BiVV4sGSIURk4khN3oh/E7mL/sICDju1N2j+p/V0pn4kWuXRp8BMG73xIBvOMzjP/B7Y0SdLWI08bgQHi/OYLBDSHj17N4B/ZE4f5OqpZI7RqwC+TxkCJey04IMw+AXitm6q25zffGI9Mt+4lrBi/RMlEOjE7bQU4p9ZyZY2OIDNRPSr3nDBqA6g3a/v0C7cpdIYPf3khyNtV61x/irRBcOjsc44g0umaUgrmity5f/ZLyvD/zd+HSF0ft1m3AAp6z9w7bxAWs7m894HWZPJ0l39SRGVF2uiOJhbZEXG1lmCWss+do0jfy+U4hb6vC7LTKUBp6or5PF9tHDsNe3CxOmiRPt5GQmr/AA/FQRBC1BC+PO8INltKO4Np15DZ2v7Y2+nlcI++F2ef/IgJmAEfl5Y7d8N/wT5IyfBYy5+PuqLqCOOFBc/sOb2OJvsR0syX5SJM5roznrQ071G2BpxPWaPIgfABKJ8T0M/R+mdIGxlttD3z6S2LRNLoeNOKF1vIEYkxIErpRBavuvXQ== andis@fet.at"
-  - key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKrEdkD1Oecw++r77MVrga1e20FA+e/O37rhMc0etS5MvlbsAHd6Ftx2SIXVtwDnHDzyUAOJb8WlYPdG5r/QJYtXgVMGZrZ31UFdlAZq3K8ytczKkcMgnEEOWYSSyQRJlEW5LkZ9tD0hv1myIg5iw6Vpuqe6YFSkdDHtGxf0lnLAfi1XKwu7b7tARJz7teOAjaFzXumvsZlFx9BdufMW32uu7BSYWjSGcrEzMyyB/5C3kU/d5Q1ZTNK6tceopFr/K1lKBzvj85safD5BH8NpjvLe1QkzHu+C0AVxYNtqGHI5oWJbcR+UOwelBeEM/On+/Xq0ZIVmiLmFx03Qun8t1n berni@fet.at"
+  - key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDGy7lvScEwrJ7/PiykH1b2+K7WQH2WovdUMV/1n7y90kwm2sMERJN9R9mSQIGdF325MPWREAv+cEPIvyRAgER9CuiLF9fWFPas8tKumtu4rPyGim0jR30nn4ARSe5GEn+R8lgdJ9nKiBF0D5kFCeUoxkSu4mF9hqHL4JtmU7IfcD05VLTLNivInKAh6OuN2iF6D9BfWS1TkB7LCYjpKPJ94srh86EM5uV5WjPLnERZkBixk0Bi7mVq8qXWZCrMP4o7wwCCeEnbTKUq9zy629fu28O9t7N5J23g0SdH+3Y+WfYjp4CAtFWULdAHwjNp8ql0IbBzY7Q6Pf0+rOKaM7d3HvnV7Ihv8+hEHVtxC/PiCaIQJKpVpi5qhf8mMHMkPmdJZ9a3zmdUvVQVCrCMqXjn6fx0/4s1aogkujXnN5yZP4KfPkiEc0+FtY7j0P4dOZ/Uc6INkxSXphnjDoAi5M8dbH3Gn7prS+jZpSX/S4q7HDxnEZDvhD9gu0v3eaVmjVaVZEiuPgtKiTvXK/kJzIu7RdgHSqTx2kN9rR61oTVu2fcDr1N94axQTqjuey27ixytOMYVP3ZsCNFi+M4Y8ExYGgpDl34ne8IN6JHtCsIiUSPVteLppjOr4C2IkXBuqnHymfzt0Il2RKLnnbJvgxVgzEyqnAMTKuKjv2DWWK7H4w== berni@fet.at"
+  - key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC97hn9b7HPGpD2iQTelwxn/xLuvc2ZmOKoczpYequTYYNBf2SGBWTj75rIk7En+6J7cwRd+UDzI1MU09+TPY+e9PenzxCed9cvdhrjkigqBs9Gwz1rTE8Sgl2m9XtIqzg4Pu2ZTyTFB2ZOrF/3BEJ6UBycmnUaxOuoCoxMflEk/Xc14ZXnjAw2M5IZzgZBPYeHtn032noBlglXtgfXQy5dZy2DvbfuEPlc2x/m/zz/QFiWyFHn05FNpvz8grifz+7VIuWvXS0H7uWFFq2Zwjf3yfr8EZo3/bX/fseW5lpkWwYYKjeIXGkwZOnfCFqbbopB+vqhhISwTCQM3ObpY3VlEKyIpKM+0pzfDdQhv3ze4NPLf4wl4fHKvUEdOvpYBkn54s3inft6AzwRw1PRzIiBZbCHM2Lj1/m0s0LB979MvDkkG9wyAWqrRfVRZHO8D/9xfPyDJsNiSpO0R4rpfTV21BRowxBfEjGDsxf+MtzGHSpt6G0MUbg4LOPXmJKecfxK46hFMCDGotQHNf3ZUF2hMpee8dbNhj7Ao0fuf+hYmGrYBdA9SB8XJJLoAjiA0yQpreQD+jTd4pjfofKr5FHZnEBRY0etl6oc4wALfhSDSqd81lBGTEfJx4++6Vm7fI1aQ7UAfqLeT126rXqG9aN20MZ10sEU4isJFgm5741w2w== moses@fet.at"
   - key: 'no-pty,no-agent-forwarding,no-X11-forwarding,command="zfs_mount.sh shutdown || shutdown -h +1" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCiI41+XkobMT0K8ZrHdCeomdGAIRMZbdX1VjGe5OWa72rcaDFmBtK7MxD5xPZEdSaDkn+Nrpwv5/j10MccvkAOI/tx6PIxcgDF52FnHLMMVrXRM3cnkm9CrBi4kCN0D2fpbDLhknJhiqftIcPdct/a9foZQwkWOzGUN2Rk0mCw2QzkGyWHNxOMzMjV0gpfAWPv6Jg+JKDl5EHf2xJTeJ/l0TG6O0lsc5YY/7cqjRJJzTVFDo1Gy+qNgff0mbPrhcbWepG5R1tjkdT++f8uuoVkBUamwkjwDpH2y57sdESEPB0C5ES2cglOp2X3MMN7EnUBHYU3mMiYU0wV+b7Q3oKmQuG86a2D+yEp+0+WFaUY/TMCNpslGOtTBrNLshMIX/bnrx/aF9DApl9L/kUIlSxwwBNiPIl4VVU1p5Zzj/YAPvRl0kAKjosOZgl108JeRUbhQSGVrcODyhaIMQv4BAzHnV0kii7jNACHhqBR36eo3N6HX7GkbnU1YadZRcrxrpE9z9mrXuqWxzl4Cmz1yHb1JTwsnQQ2Dy0trIklQjEmLxvG8zpxHLV3EQmtIMK/g2Mk6VTdz9HZnwYLU7Mj/uZk0DWhTZ5Eyj6QAbcw2gLPLEUmdQhkHSoQKxHY0at3OjGFGydyc/3n7B7d578uxVBrp04uhTbW7SDi6mYGCkvCRQ== nut ups shutdown'
     state: present

group_vars/backup

@@ -1,7 +0,0 @@
-backup:
-  repositories:
-  - path: "/srv/rep1"
-    name: "Repository1"
-  - path: "/srv/rep2"
-    name: "Repository2"
-    

host_vars/ariane

@@ -5,26 +5,33 @@ inventory_hostname_short: ariane
 common_interfaces: True
 common_interfaces_file: interfaces_ariane.j2
 common_iptables_v4: "iptables_ariane_v4.j2"
-common_iptables_v6: "iptables_ariane_v6.j2"
 
 lxc:
   containers:
-  - name: laika
+  - name: sputnik
     revision: "01"
-    template: debian
+    template: voidlinux
     config:
       - lxc.network.type = veth
-      - lxc.network.hwaddr = 1c:bd:b9:7f:fe:a4
+      - lxc.network.hwaddr = 2e:6d:b6:07:13:01
-      - lxc.network.link = br0
+      - lxc.network.link = br1
       - lxc.network.flags = up
 
+      - lxc.network.1.type = veth
+      - lxc.network.1.hwaddr = 00:50:fc:ce:1b:c3
+      - lxc.network.1.link = br0
+      - lxc.network.1.flags = up
+      - lxc.network.1.ipv4 = 128.131.95.206/24
+      - lxc.network.1.ipv4.gateway = 128.131.95.1
+      - lxc.pts = 6
+
   - name: betam
     revision: "01"
     template: debian
     config:
       - lxc.network.type = veth
       - lxc.network.hwaddr = 2e:6d:b6:07:14:01
-      - lxc.network.link = br0
+      - lxc.network.link = br1
       - lxc.network.flags = up
       - lxc.cgroup.devices.allow = c 188:0 rwm
 
@@ -34,9 +41,10 @@ lxc:
     config:
       - lxc.network.type = veth
       - lxc.network.hwaddr = 2e:6d:b6:07:15:01
-      - lxc.network.link = br0
+      - lxc.network.link = br1
       - lxc.network.flags = up
       - lxc.pts = 6
+      - lxc.mount.entry = /zv1/zyklon /var/lib/lxc/lxc-zyklon-01/rootfs/var/lib/gitea/ none bind,create=dir 0 0
 
   - name: progress
     revision: "01"
@@ -44,21 +52,29 @@ lxc:
     config:
       - lxc.network.type = veth
       - lxc.network.hwaddr = 2e:6d:b6:07:19:01
-      - lxc.network.link = br0
+      - lxc.network.link = br1
       - lxc.network.flags = up
       - lxc.pts = 6
       - lxc.mount.entry = /zv1/daten/Scans /var/lib/lxc/lxc-progress-01/rootfs/mnt/scans none bind,create=dir 0 0
 
-  - name: sojus
+  - name: laika
     revision: "01"
     template: voidlinux
     config:
       - lxc.network.type = veth
       - lxc.network.hwaddr = 2e:6d:b6:07:17:01
-      - lxc.network.link = br0
+      - lxc.network.link = br1
       - lxc.network.flags = up
+
+      - lxc.network.1.type = veth
+      - lxc.network.1.hwaddr = 00:15:c5:5d:78:0e
+      - lxc.network.1.link = br0
+      - lxc.network.1.flags = up
+      - lxc.network.1.ipv4 = 128.131.95.204/24
+      - lxc.network.1.ipv4.gateway = 128.131.95.1
+
       - lxc.pts = 6
-      - lxc.mount.entry = /zv1/sojus /var/lib/lxc/lxc-sojus-01/rootfs/home/backup/repos none bind,create=dir 0 0
+      - lxc.mount.entry = /zv1/laika /var/lib/lxc/lxc-laika-01/rootfs/home/backup/repos none bind,create=dir 0 0
 
   - name: proteus
     revision: "01"
@@ -66,10 +82,29 @@ lxc:
     config:
       - lxc.network.type = veth
       - lxc.network.hwaddr = 2e:6d:b6:07:16:01
-      - lxc.network.link = br0
+      - lxc.network.link = br1
+      - lxc.network.flags = up
+
+  - name: juri
+    revision: "01"
+    template: debian
+    config:
+      - lxc.network.type = veth
+      - lxc.network.hwaddr = 2e:6d:b6:07:20:01
+      - lxc.network.link = br1
+      - lxc.network.flags = up
+
+  - name: fetsite
+    revision: "01"
+    template: debian
+    config:
+      - lxc.network.type = veth
+      - lxc.network.hwaddr = 2e:6d:b6:07:10:01
+      - lxc.network.link = br1
       - lxc.network.flags = up
 
 common_zfs: True
+
 common_snapper: False
 
 borgbackup_install_from_repo: False

host_vars/baroness

@@ -7,7 +7,7 @@ borgbackup_binary_uri: "https://borg.bauerj.eu/borg-{{ borgbackup_binary_version
 
 borgbackup_encryption_mode: "none"
 
-borgbackup_client_backup_server: sojus
+borgbackup_client_backup_server: laika
 
 borgbackup_create_jobs:
   - name: system

host_vars/buran

@@ -6,7 +6,7 @@ borgbackup_binary_platform: "borg-linux32"
 
 borgbackup_encryption_mode: "none"
 
-borgbackup_client_backup_server: sojus
+borgbackup_client_backup_server: laika
 
 borgbackup_create_jobs:
   - name: system

host_vars/fsdr

@@ -0,0 +1,47 @@
+inventory_hostname: fsdr.htu.tuwien.ac.at
+inventory_hostname_short: fsdr
+
+borgbackup_install_from_repo: False
+
+borgbackup_encryption_mode: "none"
+
+borgbackup_client_backup_server: fsdrnas
+
+borgbackup_create_jobs:
+  - name: system
+    options: "--lock-wait 7200"
+    day: "*"
+    hour: 0                                                     # default value = 1
+    minute: 0                                                   # default value = 0
+    random_hour: 5                                              # default value : ignore randomization
+    random_minute: 59                                           # default value : ignore randomization
+    directories:
+      - "/srv"
+      - "/etc"
+      - "/home"
+      - "/root"
+      - "/var/lib/mailman"
+      - "/var/www"
+      - "/var/lib/automysqlbackup/daily/"
+    excludes: []
+
+borgbackup_prune_enabled: yes
+borgbackup_prune_jobs:
+  - name: system
+    prune_options: "--lock-wait 7200 --keep-daily=7 --keep-weekly=4 --keep-monthly=12 --keep-yearly=-1"
+    day: "*"
+    hour: 12                                                     # default value = 1
+    minute: 0                                                    # default value = 0
+    random_hour: 5                                               # default value : ignore randomization
+    random_minute: 59                                            # default value : ignore randomization
+
+borgbackup_check_enabled: yes
+borgbackup_check_jobs:
+  - name: system
+    check_options: "--lock-wait 28800"
+    day: 1
+    hour: 12                                                     # default value = 1
+    minute: 0                                                    # default value = 0
+    random_hour: 5                                               # default value : ignore randomization
+    random_minute: 59                                            # default value : ignore randomization
+    random_day: 27                                               # default value : ignore randomization

host_vars/fsdrnas

@@ -0,0 +1,13 @@
+inventory_hostname: fsdrnas.htu.tuwien.ac.at
+inventory_hostname_short: fsdrnas
+
+common_openssh_keys_root:
+  - key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCzkK6ENya4mKcoG9iuMaodMpifeCgZK56zVF1zxyZhLtUyBx//qsLCXEdBNiGJY57Yp4l0PJKk9B4hpCFKuz6H622l84SOHzXhmFQUXWe/L6x4kRfQJvhBCNMi9brfR0n6AwX59RNRsbUeUjb7RuhCrzpbW0iWYjv/H9rjeyfY5Ne9dUUeBQDcsM1O7XfZJWwA5nxEGjbDB7l4/K43DoqaqzHOEOoETmHGfugO7A5QwhRmblu90pLD4+DOPv/4LGBRNpS8FyRzYrEJm7yUyF7nDzR+0xlLCapU4pKhmIFfSv4afsuBFvLb6Rgln5wUt2KIPh/qnqSP9jZGovYOadC0yb70dec7nnfwXTmqwzdwXtBlo3UzbPwt0iJG9fhYCw83Bkt/GpOsIW2fcxZhJ8CUeBw3Ox71lkeozb49oRMeHzUpYckrFt1FGxUWuHHykCrOXcxso0MRfKjl9RPUc+O5oQDG1KAoTd9doB3jygVr68wYVc/4kTTsXUlMIBMOUiek8XygQ7sV6Et6FpzvLvdf/iL1FMXAluRgUWJvKqe4IBPyWu2KyDF+2ZDMse3WhQYlYgNRqGCwfxOJGWtkvVO0L4YGJrLXKhY4yw2H+pQOHaugfGO8IYPV/vbPi+dB9OV89Zonu2iVjjDFFXI0xE7WSXCV3RQyed26Bq9BBO9DDQ== damadmai@fet.at"
+  - key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCyK21mF11p4DAWSL2x7sAs9brbuRYgbdlEm/npOT1ufV6YGnNGjgrIS+a5VxiyKXhor8TUgTHjlmzcLSdEs3puBB2nZifwIEnbEwxvj5LRIljPp9rx9irPG6wnkpMXmRRuyAijf+Lhf1jMtsSgCH9HVG2F6H5hwFwaXcwiInn8tiKaDyuxl1Y9kNDUayTmbWfu2hyyRTDRvpgG4PITuUpXuA5/lHv9+kEXKl71BlyFsJ2LQx+1Lwruy6cQmfttApsrbowlbdtaJOWwnoFGNKupBpFgcGGqNTUajPGx3R1QREm+44NzPH9vGdYTg/+8vDCcTYe3zX0/XecB+Ka4WI2B3c4NPsxtZJNPWzihCVW8xpV4ipHqqFnZuVThJYtoC5C8h3LKbpQeaBwMIv34sN/AS7y3l8k7/70ttcvH4AmoEjc4OgXOE8nkwly2XZx1ndfevBdUU5osf6UTsCa3gdB/d67djz7jU50q/LtiSsL3oontw5khBR98iZAu4m7MXC7VvbyFz0Ju4OLmDBY6mxwBjakihEdfrs8jwnzxsZ3QuVIq96HC/E8gWpspECzGeXwezwTvT1tUefD7rwz9jD18qLMK8SSteDUqhXION/6gXhZ8FENUnBI2Qj6gHcwFc2tbfKMbXDqHAUHrtDdxgyxRc7JTnOI/9gS5idKXzsanhw== bajo@fet.at"
+
+common_resolvconf: False
+
+borgbackup_install_from_repo: True
+borgbackup_binary: "/usr/bin/borg"
+
+borgbackup_encryption_mode: "none"

host_vars/laika

@@ -1,2 +1,7 @@
 inventory_hostname: laika.fet.htu.tuwien.ac.at
 inventory_hostname_short: laika
+
+borgbackup_install_from_repo: True
+borgbackup_binary: "/usr/bin/borg"
+
+borgbackup_encryption_mode: "none"

host_vars/maria-storage

@@ -5,7 +5,7 @@ borgbackup_install_from_repo: False
 
 borgbackup_encryption_mode: "none"
 
-borgbackup_client_backup_server: sojus
+borgbackup_client_backup_server: laika
 
 borgbackup_create_jobs:
   - name: system

host_vars/nauka

@@ -5,7 +5,7 @@ borgbackup_install_from_repo: False
 
 borgbackup_encryption_mode: "none"
 
-borgbackup_client_backup_server: sojus
+borgbackup_client_backup_server: laika
 
 borgbackup_create_jobs:
   - name: system

host_vars/progress

@@ -2,5 +2,4 @@ inventory_hostname: progress.fet.htu.tuwien.ac.at
 inventory_hostname_short: progress
 
 common_iptables_v4: "iptables_progress_v4.j2"
-common_iptables_v6: "iptables_progress_v6.j2"
 printer_ip: dell3465

host_vars/proteus

@@ -1,2 +1,4 @@
 inventory_hostname: proteus.fet.htu.tuwien.ac.at
 inventory_hostname_short: proteus
+
+common_iptables_v4: "iptables_proteus_v4.j2"

host_vars/ruby

@@ -0,0 +1,42 @@
+inventory_hostname: ruby.fet.htu.tuwien.ac.at
+inventory_hostname_short: ruby
+
+borgbackup_install_from_repo: False
+
+borgbackup_encryption_mode: "none"
+
+borgbackup_client_backup_server: laika
+
+borgbackup_create_jobs:
+  - name: system
+    options: "--lock-wait 7200"
+    day: "*"
+    hour: 0                                                     # default value = 1
+    minute: 0                                                   # default value = 0
+    random_hour: 5                                              # default value : ignore randomization
+    random_minute: 59                                           # default value : ignore randomization
+    directories:
+      - "/var/lib/mysql"
+      - "/srv"
+    excludes: []
+
+borgbackup_prune_enabled: yes
+borgbackup_prune_jobs:
+  - name: system
+    prune_options: "--lock-wait 7200 --keep-daily=7 --keep-weekly=4 --keep-monthly=12 --keep-yearly=-1"
+    day: "*"
+    hour: 12                                                     # default value = 1
+    minute: 0                                                    # default value = 0
+    random_hour: 5                                               # default value : ignore randomization
+    random_minute: 59                                            # default value : ignore randomization
+
+borgbackup_check_enabled: yes
+borgbackup_check_jobs:
+  - name: system
+    check_options: "--lock-wait 28800"
+    day: 1
+    hour: 12                                                     # default value = 1
+    minute: 0                                                    # default value = 0
+    random_hour: 5                                               # default value : ignore randomization
+    random_minute: 59                                            # default value : ignore randomization
+    random_day: 27                                               # default value : ignore randomization

host_vars/sojus

@@ -1,7 +0,0 @@
-inventory_hostname: sojus.fet.htu.tuwien.ac.at
-inventory_hostname_short: sojus
-
-borgbackup_install_from_repo: True
-borgbackup_binary: "/usr/bin/borg"
-
-borgbackup_encryption_mode: "none"

host_vars/sputnik

@@ -0,0 +1,4 @@
+inventory_hostname: sputnik.fet.htu.tuwien.ac.at
+inventory_hostname_short: sputnik
+
+common_openssh_password_authentication: "yes"

host_vars/zyklon

@@ -1,2 +1,4 @@
 inventory_hostname: zyklon.fet.htu.tuwien.ac.at
 inventory_hostname_short: zyklon
+
+common_iptables_v4: "iptables_zyklon_v4.j2"

hosts/production

@@ -6,20 +6,23 @@ all:
         fetlab:
     fet_lxc_debian:
       hosts:
-        lxc-pet-01:
-        laika:
         betam:
         proteus:
+        juri:
     fet_lxc_void:
       hosts:
+        sputnik:
         zyklon:
-        sojus:
+        laika:
         progress:
+        fsdrnas:
     fet_qemu:
       hosts:
         maria-storage:
         buran:
         nauka:
+        ruby:
+        fsdr:
     fet_pi:
       hosts:
         baroness:

hosts/production_pet

@@ -1,2 +0,0 @@
-[fet_container]
-lxc-pet-01

hosts/test_andi

@@ -1,3 +0,0 @@
-[ruby]
-#test01
-test03	

roles/ariane/files/lxc-voidlinux

@@ -60,7 +60,7 @@ userns_config="/usr/share/lxc/config/voidlinux.userns.conf"
 
 pkg_blacklist=("linux>=0" "e2fsprogs>=0" "btrfs-progs>=0" "xfsprogs>=0" "f2fs-tools>=0" "dosfstools>=0")
 base_packages=()
-for pkg in $(xbps-query -Mv --repository="http://repo2.voidlinux.eu/current/" -x base-system); do
+for pkg in $(xbps-query -Mv --repository="https://alpha.de.repo.voidlinux.org/current/" -x base-system); do
     containsElement "$pkg" "${pkg_blacklist[@]}" || base_packages+=($pkg)
 done
 declare -a additional_packages
@@ -87,7 +87,7 @@ copy_configuration() {
 }
 
 install_void() {
-    if ! yes | xbps-install -Sy -R http://repo2.voidlinux.eu/current -r "${rootfs_path}" "${base_packages[@]}"
+    if ! yes | xbps-install -Sy -R https://alpha.de.repo.voidlinux.org/current -r "${rootfs_path}" "${base_packages[@]}"
     then
         echo "Failed to install container packages"
         return 1

roles/ariane/files/lxc_default.conf

@@ -1 +0,0 @@
-lxc.aa_profile = unconfined

roles/ariane/tasks/lxc_void.yml

@@ -1,11 +1,11 @@
 ---
 - name: lxc - install xbps build depencies
-  package: name="{{ item }}"
+  package: "name={{ item }}"
   with_items:
   - zlib1g-dev
   - pkg-config
   - libarchive-dev
-  - libssl1.0-dev
+  - libssl-dev
 
 - name: lxc - xbps git
   git:

roles/gitea/tasks/gitea.yml

@@ -5,9 +5,9 @@
   - git-all
   - gitea
 
-- name: gitea - /etc/gitea.conf
-  template: dest=/etc/gitea.conf src=gitea.conf.j2 owner=root group=root mode=0644
-  notify: restart gitea
-
 - name: gitea - git user
   user: name=_gitea shell=/bin/bash
+
+- name: gitea - /etc/gitea.conf
+  template: dest=/etc/gitea.conf src=gitea.conf.j2 owner=_gitea group=root mode=0640
+  notify: restart gitea

roles/ldap/handlers/main.yml

@@ -0,0 +1,3 @@
+---
+ - name: restart nslcd
+   service: name=nslcd enabled=yes state=restarted

roles/ldap/tasks/ldap.yml

@@ -0,0 +1,56 @@
+---
+- name: ldap - install
+  package: name={{ item }}
+  with_items:
+  - nss-pam-ldapd
+
+- name: ldap - /etc/nsswitch.conf
+  template: dest=/etc/nsswitch.conf src=nsswitch.conf.j2 owner=root group=root mode=0644
+
+- name: ldap - /etc/nslcd.conf
+  template: dest=/etc/nslcd.conf src=nslcd.conf.j2 owner=root group=nslcd mode=0640
+  notify: restart nslcd
+
+- name: ldap - start nslcd
+  service: name=nslcd enabled=yes state=started
+
+- name: ldap - PAM
+  pamd:
+    name: "{{ item.name }}"
+    type: "{{ item.type }}"
+    new_type: "{{ item.type }}"
+    control: required
+    new_control: "{{ item.control }}"
+    module_path: pam_unix.so
+    new_module_path: "{{ item.module_path }}"
+    module_arguments: "{{ item.module_arguments }}"
+    state: "{{ item.state }}"
+  with_items:
+  - { name: system-auth, type: auth, control: sufficient, module_path: pam_ldap.so, module_arguments: minimum_uid=1000, state: before }
+  - { name: system-auth, type: account, control: sufficient, module_path: pam_ldap.so, module_arguments: minimum_uid=1000, state: before }
+  - { name: system-auth, type: password, control: sufficient, module_path: pam_ldap.so, module_arguments: minimum_uid=1000, state: before }
+  - { name: system-auth, type: session, control: optional, module_path: pam_ldap.so, module_arguments: minimum_uid=1000, state: after }
+
+- name: ldap - enable passwd change
+  lineinfile:
+    dest: /etc/pam.d/passwd
+    line: "password        sufficient      pam_ldap.so"
+    insertbefore: "^password"
+    firstmatch: yes
+    state: present
+
+- name: ldap - sudoers ensure includedir
+  lineinfile:
+    dest: /etc/sudoers
+    line: "#includedir /etc/sudoers.d"
+    state: present
+    validate: "/usr/sbin/visudo -cf %s"
+
+- name: sudoers - create
+  copy:
+    content: "%admin ALL=(ALL) ALL"
+    dest: "/etc/sudoers.d/admin"
+    mode: 0440
+    owner: root
+    group: root
+    validate: "/usr/sbin/visudo -cf %s"

roles/ldap/tasks/main.yml

@@ -0,0 +1,3 @@
+---
+- import_tasks: ldap.yml
+  tags: [ ldap ]

roles/ldap/templates/nslcd.conf.j2

@@ -0,0 +1,9 @@
+# {{ ansible_managed }}
+
+# See the manual page nslcd.conf(5) for more information.
+
+uid nslcd
+gid nslcd
+
+uri ldap://gagarin.fet.htu.tuwien.ac.at/
+base dc=fet,dc=htu,dc=tuwien,dc=ac,dc=at

roles/ldap/templates/nsswitch.conf.j2

@@ -0,0 +1,17 @@
+# {{ ansible_managed }}
+
+# /etc/nsswitch.conf
+#
+# See nsswitch.conf(5) for information.
+#
+passwd:         files ldap
+group:          files ldap
+shadow:         files ldap
+
+hosts:          files mdns mdns4_minimal mdns4 myhostname dns
+networks:       files
+
+protocols:      files
+services:       files
+ethers:         files
+rpc:            files

roles/nfs/tasks/main.yml

@@ -0,0 +1,3 @@
+---
+- import_tasks: nfs.yml
+  tags: [ nfs ]

roles/nfs/tasks/nfs.yml

@@ -0,0 +1,20 @@
+---
+- name: nfs - install
+  package: name=nfs-utils
+
+- name: nfs - create mountpoints
+  file: "path={{ item }} owner=root group=root mode=0755 state=directory"
+  with_items:
+  - /mnt/save/daten
+  - /mnt/save/fotos
+  failed_when: False
+
+- name: nfs - add mountpoints
+  blockinfile:
+    path: /etc/fstab
+    block: |
+      ariane:/zv1/homes                         /home           nfs     intr,hard,rw,fsc  0       0
+      ariane:/zv1/daten                         /mnt/save/daten nfs     intr,hard,rw,fsc  0       0
+      ariane:/zv1/fotos                         /mnt/save/fotos nfs     intr,hard,rw,fsc  0       0
+    validate: "mount -a -T %s"
+

roles/scans/tasks/samba.yml

@@ -3,6 +3,7 @@
   package: name={{ item }}
   with_items:
   - samba
+  - smbclient
 
 - name: samba - /etc/smb.conf
   template: dest=/etc/samba/smb.conf src=smb.conf.j2 owner=root group=root mode=0644
@@ -18,3 +19,10 @@
 - name: samba - set smbpasswds
   shell: "(echo {{ item['smbpasswd'] }}; echo {{ item['smbpasswd'] }}) | smbpasswd -s -a {{ item['name'] }}"
   with_items: '{{ samba_users }}'
+  changed_when: False
+
+- name: samba - add cronjob for fixing IPv4
+  cron:
+    name: samba reboot restart
+    special_time : reboot
+    job: "sleep 15 && sv restart smbd"

site.yml

@@ -27,6 +27,11 @@
   - borg_client
 #  - rvm1-ansible
 
+- hosts: sputnik
+  roles:
+  - ldap
+  - nfs
+
 - hosts: betam
   roles:
   - ups
@@ -35,7 +40,7 @@
   roles:
   - gitea
 
-- hosts: sojus
+- hosts: laika
   roles:
   - borg_server
 
@@ -61,6 +66,18 @@
   roles:
   - borg_client
 
+- hosts: ruby
+  roles:
+  - borg_client
+
+- hosts: fsdr
+  roles:
+  - borg_client
+
+- hosts: fsdrnas
+  roles:
+  - borg_server
+
 - hosts: progress
   roles:
   - scans

ssh.cfg

@@ -0,0 +1,121 @@
+# FET
+
+Host sputnik
+    Hostname sputnik.htu.tuwien.ac.at
+
+Host kistl
+    ProxyJump sputnik
+
+Host wlan
+    User root
+    ProxyJump sputnik
+
+Host atlas
+    ProxyJump sputnik
+
+Host ariane
+    Hostname ariane.htu.tuwien.ac.at
+    User root
+    ProxyJump sputnik
+
+## virtual on ariane
+Host laika
+    User root
+    ProxyJump ariane
+
+Host betam
+    User root
+    ProxyJump ariane
+
+Host proteus
+    User root
+    ProxyJump ariane
+
+Host zyklon
+    User root
+    ProxyJump ariane
+
+Host sojus
+    User root
+    ProxyJump sputnik
+
+Host progress
+    User root
+    Proxyjump sputnik
+
+Host energija
+    Hostname energija.htu.tuwien.ac.at
+    ProxyJump sputnik
+
+## virtual on energija
+Host nauka
+    User root
+    ProxyJump sputnik
+
+Host buran
+    Hostname buran.htu.tuwien.ac.at
+    User root
+    ProxyJump sputnik
+
+Host backup
+    ProxyJump sputnik
+
+Host gagarin
+    ProxyJump sputnik
+
+Host horde5
+    ProxyJump sputnik
+
+Host triton
+    User root
+    ProxyJump sputnik
+    DynamicForward 127.0.0.1:4444
+
+Host mogok
+    ProxyJump sputnik
+
+Host maria-storage
+    User root
+    ProxyJump sputnik
+
+Host miruk
+    Port 222
+    User root
+    ProxyJump triton
+
+Host cloud
+    ProxyJump sputnik
+
+Host fetruby
+    ProxyJump sputnik
+
+Host fetwiki # triton-2
+    Hostname 192.168.95.12
+    ProxyJump sputnik
+
+Host triton-amp
+    ProxyJump sputnik
+
+Host fet
+    ProxyJump miruk
+
+Host baroness
+    User root
+    Proxyjump sputnik
+
+## Workstations
+Host potemkin
+    ProxyJump sputnik
+
+Host proton
+    ProxyJump sputnik
+
+Host suchoi
+    ProxyJump sputnik
+
+Host lunik
+    ProxyJump sputnik
+
+# FET Ende
+
+EscapeChar ~

templates/interfaces_ariane.j2

@@ -2,16 +2,22 @@
 
 source /etc/network/interfaces.d/*
 
-auto lo
+auto lo br0 br1
 iface lo inet loopback
 
-allow-hotplug enp8s0
+allow-hotplug enp8s0 enp10s0
-iface enp8s0 inet dhcp
 
-auto br0
+iface br0 inet static
-iface br0 inet manual
+    bridge_ports enp10s0
-    bridge_ports enp9s0
     bridge_fd 0
     bridge_maxwait 0
+    address 128.131.95.207
+    netmask 255.255.255.0
+    network 128.131.95.0
+    broadcast 128.131.95.255
+    gateway 128.131.95.1
 
-dns-nameservers 192.168.86.1
+iface br1 inet dhcp
+    bridge_ports enp8s0
+    bridge_fd 0
+    bridge_maxwait 0

templates/iptables_ariane_v4.j2

@@ -4,14 +4,14 @@
 :INPUT DROP [0:0]
 :FORWARD DROP [0:0]
 :OUTPUT ACCEPT [0:0]
--A INPUT -s 192.168.86.0/24 -d 192.168.86.0/24 -p udp -m multiport --dports 10053,111,2049,32769,875,892 -m state --state NEW,ESTABLISHED -j ACCEPT
--A INPUT -s 192.168.86.0/24 -d 192.168.86.0/24 -p tcp -m multiport --dports 10053,111,2049,32803,875,892 -m state --state NEW,ESTABLISHED -j ACCEPT
--A OUTPUT -s 192.168.86.0/24 -d 192.168.86.0/24 -p udp -m multiport --sports 10053,111,2049,32769,875,892 -m state --state ESTABLISHED -j ACCEPT
--A OUTPUT -s 192.168.86.0/24 -d 192.168.86.0/24 -p tcp -m multiport --sports 10053,111,2049,32803,875,892 -m state --state ESTABLISHED -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
 -A INPUT -p icmp -j ACCEPT
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -i lo -j ACCEPT
+-A INPUT -s 192.168.86.0/24 -d 192.168.86.0/24 -p udp -m multiport --dports 10053,111,2049,32769,875,892 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A INPUT -s 192.168.86.0/24 -d 192.168.86.0/24 -p tcp -m multiport --dports 10053,111,2049,32803,875,892 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -s 192.168.86.0/24 -d 192.168.86.0/24 -p udp -m multiport --sports 10053,111,2049,32769,875,892 -m state --state ESTABLISHED -j ACCEPT
+-A OUTPUT -s 192.168.86.0/24 -d 192.168.86.0/24 -p tcp -m multiport --sports 10053,111,2049,32803,875,892 -m state --state ESTABLISHED -j ACCEPT
 -A INPUT -p tcp -j REJECT --reject-with tcp-reset
 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
 -A INPUT -j REJECT --reject-with icmp-proto-unreachable

templates/iptables_ariane_v6.j2

@@ -1,12 +0,0 @@
-# {{ ansible_managed }}
-
-*filter
-:INPUT DROP [0:0]
-:FORWARD DROP [0:0]
-:OUTPUT ACCEPT [0:0]
--A INPUT -p tcp --syn -j DROP
--A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
--A INPUT -p ipv6-icmp -j ACCEPT
--A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
--A INPUT -i lo -j ACCEPT
-COMMIT

templates/iptables_progress_v6.j2

@@ -1,12 +0,0 @@
-# {{ ansible_managed }}
-
-*filter
-:INPUT DROP [0:0]
-:FORWARD DROP [0:0]
-:OUTPUT ACCEPT [0:0]
--A INPUT -p tcp --syn -j DROP
--A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
--A INPUT -p ipv6-icmp -j ACCEPT
--A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
--A INPUT -i lo -j ACCEPT
-COMMIT

templates/iptables_proteus_v4.j2

@@ -0,0 +1,15 @@
+# {{ ansible_managed }}
+
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
+-A INPUT -p tcp -j REJECT --reject-with tcp-reset
+-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
+-A INPUT -j REJECT --reject-with icmp-proto-unreachable
+COMMIT

templates/iptables_zyklon_v4.j2

@@ -0,0 +1,15 @@
+# {{ ansible_managed }}
+
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 3000 -j ACCEPT
+-A INPUT -p tcp -j REJECT --reject-with tcp-reset
+-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
+-A INPUT -j REJECT --reject-with icmp-proto-unreachable
+COMMIT