...
 
Commits (4)
// Unattended-Upgrade::Origins-Pattern controls which packages are
// upgraded.
//
// Lines below have the format format is "keyword=value,...". A
// package will be upgraded only if the values in its metadata match
// all the supplied keywords in a line. (In other words, omitted
// keywords are wild cards.) The keywords originate from the Release
// file, but several aliases are accepted. The accepted keywords are:
// a,archive,suite (eg, "stable")
// c,component (eg, "main", "contrib", "non-free")
// l,label (eg, "Debian", "Debian-Security")
// o,origin (eg, "Debian", "Unofficial Multimedia Packages")
// n,codename (eg, "jessie", "jessie-updates")
// site (eg, "http.debian.net")
// The available values on the system are printed by the command
// "apt-cache policy", and can be debugged by running
// "unattended-upgrades -d" and looking at the log file.
//
// Within lines unattended-upgrades allows 2 macros whose values are
// derived from /etc/debian_version:
// ${distro_id} Installed origin.
// ${distro_codename} Installed codename (eg, "jessie")
Unattended-Upgrade::Origins-Pattern {
// Codename based matching:
// This will follow the migration of a release through different
// archives (e.g. from testing to stable and later oldstable).
// "o=Debian,n=jessie";
// "o=Debian,n=jessie-updates";
// "o=Debian,n=jessie-proposed-updates";
// "o=Debian,n=jessie,l=Debian-Security";
// Archive or Suite based matching:
// Note that this will silently match a different release after
// migration to the specified archive (e.g. testing becomes the
// new stable).
// "o=Debian,a=stable";
// "o=Debian,a=stable-updates";
// "o=Debian,a=proposed-updates";
"origin=Debian,codename=${distro_codename}";
"origin=Debian,codename=${distro_codename}-updates";
"origin=Debian,codename=${distro_codename}-proposed-updates";
"origin=Debian,codename=${distro_codename},label=Debian-Security";
};
// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
// "vim";
// "libc6";
// "libc6-dev";
// "libc6-i686";
};
// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run
// dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "false";
// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGUSR1. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
Unattended-Upgrade::MinimalSteps "true";
// Install all unattended-upgrades when the machine is shuting down
// instead of doing it in the background while the machine is running
// This will (obviously) make shutdown slower
//Unattended-Upgrade::InstallOnShutdown "true";
// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
Unattended-Upgrade::Mail "root";
// Set this value to "true" to get emails only on errors. Default
// is to always send a mail if Unattended-Upgrade::Mail is set
Unattended-Upgrade::MailOnlyOnError "true";
// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
//Unattended-Upgrade::Remove-Unused-Dependencies "false";
// Automatically reboot *WITHOUT CONFIRMATION* if
// the file /var/run/reboot-required is found after the upgrade
Unattended-Upgrade::Automatic-Reboot "false";
// Automatically reboot even if there are users currently logged in.
//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
// Default: "now"
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";
// Enable logging to syslog. Default is False
// Unattended-Upgrade::SyslogEnable "false";
// Specify syslog facility. Default is daemon
// Unattended-Upgrade::SyslogFacility "daemon";
......@@ -22,9 +22,29 @@
name: unattended-upgrades
- name: Configure unattended-upgrades
copy:
src: unattended-upgrades.conf
dest: /etc/apt/apt.conf.d/50unattended-upgrades
lineinfile:
path: '/etc/apt/apt.conf.d/50unattended-upgrades'
line: '{{ item.key }} "{{ item.value }}";'
regexp: '^\s*(//\s*)?{{ item.key | regex_escape() }}\b'
loop:
- key: 'Unattended-Upgrade::MinimalSteps'
value: 'true'
- key: 'Unattended-Upgrade::Mail'
value: 'root'
- key: 'Unattended-Upgrade::MailOnlyOnError'
value: 'true'
- name: Configure unattended-upgrades origins
lineinfile:
path: '/etc/apt/apt.conf.d/50unattended-upgrades'
line: ' "{{ item }}";'
insertafter: 'Unattended-Upgrade::Origins-Pattern\s*{'
regexp: '^\s*(//\s*)?"{{ item | regex_escape() }}";$'
loop:
- 'origin=Debian,codename=${distro_codename}-updates'
- 'origin=Debian,codename=${distro_codename}-proposed-updates'
- 'origin=Debian,codename=${distro_codename},label=Debian'
- 'origin=Debian,codename=${distro_codename},label=Debian-Security'
- name: Configure dpkg run with unattended-upgrades
copy:
......
ipt -A INPUT -i {{ main_bridge }} -p udp --dport 123 -j ACCEPT
ipt6 -A INPUT -i {{ main_bridge }} -p udp --dport 123 -j ACCEPT
ipt -A INPUT -i '{{ main_bridge }}' -p udp --dport 123 -j ACCEPT
ipt6 -A INPUT -i '{{ main_bridge }}' -p udp --dport 123 -j ACCEPT
ipt4 -A INPUT -i {{ main_bridge }} -p udp --dport 67:68 -j ACCEPT
ipt4 -A INPUT -i '{{ main_bridge }}' -p udp --dport 67:68 -j ACCEPT
......@@ -2,7 +2,7 @@
# Copy default route
if [ "$IFACE" = "{{ ansible_default_ipv4.interface }}" ]; then
if [ -z "$(ip -4 route list 0/0 table {{ ffhb_routing_table }} | grep '^default')" ]; then
ip -4 route list 0/0 | xargs ip route add table {{ ffhb_routing_table }}
if ! ip -4 route list 0/0 table '{{ ffhb_routing_table }}' | grep q '^default'; then
ip -4 route list 0/0 | xargs ip route add table '{{ ffhb_routing_table }}'
fi
fi
#! /usr/bin/env sh
# {{ ansible_managed }}
exec /sbin/ip route add default dev "$1" table {{ ffhb_routing_table }}
exec /sbin/ip route add default dev "$1" table '{{ ffhb_routing_table }}'
#! /usr/bin/env bash
# {{ ansible_managed }}
/sbin/ip route add "$trusted_ip" via "$route_net_gateway"
/sbin/ip route add default via "$route_vpn_gateway" dev "$1" table {{ ffhb_routing_table }}
# shellcheck disable=SC2154
{
/sbin/ip route add "$trusted_ip" via "$route_net_gateway"
/sbin/ip route add default via "$route_vpn_gateway" dev "$1" table '{{ ffhb_routing_table }}'
}
ipt6 -A FORWARD -i {{ main_bridge }} -o {{ exit_ipv6_interface }} -j ACCEPT
ipt6 -A FORWARD -o {{ main_bridge }} -i {{ exit_ipv6_interface }} -j ACCEPT
ipt6 -A FORWARD -i {{ main_bridge }} -o {{ main_bridge }} -j ACCEPT
ipt6 -A FORWARD -i '{{ main_bridge }}' -o '{{ exit_ipv6_interface }}' -j ACCEPT
ipt6 -A FORWARD -o '{{ main_bridge }}' -i '{{ exit_ipv6_interface }}' -j ACCEPT
ipt6 -A FORWARD -i '{{ main_bridge }}' -o '{{ main_bridge }}' -j ACCEPT
ipt -A INPUT -p ipv6 -j ACCEPT
ipt6 -A INPUT -p udp --dport {{ fastd_port }} -s 2002::/16 -j REJECT --reject-with icmp6-adm-prohibited
ipt -A INPUT -p udp --dport {{ fastd_port }} -j ACCEPT
ipt6 -A INPUT -p udp --dport '{{ fastd_port }}' -s 2002::/16 -j REJECT --reject-with icmp6-adm-prohibited
ipt -A INPUT -p udp --dport '{{ fastd_port }}' -j ACCEPT
......@@ -47,6 +47,7 @@ ipt6() {
case "$1" in
start|restart)
for rule in "$RULEPATH"/*; do
# shellcheck disable=SC1090
. "$rule"
done
;;
......
ipt -A FORWARD -i {{ icvpn_interface }} -o {{ main_bridge }} -j ACCEPT
ipt -A FORWARD -o {{ icvpn_interface }} -i {{ main_bridge }} -j ACCEPT
ipt -A FORWARD -i '{{ icvpn_interface }}' -o '{{ main_bridge }}' -j ACCEPT
ipt -A FORWARD -o '{{ icvpn_interface }}' -i '{{ main_bridge }}' -j ACCEPT
ipt -A INPUT -p tcp --dport {{ icvpn_port }} -j ACCEPT
ipt -A INPUT -p udp --dport {{ icvpn_port }} -j ACCEPT
ipt -A INPUT -p tcp --dport '{{ icvpn_port }}' -j ACCEPT
ipt -A INPUT -p udp --dport '{{ icvpn_port }}' -j ACCEPT
ipt6 -A INPUT -i {{ main_bridge }} -p udp --dport 1001 -j ACCEPT
ipt6 -A INPUT -i vpn-{{ site_code }}-legacy -p udp --dport 1001 -j ACCEPT
ipt6 -A INPUT -i vpn-{{ site_code }} -p udp --dport 1001 -j ACCEPT
ipt6 -A INPUT -i '{{ main_bridge }}' -p udp --dport 1001 -j ACCEPT
ipt6 -A INPUT -i 'vpn-{{ site_code }}-legacy' -p udp --dport 1001 -j ACCEPT
ipt6 -A INPUT -i 'vpn-{{ site_code }}' -p udp --dport 1001 -j ACCEPT
......@@ -12,8 +12,8 @@ fi
git -C "$DNS_ZONES_FOLDER" pull
for DNS_ZONE in ${DNS_ZONES_FOLDER}/*.zone; do
if ! nsd-checkzone "$(basename ${DNS_ZONE} '.zone')" "${DNS_ZONE}"; then
for DNS_ZONE in "${DNS_ZONES_FOLDER}/"*.zone; do
if ! nsd-checkzone "$(basename "$DNS_ZONE" '.zone')" "$DNS_ZONE"; then
continue
fi
......@@ -23,8 +23,8 @@ for DNS_ZONE in ${DNS_ZONES_FOLDER}/*.zone; do
nsd-control reconfig >/dev/null
# Reload zone
nsd-control reload "$(basename ${DNS_ZONE} '.zone')"
nsd-control reload "$(basename "$DNS_ZONE" '.zone')"
# Notify slaves about changed zones
nsd-control notify "$(basename ${DNS_ZONE} '.zone')"
nsd-control notify "$(basename "$DNS_ZONE" '.zone')"
done
ipt -A INPUT -i {{ icvpn_interface }} -p tcp --dport 179 -j ACCEPT
ipt -A INPUT -i {{ main_bridge }} -p tcp --dport 179 -j ACCEPT
ipt -A INPUT -i '{{ icvpn_interface }}' -p tcp --dport 179 -j ACCEPT
ipt -A INPUT -i '{{ main_bridge }}' -p tcp --dport 179 -j ACCEPT
......@@ -8,7 +8,7 @@
- name: Load modules needed for sysctl configs early
lineinfile:
dest: /etc/modules
line: nf_conntrack_ipv4
line: nf_conntrack
- name: Setting hostname
hostname:
......
remote-control:
control-enable: yes
control-interface: /run/unbound.sock
......@@ -5,21 +5,9 @@
- name: Copy Configuration
copy:
src: "{{ item }}"
dest: "/etc/unbound/unbound.conf.d/{{ item }}"
src: "unbound.conf.d/"
dest: "/etc/unbound/unbound.conf.d/"
mode: 0644
with_items:
- caching-timeouts.conf
- caching-tweaking.conf
- disable-dnssec.conf
- edns-buffer-size.conf
- harden-glue.conf
- hide-version.conf
- jostle-timeout.conf
- minimal-responses.conf
- no-logging.conf
- number-of-threads.conf
- root-hints.conf
notify: restart unbound
- name: Fix unbound default config
......
#! /usr/bin/env sh
# shellcheck disable=SC1091
. /etc/profile
set -eu
......
#!/bin/sh
SCRIPT_DIR="$( cd "$( dirname "$0" )" && pwd )"
gpg --batch --use-agent --decrypt $SCRIPT_DIR"/../"vault_passphrase.gpg
gpg --batch --use-agent --decrypt "${SCRIPT_DIR}/../vault_passphrase.gpg"
......@@ -8,10 +8,10 @@ SCRIPT_DIR="$( cd "$( dirname "$0" )" && pwd )"
$SCRIPT_DIR/open.sh | gpg -e \
"${SCRIPT_DIR}/open.sh" | gpg -e \
-r C54DA2BC5F66661B6C6E4A5B9D7D3C6BFF600C6A \
-r D7E72BFC9E133E0452DAFBCBB17F2106D8CCEC27 \
-r 62D00A6960AC2256A24240BCD568B1E5EB1A6E50 \
-o $SCRIPT_DIR"/../"vault_passphrase.gpg
-o "${SCRIPT_DIR}/../vault_passphrase.gpg"