dns: use dedicated certificate for dnsdist

2020-11-05 18:54:01 +01:00 · 2020-11-05 18:54:01 +01:00 · ae6b1bc58a
commit ae6b1bc58a
parent 29627c5e36
4 changed files with 35 additions and 3 deletions
--- a/roles/dns/handlers/main.yml
+++ b/roles/dns/handlers/main.yml
@ -1,5 +1,8 @@
 ---

+- name: Run acertmgr
+  command: /usr/bin/acertmgr
+
 - name: Restart powerdns
  service: name={{ item }} state=restarted
  with_items:
--- a/roles/dns/tasks/main.yml
+++ b/roles/dns/tasks/main.yml
@ -14,6 +14,20 @@
    - pdns-recursor
    - pdns-server

+- name: Ensure certificates are available
+  command:
+    cmd: >
+      openssl req -x509 -nodes -newkey rsa:2048
+      -keyout /etc/dnsdist/{{ ansible_fqdn }}.key
+      -out /etc/dnsdist/{{ ansible_fqdn }}.crt
+      -days 730 -subj "/CN={{ ansible_fqdn }}"
+    creates: /etc/dnsdist/{{ ansible_fqdn }}.crt
+  notify: Restart dnsdist
+
+- name: Configure certificate manager
+  template: src=certs.j2 dest=/etc/acertmgr/{{ ansible_fqdn }}_dns.conf
+  notify: Run acertmgr
+
 - name: Create zone directory
  file: path=/etc/powerdns/bind/ state=directory

--- a/roles/dns/templates/certs.j2
+++ b/roles/dns/templates/certs.j2
@ -0,0 +1,15 @@
+---
+
+{{ ansible_fqdn }}:
+- path: /etc/dnsdist/{{ ansible_fqdn }}.crt
+  user: _dnsdist
+  group: _dnsdist
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service dnsdist restart'
+- path: /etc/dnsdist/{{ ansible_fqdn }}.key
+  user: _dnsdist
+  group: _dnsdist
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service dnsdist restart'
--- a/roles/dns/templates/dnsdist.conf.j2
+++ b/roles/dns/templates/dnsdist.conf.j2
@ -4,9 +4,9 @@ setLocal('127.0.0.1:5353')

 newServer({address="127.0.0.1", qps=1, name="localhost"})

-addTLSLocal('127.0.0.1','/etc/nginx/ssl/{{ ansible_fqdn }}.crt', '/etc/nginx/ssl/{{ ansible_fqdn }}.key')
-addTLSLocal('{{ batman_ipv4 | ipaddr('address') }}','/etc/nginx/ssl/{{ ansible_fqdn }}.crt', '/etc/nginx/ssl/{{ ansible_fqdn }}.key')
-addTLSLocal('{{ batman_ipv6 | ipaddr('address') }}','/etc/nginx/ssl/{{ ansible_fqdn }}.crt', '/etc/nginx/ssl/{{ ansible_fqdn }}.key')
+addTLSLocal('127.0.0.1','/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
+addTLSLocal('{{ batman_ipv4 | ipaddr('address') }}','/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
+addTLSLocal('{{ batman_ipv6 | ipaddr('address') }}','/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')

 -- disable security status polling via DNS
 setSecurityPollSuffix("")