From ae6b1bc58a8e9ba4a3b73aca6fa8564909e52e14 Mon Sep 17 00:00:00 2001
From: Markus Hauschild
Date: Thu, 5 Nov 2020 18:54:01 +0100
Subject: [PATCH] dns: use dedicated certificate for dnsdist

---
 roles/dns/handlers/main.yml | 3 +++
 roles/dns/tasks/main.yml | 14 ++++++++++++++
 roles/dns/templates/certs.j2 | 15 +++++++++++++++
 roles/dns/templates/dnsdist.conf.j2 | 6 +++---
 4 files changed, 35 insertions(+), 3 deletions(-)
 create mode 100644 roles/dns/templates/certs.j2

diff --git a/roles/dns/handlers/main.yml b/roles/dns/handlers/main.yml
index 95f9ada..dcdb5a0 100644
--- a/roles/dns/handlers/main.yml
+++ b/roles/dns/handlers/main.yml
@@ -1,5 +1,8 @@
 ---
+- name: Run acertmgr
+ command: /usr/bin/acertmgr
+
 - name: Restart powerdns
 service: name={{ item }} state=restarted
 with_items:
diff --git a/roles/dns/tasks/main.yml b/roles/dns/tasks/main.yml
index e0e0eba..4472e7f 100644
--- a/roles/dns/tasks/main.yml
+++ b/roles/dns/tasks/main.yml
@@ -14,6 +14,20 @@
 - pdns-recursor
 - pdns-server
+- name: Ensure certificates are available
+ command:
+ cmd: >
+ openssl req -x509 -nodes -newkey rsa:2048
+ -keyout /etc/dnsdist/{{ ansible_fqdn }}.key
+ -out /etc/dnsdist/{{ ansible_fqdn }}.crt
+ -days 730 -subj "/CN={{ ansible_fqdn }}"
+ creates: /etc/dnsdist/{{ ansible_fqdn }}.crt
+ notify: Restart dnsdist
+
+- name: Configure certificate manager
+ template: src=certs.j2 dest=/etc/acertmgr/{{ ansible_fqdn }}_dns.conf
+ notify: Run acertmgr
+
 - name: Create zone directory
 file: path=/etc/powerdns/bind/ state=directory
diff --git a/roles/dns/templates/certs.j2 b/roles/dns/templates/certs.j2
new file mode 100644
index 0000000..0929f75
--- /dev/null
+++ b/roles/dns/templates/certs.j2
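Review bot: The tasks hunk in roles/dns/tasks/main.yml uses `notify: Restart dnsdist`, but this handlers hunk adds only `Run acertmgr`, and the visible `Restart powerdns` handler loops `{{ item }}` over a `with_items` list whose members are outside the hunk; confirm a handler named exactly `Restart dnsdist` exists further down the file, otherwise Ansible fails at notification time. The new handler is a bare `command` with no `changed_when`, so every notification reports a change; that is acceptable for a handler, but a one-line comment above it, `# Issues/renews the ACME certificate declared in /etc/acertmgr/*_dns.conf; its action hook restarts dnsdist`, would tell the next maintainer why a restart handler is not chained here. Style: the new handler uses block-style arguments while the adjacent `service: name={{ item }} state=restarted` uses key=value shorthand; the block form is the Ansible-recommended one, so prefer it for both.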
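Review bot: The bootstrap `openssl req` task sets no ownership or mode on `/etc/dnsdist/{{ ansible_fqdn }}.key` and `.crt`, so they are root-owned with whatever root's umask and the installed OpenSSL produce, while certs.j2 configures the acertmgr-issued replacement as `_dnsdist:_dnsdist` with `perm: '400'`; until acertmgr succeeds the service user may be unable to read the key, or the key may be readable more broadly than the managed state intends. Pinning both files right after generation, as below, keeps the bootstrap and managed states aligned (this assumes the dnsdist package and its `_dnsdist` account are installed before this task; the package list above the hunk is only partly visible). Note also that `creates:` checks only the `.crt`, so a missing or damaged `.key` with a surviving `.crt` is never regenerated — a comment such as `# bootstrap self-signed pair; replaced by acertmgr, regenerated only if the .crt is gone` would at least document that. Style: `template: src=certs.j2 dest=...` uses key=value shorthand next to the block-style `command:`; write it as `template:` / `src: certs.j2` / `dest: "/etc/acertmgr/{{ ansible_fqdn }}_dns.conf"`.
```yaml
- name: Ensure certificates are available
  # … unchanged: openssl req bootstrap with creates: guard …

- name: Restrict bootstrap certificate permissions
  file:
    path: "/etc/dnsdist/{{ ansible_fqdn }}.{{ item }}"
    owner: _dnsdist
    group: _dnsdist
    mode: "0400"
  with_items:
    - crt
    - key
```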
@@ -0,0 +1,15 @@
+---
+
+{{ ansible_fqdn }}:
+- path: /etc/dnsdist/{{ ansible_fqdn }}.crt
+ user: _dnsdist
+ group: _dnsdist
+ perm: '400'
+ format: crt,ca
+ action: '/usr/sbin/service dnsdist restart'
+- path: /etc/dnsdist/{{ ansible_fqdn }}.key
+ user: _dnsdist
+ group: _dnsdist
+ perm: '400'
+ format: key
+ action: '/usr/sbin/service dnsdist restart'
diff --git a/roles/dns/templates/dnsdist.conf.j2 b/roles/dns/templates/dnsdist.conf.j2
index 440bd88..5ec5687 100644
--- a/roles/dns/templates/dnsdist.conf.j2
+++ b/roles/dns/templates/dnsdist.conf.j2
@@ -4,9 +4,9 @@
 setLocal('127.0.0.1:5353')
 newServer({address="127.0.0.1", qps=1, name="localhost"})
-addTLSLocal('127.0.0.1','/etc/nginx/ssl/{{ ansible_fqdn }}.crt', '/etc/nginx/ssl/{{ ansible_fqdn }}.key')
-addTLSLocal('{{ batman_ipv4 | ipaddr('address') }}','/etc/nginx/ssl/{{ ansible_fqdn }}.crt', '/etc/nginx/ssl/{{ ansible_fqdn }}.key')
-addTLSLocal('{{ batman_ipv6 | ipaddr('address') }}','/etc/nginx/ssl/{{ ansible_fqdn }}.crt', '/etc/nginx/ssl/{{ ansible_fqdn }}.key')
+addTLSLocal('127.0.0.1','/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
+addTLSLocal('{{ batman_ipv4 | ipaddr('address') }}','/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
+addTLSLocal('{{ batman_ipv6 | ipaddr('address') }}','/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
 -- disable security status polling via DNS
 setSecurityPollSuffix("")
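Review bot: The rendered acertmgr config carries no marker that Ansible owns it, so a hand edit on the host is silently overwritten on the next run; add `# {{ ansible_managed }}` as the first line of the template, above the `---`. Both entries attach the same `action: '/usr/sbin/service dnsdist restart'`; if acertmgr runs the hook once per changed file rather than once per run (not determinable from this hunk), a renewal restarts dnsdist twice back to back, which is harmless but worth a comment such as `# both files are rewritten together on renewal; the restart hook is attached to each so a partial update still reloads` so the duplication reads as intentional. `perm: '400'` is correctly quoted — keep it a string so tooling does not retype the octal value.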
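Review bot: The three `addTLSLocal` calls repeat the same certificate and key path, so any future path change has to be made in three places — exactly what this commit had to do; hoisting the paths into two Lua locals, as below, leaves one place to edit. No options table is passed, so the listeners run with dnsdist's default TLS settings; if the deployed dnsdist version supports `minTLSVersion` in addTLSLocal's options argument, pinning a floor there is a natural companion to this change (confirm against the installed version's documentation before relying on it). The certs.j2 hook restarts dnsdist on renewal, which is presumably what makes the renewed files take effect here.
```lua
local tlsCert = '/etc/dnsdist/{{ ansible_fqdn }}.crt'
local tlsKey = '/etc/dnsdist/{{ ansible_fqdn }}.key'
addTLSLocal('127.0.0.1', tlsCert, tlsKey)
addTLSLocal('{{ batman_ipv4 | ipaddr('address') }}', tlsCert, tlsKey)
addTLSLocal('{{ batman_ipv6 | ipaddr('address') }}', tlsCert, tlsKey)
-- … unchanged: setSecurityPollSuffix …
```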