diff --git a/hosts b/hosts index 158ad45..0a09cd0 100644 --- a/hosts +++ b/hosts @@ -3,6 +3,7 @@ gw11.regensburg.freifunk.net gw21.regensburg.freifunk.net gw31.regensburg.freifunk.net ns1.regensburg.freifunk.net +resolver.regensburg.freifunk.net stats.regensburg.freifunk.net web.regensburg.freifunk.net stats.ffrgb ansible_host=10.90.224.100 diff --git a/roles/dns_resolver/handlers/main.yml b/roles/dns_resolver/handlers/main.yml new file mode 100644 index 0000000..bba002e --- /dev/null +++ b/roles/dns_resolver/handlers/main.yml @@ -0,0 +1,10 @@ +--- + +- name: Run acertmgr + command: /usr/bin/acertmgr + +- name: Restart powerdns + service: name=pdns-recursor state=restarted + +- name: Restart dnsdist + service: name=dnsdist state=restarted diff --git a/roles/dns_resolver/meta/main.yml b/roles/dns_resolver/meta/main.yml new file mode 100644 index 0000000..a456842 --- /dev/null +++ b/roles/dns_resolver/meta/main.yml @@ -0,0 +1,4 @@ +--- + +dependencies: +- { role: acertmgr } diff --git a/roles/dns_resolver/tasks/main.yml b/roles/dns_resolver/tasks/main.yml new file mode 100644 index 0000000..86d24a1 --- /dev/null +++ b/roles/dns_resolver/tasks/main.yml @@ -0,0 +1,41 @@ +--- + +- name: Enable powerdns apt-key + apt_key: url='https://repo.powerdns.com/FD380FBB-pub.asc' + +- name: Enable powerdns repository + apt_repository: repo='deb http://repo.powerdns.com/debian buster-dnsdist-15 main' + +- name: Install powerdns + apt: + name: + - dnsdist + - pdns-recursor + +- name: Ensure certificates are available + command: + cmd: > + openssl req -x509 -nodes -newkey rsa:2048 + -keyout /etc/dnsdist/{{ ansible_fqdn }}.key + -out /etc/dnsdist/{{ ansible_fqdn }}.crt + -days 730 -subj "/CN={{ ansible_fqdn }}" + creates: /etc/dnsdist/{{ ansible_fqdn }}.crt + notify: Restart dnsdist + +- name: Configure certificate manager + template: src=certs.j2 dest=/etc/acertmgr/{{ ansible_fqdn }}_dns.conf + notify: Run acertmgr + +- name: Configure powerdns + template: src=recursor.conf.j2 dest=/etc/powerdns/recursor.conf + notify: Restart powerdns + +- name: Configure dnsdist + template: src=dnsdist.conf.j2 dest=/etc/dnsdist/dnsdist.conf + notify: Restart dnsdist + +- name: Start the dns services + service: name={{ item }} state=started enabled=yes + with_items: + - dnsdist + - pdns-recursor diff --git a/roles/dns_resolver/templates/certs.j2 b/roles/dns_resolver/templates/certs.j2 new file mode 100644 index 0000000..0929f75 --- /dev/null +++ b/roles/dns_resolver/templates/certs.j2 @@ -0,0 +1,15 @@ +--- + +{{ ansible_fqdn }}: +- path: /etc/dnsdist/{{ ansible_fqdn }}.crt + user: _dnsdist + group: _dnsdist + perm: '400' + format: crt,ca + action: '/usr/sbin/service dnsdist restart' +- path: /etc/dnsdist/{{ ansible_fqdn }}.key + user: _dnsdist + group: _dnsdist + perm: '400' + format: key + action: '/usr/sbin/service dnsdist restart' diff --git a/roles/dns_resolver/templates/dnsdist.conf.j2 b/roles/dns_resolver/templates/dnsdist.conf.j2 new file mode 100644 index 0000000..34438cb --- /dev/null +++ b/roles/dns_resolver/templates/dnsdist.conf.j2 @@ -0,0 +1,16 @@ +-- {{ ansible_managed }} + +setLocal('127.0.0.1') +addLocal('::1') +addLocal('{{ ansible_default_ipv4.address }}') +addLocal('{{ ansible_default_ipv6.address }}') + +newServer({address="127.0.0.1:5300", qps=1, name="localhost"}) + +addTLSLocal('127.0.0.1','/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key') +addTLSLocal('::1','/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key') +addTLSLocal('{{ ansible_default_ipv4.address }}','/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key') +addTLSLocal('{{ ansible_default_ipv6.address }}','/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key') + +-- disable security status polling via DNS +setSecurityPollSuffix("") diff --git a/roles/dns_resolver/templates/recursor.conf.j2 b/roles/dns_resolver/templates/recursor.conf.j2 new file mode 100644 index 0000000..2c8b2c7 --- /dev/null +++ b/roles/dns_resolver/templates/recursor.conf.j2 @@ -0,0 +1,55 @@ +# {{ ansible_managed }} + +################################# +# allow-from If set, only allow these comma separated netmasks to recurse +# +#allow-from=127.0.0.0/8 + +################################# +# config-dir Location of configuration directory (recursor.conf) +# +config-dir=/etc/powerdns + +################################# +# dnssec DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate +# +# dnssec=process-no-validate +dnssec=off + +################################# +# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports. +# +local-address=127.0.0.1 + +################################# +# local-port port to listen on +# +local-port=5300 + +################################# +# query-local-address6 Send out local IPv6 queries from this address or addresses. Disabled by default, which also disables outgoing +# +{% if global_ipv6 is defined %} +query-local-address6={{ global_ipv6 | ipaddr('address') }} +{% endif %} + +################################# +# quiet Suppress logging of questions and answers +# +quiet=yes + +################################# +# security-poll-suffix Domain name from which to query security update notifications +# +# security-poll-suffix=secpoll.powerdns.com. +security-poll-suffix= + +################################# +# setgid If set, change group id to this gid for more security +# +setgid=pdns + +################################# +# setuid If set, change user id to this uid for more security +# +setuid=pdns diff --git a/site.yml b/site.yml index b295878..4d5ba98 100644 --- a/site.yml +++ b/site.yml @@ -49,6 +49,11 @@ roles: - web_svc +- name: Setup resolver + hosts: resolver.regensburg.freifunk.net + roles: + - dns_resolver + - name: Setup stats server hosts: stats.ffrgb roles: