dns_resolver: new role for resolver only

2020-11-24 22:40:48 +01:00 · 2020-11-24 22:40:48 +01:00 · bf1b7e434d
commit bf1b7e434d
parent f882c6e41a
8 changed files with 147 additions and 0 deletions
--- a/1
+++ b/1
@ -3,6 +3,7 @@ gw11.regensburg.freifunk.net
 gw21.regensburg.freifunk.net
 gw31.regensburg.freifunk.net
 ns1.regensburg.freifunk.net
 resolver.regensburg.freifunk.net
 stats.regensburg.freifunk.net
 web.regensburg.freifunk.net
 stats.ffrgb ansible_host=10.90.224.100
--- a/roles/dns_resolver/handlers/main.yml
+++ b/roles/dns_resolver/handlers/main.yml
@ -0,0 +1,10 @@
 ---
 - name: Run acertmgr
  command: /usr/bin/acertmgr
 - name: Restart powerdns
  service: name=pdns-recursor state=restarted
 - name: Restart dnsdist
  service: name=dnsdist state=restarted
--- a/roles/dns_resolver/meta/main.yml
+++ b/roles/dns_resolver/meta/main.yml
@ -0,0 +1,4 @@
 ---
 dependencies:
 - { role: acertmgr }
--- a/roles/dns_resolver/tasks/main.yml
+++ b/roles/dns_resolver/tasks/main.yml
@ -0,0 +1,41 @@
 ---
 - name: Enable powerdns apt-key
  apt_key: url='https://repo.powerdns.com/FD380FBB-pub.asc'
 - name: Enable powerdns repository
  apt_repository: repo='deb http://repo.powerdns.com/debian buster-dnsdist-15 main'
 - name: Install powerdns
  apt:
    name:
    - dnsdist
    - pdns-recursor
 - name: Ensure certificates are available
  command:
    cmd: >
      openssl req -x509 -nodes -newkey rsa:2048
      -keyout /etc/dnsdist/{{ ansible_fqdn }}.key
      -out /etc/dnsdist/{{ ansible_fqdn }}.crt
      -days 730 -subj "/CN={{ ansible_fqdn }}"
    creates: /etc/dnsdist/{{ ansible_fqdn }}.crt
  notify: Restart dnsdist
 - name: Configure certificate manager
  template: src=certs.j2 dest=/etc/acertmgr/{{ ansible_fqdn }}_dns.conf
  notify: Run acertmgr
 - name: Configure powerdns
  template: src=recursor.conf.j2 dest=/etc/powerdns/recursor.conf
  notify: Restart powerdns
 - name: Configure dnsdist
  template: src=dnsdist.conf.j2 dest=/etc/dnsdist/dnsdist.conf
  notify: Restart dnsdist
 - name: Start the dns services
  service: name={{ item }} state=started enabled=yes
  with_items:
  - dnsdist
  - pdns-recursor
--- a/roles/dns_resolver/templates/certs.j2
+++ b/roles/dns_resolver/templates/certs.j2
@ -0,0 +1,15 @@
 ---
 {{ ansible_fqdn }}:
 - path: /etc/dnsdist/{{ ansible_fqdn }}.crt
  user: _dnsdist
  group: _dnsdist
  perm: '400'
  format: crt,ca
  action: '/usr/sbin/service dnsdist restart'
 - path: /etc/dnsdist/{{ ansible_fqdn }}.key
  user: _dnsdist
  group: _dnsdist
  perm: '400'
  format: key
  action: '/usr/sbin/service dnsdist restart'
--- a/roles/dns_resolver/templates/dnsdist.conf.j2
+++ b/roles/dns_resolver/templates/dnsdist.conf.j2
@ -0,0 +1,16 @@
 -- {{ ansible_managed }}
 setLocal('127.0.0.1')
 addLocal('::1')
 addLocal('{{ ansible_default_ipv4.address }}')
 addLocal('{{ ansible_default_ipv6.address }}')
 newServer({address="127.0.0.1:5300", qps=1, name="localhost"})
 addTLSLocal('127.0.0.1','/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
 addTLSLocal('::1','/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
 addTLSLocal('{{ ansible_default_ipv4.address }}','/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
 addTLSLocal('{{ ansible_default_ipv6.address }}','/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
 -- disable security status polling via DNS
 setSecurityPollSuffix("")
--- a/roles/dns_resolver/templates/recursor.conf.j2
+++ b/roles/dns_resolver/templates/recursor.conf.j2
@ -0,0 +1,55 @@
 # {{ ansible_managed }}
 #################################
 # allow-from    If set, only allow these comma separated netmasks to recurse
 #
 #allow-from=127.0.0.0/8
 #################################
 # config-dir    Location of configuration directory (recursor.conf)
 #
 config-dir=/etc/powerdns
 #################################
 # dnssec        DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate
 #
 # dnssec=process-no-validate
 dnssec=off
 #################################
 # local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
 #
 local-address=127.0.0.1
 #################################
 # local-port    port to listen on
 #
 local-port=5300
 #################################
 # query-local-address6 Send out local IPv6 queries from this address or addresses. Disabled by default, which also disables outgoing
 #
 {% if global_ipv6 is defined %}
 query-local-address6={{ global_ipv6 | ipaddr('address') }}
 {% endif %}
 #################################
 # quiet Suppress logging of questions and answers
 #
 quiet=yes
 #################################
 # security-poll-suffix  Domain name from which to query security update notifications
 #
 # security-poll-suffix=secpoll.powerdns.com.
 security-poll-suffix=
 #################################
 # setgid        If set, change group id to this gid for more security
 #
 setgid=pdns
 #################################
 # setuid        If set, change user id to this uid for more security
 #
 setuid=pdns
--- a/site.yml
+++ b/site.yml
@ -49,6 +49,11 @@
  roles:
  - web_svc
 - name: Setup resolver
  hosts: resolver.regensburg.freifunk.net
  roles:
  - dns_resolver
 - name: Setup stats server
  hosts: stats.ffrgb
  roles: