dns_resolver: new role for resolver only

2020-11-24 22:40:48 +01:00 · 2020-11-24 22:40:48 +01:00 · bf1b7e434d
commit bf1b7e434d
parent f882c6e41a
8 changed files with 147 additions and 0 deletions
--- a/1
+++ b/1
@ -3,6 +3,7 @@ gw11.regensburg.freifunk.net
 gw21.regensburg.freifunk.net
 gw31.regensburg.freifunk.net
 ns1.regensburg.freifunk.net
+resolver.regensburg.freifunk.net
 stats.regensburg.freifunk.net
 web.regensburg.freifunk.net
 stats.ffrgb ansible_host=10.90.224.100
--- a/roles/dns_resolver/handlers/main.yml
+++ b/roles/dns_resolver/handlers/main.yml
@ -0,0 +1,10 @@
+---
+
+- name: Run acertmgr
+  command: /usr/bin/acertmgr
+
+- name: Restart powerdns
+  service: name=pdns-recursor state=restarted
+
+- name: Restart dnsdist
+  service: name=dnsdist state=restarted
--- a/roles/dns_resolver/meta/main.yml
+++ b/roles/dns_resolver/meta/main.yml
@ -0,0 +1,4 @@
+---
+
+dependencies:
+- { role: acertmgr }
--- a/roles/dns_resolver/tasks/main.yml
+++ b/roles/dns_resolver/tasks/main.yml
@ -0,0 +1,41 @@
+---
+
+- name: Enable powerdns apt-key
+  apt_key: url='https://repo.powerdns.com/FD380FBB-pub.asc'
+
+- name: Enable powerdns repository
+  apt_repository: repo='deb http://repo.powerdns.com/debian buster-dnsdist-15 main'
+
+- name: Install powerdns
+  apt:
+    name:
+    - dnsdist
+    - pdns-recursor
+
+- name: Ensure certificates are available
+  command:
+    cmd: >
+      openssl req -x509 -nodes -newkey rsa:2048
+      -keyout /etc/dnsdist/{{ ansible_fqdn }}.key
+      -out /etc/dnsdist/{{ ansible_fqdn }}.crt
+      -days 730 -subj "/CN={{ ansible_fqdn }}"
+    creates: /etc/dnsdist/{{ ansible_fqdn }}.crt
+  notify: Restart dnsdist
+
+- name: Configure certificate manager
+  template: src=certs.j2 dest=/etc/acertmgr/{{ ansible_fqdn }}_dns.conf
+  notify: Run acertmgr
+
+- name: Configure powerdns
+  template: src=recursor.conf.j2 dest=/etc/powerdns/recursor.conf
+  notify: Restart powerdns
+
+- name: Configure dnsdist
+  template: src=dnsdist.conf.j2 dest=/etc/dnsdist/dnsdist.conf
+  notify: Restart dnsdist
+
+- name: Start the dns services
+  service: name={{ item }} state=started enabled=yes
+  with_items:
+  - dnsdist
+  - pdns-recursor
--- a/roles/dns_resolver/templates/certs.j2
+++ b/roles/dns_resolver/templates/certs.j2
@ -0,0 +1,15 @@
+---
+
+{{ ansible_fqdn }}:
+- path: /etc/dnsdist/{{ ansible_fqdn }}.crt
+  user: _dnsdist
+  group: _dnsdist
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service dnsdist restart'
+- path: /etc/dnsdist/{{ ansible_fqdn }}.key
+  user: _dnsdist
+  group: _dnsdist
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service dnsdist restart'
--- a/roles/dns_resolver/templates/dnsdist.conf.j2
+++ b/roles/dns_resolver/templates/dnsdist.conf.j2
@ -0,0 +1,16 @@
+-- {{ ansible_managed }}
+
+setLocal('127.0.0.1')
+addLocal('::1')
+addLocal('{{ ansible_default_ipv4.address }}')
+addLocal('{{ ansible_default_ipv6.address }}')
+
+newServer({address="127.0.0.1:5300", qps=1, name="localhost"})
+
+addTLSLocal('127.0.0.1','/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
+addTLSLocal('::1','/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
+addTLSLocal('{{ ansible_default_ipv4.address }}','/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
+addTLSLocal('{{ ansible_default_ipv6.address }}','/etc/dnsdist/{{ ansible_fqdn }}.crt', '/etc/dnsdist/{{ ansible_fqdn }}.key')
+
+-- disable security status polling via DNS
+setSecurityPollSuffix("")
--- a/roles/dns_resolver/templates/recursor.conf.j2
+++ b/roles/dns_resolver/templates/recursor.conf.j2
@ -0,0 +1,55 @@
+# {{ ansible_managed }}
+
+#################################
+# allow-from    If set, only allow these comma separated netmasks to recurse
+#
+#allow-from=127.0.0.0/8
+
+#################################
+# config-dir    Location of configuration directory (recursor.conf)
+#
+config-dir=/etc/powerdns
+
+#################################
+# dnssec        DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate
+#
+# dnssec=process-no-validate
+dnssec=off
+
+#################################
+# local-address IP addresses to listen on, separated by spaces or commas. Also accepts ports.
+#
+local-address=127.0.0.1
+
+#################################
+# local-port    port to listen on
+#
+local-port=5300
+
+#################################
+# query-local-address6 Send out local IPv6 queries from this address or addresses. Disabled by default, which also disables outgoing
+#
+{% if global_ipv6 is defined %}
+query-local-address6={{ global_ipv6 | ipaddr('address') }}
+{% endif %}
+
+#################################
+# quiet Suppress logging of questions and answers
+#
+quiet=yes
+
+#################################
+# security-poll-suffix  Domain name from which to query security update notifications
+#
+# security-poll-suffix=secpoll.powerdns.com.
+security-poll-suffix=
+
+#################################
+# setgid        If set, change group id to this gid for more security
+#
+setgid=pdns
+
+#################################
+# setuid        If set, change user id to this uid for more security
+#
+setuid=pdns
--- a/site.yml
+++ b/site.yml
@ -49,6 +49,11 @@
  roles:
  - web_svc

+- name: Setup resolver
+  hosts: resolver.regensburg.freifunk.net
+  roles:
+  - dns_resolver
+
 - name: Setup stats server
  hosts: stats.ffrgb
  roles: