wip: add auth_ns role

playbook.yml

@@ -18,6 +18,5 @@
   become: yes
   roles:
     - services
-    - role: ffhl_nameserver
-      tags: [nameserver]
-    
+    - role: ffhl_ns_auth
+      tags: [nameserver, nsauth]

roles/ffhl_nameserver/files/dnsdist/dnsdist.conf

@@ -6,10 +6,10 @@ setACL({'0.0.0.0/0', '::/0'}) -- Allow all IPs access
 
 webserver('0.0.0.0:8083', 'dnsdist', 'dnsdist')
 
-newServer({address='127.0.0.1:5300', pool='auth'})
-newServer({address='[::1]:5300', pool='auth'})
-newServer({address='127.0.0.1:5301', pool='recursor'})
-newServer({address='[::1]:5301', pool='recursor'})
+newServer({address='127.0.0.1:5300',  pool='auth'})
+newServer({address='[::1]:5300',      pool='auth'})
+newServer({address='127.0.0.1:5301',  pool='recursor'})
+newServer({address='[::1]:5301',      pool='recursor'})
 newServer({address="10.130.0.104:53", pool='ffdyndns'})
 
 -- todo use host_vars
@@ -20,9 +20,9 @@ recursive_ips:addMask('fdef:ffc0:3dd7::/48')
 recursive_ips:addMask('fe80::/10')
 recursive_ips:addMask('::1/128')
 
-addAction("ffdyn.net.", PoolAction('ffdyndns'))
+addAction("ffdyn.net.",                    PoolAction('ffdyndns'))
 addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))
-addAction(AllRule(), PoolAction('auth'))
+addAction(AllRule(),                       PoolAction('auth'))
 
 -- disable security status
 setSecurityPollSuffix("")

roles/ffhl_ns_auth/files/bind/forward-zones.conf

+ffhl.=[::1]:5300
+ffhl.de.=[::1]:5300
+luebeck.freifunk.net.=[::1]:5300
++.=1.1.1.1

roles/ffhl_ns_auth/files/bind/named.conf.local

+zone "luebeck.freifunk.net" IN {
+    type master;
+    file "luebeck.freifunk.net.zone";
+};
+
+zone "ffhl.de" IN {
+    type master;
+    file "ffhl.de.zone";
+};
+
+zone "ffdyn.net" IN {
+    type master;
+    file "ffdyn.net.zone";
+};
+
+zone "ffhl" IN {
+    type master;
+    file "ffhl.zone";
+};

roles/ffhl_ns_auth/files/bind/named.conf.options

+options {
+    directory "/var/local/ffhl-dns";
+    dnssec-validation auto;
+    allow-transfer { none; };
+
+    // forwarders {
+    //      0.0.0.0;
+    // };
+
+    listen-on port 5300 { 127.0.0.1; };
+    listen-on-v6 port 5300 { ::1; };
+
+    allow-recursion {
+        10.130.0.0/16;
+        2001:67c:2d50::/48;
+        fdef:ffc0:3dd7::/48;
+        fe80::/64;
+    };
+};

roles/ffhl_ns_auth/files/systemd/update-ffhl-dns.service

+[Service]
+Type=oneshot
+ExecStart=/usr/local/lib/ffhl/update-dns.sh
\ No newline at end of file

roles/ffhl_ns_auth/files/systemd/update-ffhl-dns.timer

+[Timer]
+OnCalendar=*:00/5
+
+[Install]
+WantedBy=multi-user.target

roles/ffhl_ns_auth/tasks/bind.yml

+---
+# - name: copy dnsdist configs
+#   copy:
+#     src: dnsdist
+#     dest: /etc/
+
+
+- name: copy bind configs
+  loop:
+    - named.conf.options
+    - named.conf.local
+  copy:
+    src: "bind/{{ item }}"
+    dest: "/etc/bind/{{ item }}"
+
+
+- name: remove old dns repo
+  file:
+    path: /var/local/ffhl-dns
+    state: absent
+
+
+# add update script
+- name: copy update script
+  template:
+    src: update-dns.sh
+    dest: /usr/local/lib/ffhl/
+    mode: 0775
+
+- name: copy systemd services and timers
+  copy:
+    src: systemd/
+    dest: /etc/systemd/system/
+
+- name: restart dns services
+  systemd:
+    daemon_reload: yes
+    enabled: yes
+    state: restarted
+    name: "{{ item }}"
+  loop:
+    - bind9.service
+    - dnsdist.service
+    - update-ffhl-dns.timer
+    - update-ffhl-dns.service

roles/ffhl_ns_auth/tasks/main.yml

+---
+
+
+
+- name: remove other dns services
+  tags: [dns]
+  apt:
+    state: absent
+    name:
+      - pdns-recursor
+      - pdns-server
+      - pdns-backend-bind
+
+
+- name: install packages
+  tags: [dns, bind]
+  apt:
+    state: present
+    name:
+      - bind9
+
+
+- name: installing bind
+  import_tasks: bind.yml
+  tags: [powerdns]

roles/ffhl_ns_auth/templates/update-dns.sh

+#!/bin/bash
+set -e
+
+DIR=$(mktemp -d)
+DEST="/var/local/ffhl-dns"
+REPO="{{ dns_repo_url }}"
+
+mkdir -p "$DEST"
+git clone "$REPO" "$DIR"
+git --git-dir="$DIR/.git" --work-tree="$DEST" reset --hard
+
+rm -rf "$DIR"
+
+chown -R bind:bind "$DEST"
+
+# if this script is started by ansible, named was restarted just before this service
+# we need to give named some time to startup
+sleep 5
+
+systemctl reload named.service