From 6db7d81a9b418a651db23814ae1f76b11b73fbee Mon Sep 17 00:00:00 2001
From: Paul Maruhn <paulmaruhn@posteo.de>
Date: Tue, 4 Jan 2022 16:43:14 +0100
Subject: [PATCH] wip: add ffhl_ns_auth role

---
 playbook.yml                                  |  5 +--
 .../files/dnsdist/dnsdist.conf                | 12 ++---
 .../files/bind/forward-zones.conf             |  4 ++
 .../ffhl_ns_auth/files/bind/named.conf.local  | 19 ++++++++
 .../files/bind/named.conf.options             | 19 ++++++++
 .../files/systemd/update-ffhl-dns.service     |  3 ++
 .../files/systemd/update-ffhl-dns.timer       |  5 +++
 roles/ffhl_ns_auth/tasks/bind.yml             | 45 +++++++++++++++++++
 roles/ffhl_ns_auth/tasks/main.yml             | 25 +++++++++++
 roles/ffhl_ns_auth/templates/update-dns.sh    | 20 +++++++++
 10 files changed, 148 insertions(+), 9 deletions(-)
 create mode 100644 roles/ffhl_ns_auth/files/bind/forward-zones.conf
 create mode 100644 roles/ffhl_ns_auth/files/bind/named.conf.local
 create mode 100644 roles/ffhl_ns_auth/files/bind/named.conf.options
 create mode 100644 roles/ffhl_ns_auth/files/systemd/update-ffhl-dns.service
 create mode 100644 roles/ffhl_ns_auth/files/systemd/update-ffhl-dns.timer
 create mode 100644 roles/ffhl_ns_auth/tasks/bind.yml
 create mode 100644 roles/ffhl_ns_auth/tasks/main.yml
 create mode 100644 roles/ffhl_ns_auth/templates/update-dns.sh

diff --git a/playbook.yml b/playbook.yml
index 49ab3ca..d4000f5 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -18,6 +18,5 @@
   become: yes
   roles:
     - services
-    - role: ffhl_nameserver
-      tags: [nameserver]
-    
+    - role: ffhl_ns_auth
+      tags: [nameserver, nsauth]
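Review bot: Replacing `ffhl_nameserver` with `ffhl_ns_auth` silently stops deploying dnsdist's configuration, because `dnsdist.conf` still lives under `roles/ffhl_nameserver/files/dnsdist/` (this same patch edits it there) while the new role's `bind.yml` has its "copy dnsdist configs" task commented out, yet `bind.yml` still restarts `dnsdist.service`. Either keep both roles in the play for now or move the dnsdist files into `ffhl_ns_auth` before removing the old role line. While here, `become: yes` on the context line is a YAML 1.1 truthy value; Ansible style is `become: true`.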
diff --git a/roles/ffhl_nameserver/files/dnsdist/dnsdist.conf b/roles/ffhl_nameserver/files/dnsdist/dnsdist.conf
index ecbee8a..371263d 100644
--- a/roles/ffhl_nameserver/files/dnsdist/dnsdist.conf
+++ b/roles/ffhl_nameserver/files/dnsdist/dnsdist.conf
@@ -6,10 +6,10 @@ setACL({'0.0.0.0/0', '::/0'}) -- Allow all IPs access
 
 webserver('0.0.0.0:8083', 'dnsdist', 'dnsdist')
 
-newServer({address='127.0.0.1:5300', pool='auth'})
-newServer({address='[::1]:5300', pool='auth'})
-newServer({address='127.0.0.1:5301', pool='recursor'})
-newServer({address='[::1]:5301', pool='recursor'})
+newServer({address='127.0.0.1:5300',  pool='auth'})
+newServer({address='[::1]:5300',      pool='auth'})
+newServer({address='127.0.0.1:5301',  pool='recursor'})
+newServer({address='[::1]:5301',      pool='recursor'})
 newServer({address="10.130.0.104:53", pool='ffdyndns'})
 
 -- todo use host_vars
@@ -20,9 +20,9 @@ recursive_ips:addMask('fdef:ffc0:3dd7::/48')
 recursive_ips:addMask('fe80::/10')
 recursive_ips:addMask('::1/128')
 
-addAction("ffdyn.net.", PoolAction('ffdyndns'))
+addAction("ffdyn.net.",                    PoolAction('ffdyndns'))
 addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))
-addAction(AllRule(), PoolAction('auth'))
+addAction(AllRule(),                       PoolAction('auth'))
 
 -- disable security status
 setSecurityPollSuffix("")
diff --git a/roles/ffhl_ns_auth/files/bind/forward-zones.conf b/roles/ffhl_ns_auth/files/bind/forward-zones.conf
new file mode 100644
index 0000000..f083573
--- /dev/null
+++ b/roles/ffhl_ns_auth/files/bind/forward-zones.conf
@@ -0,0 +1,4 @@
+ffhl.=[::1]:5300
+ffhl.de.=[::1]:5300
+luebeck.freifunk.net.=[::1]:5300
++.=1.1.1.1
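Review bot: This file is never deployed — the `copy bind configs` loop in `bind.yml` only installs `named.conf.options` and `named.conf.local` — and its `zone=host:port` / `+.=` syntax is PowerDNS Recursor `forward-zones-file` format, not anything BIND can read, while `pdns-recursor` is removed in `main.yml`. If it is kept for a future recursor, note that `+.=1.1.1.1` would forward every non-local query to a public resolver over plain DNS; otherwise drop the file so nobody assumes the `ffhl.`/`ffhl.de.`/`luebeck.freifunk.net.` forwards are in effect. At minimum move it out of `files/bind/` and add a header comment such as `# pdns-recursor forward-zones-file, NOT used by BIND; not deployed by any task`.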
diff --git a/roles/ffhl_ns_auth/files/bind/named.conf.local b/roles/ffhl_ns_auth/files/bind/named.conf.local
new file mode 100644
index 0000000..db701e1
--- /dev/null
+++ b/roles/ffhl_ns_auth/files/bind/named.conf.local
@@ -0,0 +1,19 @@
+zone "luebeck.freifunk.net" IN {
+    type master;
+    file "luebeck.freifunk.net.zone";
+};
+
+zone "ffhl.de" IN {
+    type master;
+    file "ffhl.de.zone";
+};
+
+zone "ffdyn.net" IN {
+    type master;
+    file "ffdyn.net.zone";
+};
+
+zone "ffhl" IN {
+    type master;
+    file "ffhl.zone";
+};
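Review bot: The `ffdyn.net` zone declared here as `type master` is unreachable through the front end, because `dnsdist.conf` sends `ffdyn.net.` to the `ffdyndns` pool at `10.130.0.104:53` before the `AllRule()` fallback to the `auth` pool, so two different servers claim authority for the same name and only the dnsdist rule decides which answers. Either drop the zone here or document the split, e.g. `// ffdyn.net is answered by 10.130.0.104 via dnsdist's ffdyndns pool; this copy only serves direct :5300 queries`. Also worth a comment on the file: the `file` paths are relative to `directory "/var/local/ffhl-dns"`, which `update-dns.sh` overwrites with `git reset --hard` every five minutes, so any in-place edit of a zone file is lost.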
diff --git a/roles/ffhl_ns_auth/files/bind/named.conf.options b/roles/ffhl_ns_auth/files/bind/named.conf.options
new file mode 100644
index 0000000..39030f0
--- /dev/null
+++ b/roles/ffhl_ns_auth/files/bind/named.conf.options
@@ -0,0 +1,19 @@
+options {
+    directory "/var/local/ffhl-dns";
+    dnssec-validation auto;
+    allow-transfer { none; };
+
+    // forwarders {
+    //      0.0.0.0;
+    // };
+
+    listen-on port 5300 { 127.0.0.1; };
+    listen-on-v6 port 5300 { ::1; };
+
+    allow-recursion {
+        10.130.0.0/16;
+        2001:67c:2d50::/48;
+        fdef:ffc0:3dd7::/48;
+        fe80::/64;
+    };
+};
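Review bot: The `allow-recursion` ACL can never match, because named listens only on `127.0.0.1`/`::1` port 5300 and every query arrives from dnsdist on loopback, neither of which is in the list — so recursion is effectively denied for all clients and `dnssec-validation auto` has nothing to validate. If this server is meant to be authoritative only (the dnsdist `auth` pool), say so explicitly with `recursion no;` and drop the ACL; if recursion is intended, it must come from a separate backend on port 5301 (dnsdist's `recursor` pool), which this role never configures after removing `pdns-recursor`. The client ranges here also disagree with dnsdist's `recursive_ips` (`fe80::/64` vs `fe80::/10`), so keeping two copies of the subnet list invites drift. The commented-out `forwarders { 0.0.0.0; }` block should be removed rather than left as dead config.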
diff --git a/roles/ffhl_ns_auth/files/systemd/update-ffhl-dns.service b/roles/ffhl_ns_auth/files/systemd/update-ffhl-dns.service
new file mode 100644
index 0000000..2fe5763
--- /dev/null
+++ b/roles/ffhl_ns_auth/files/systemd/update-ffhl-dns.service
@@ -0,0 +1,3 @@
+[Service]
+Type=oneshot
+ExecStart=/usr/local/lib/ffhl/update-dns.sh
\ No newline at end of file
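Review bot: This unit runs `git clone` of a remote repository as root with no `[Unit]` section, so it has no `Description` and no `After=network-online.target`, meaning a boot-time trigger can fail before the network is up. Root is needed for the `chown` and `systemctl reload` in the script, but the unit can still be confined with `PrivateTmp` (the script uses `mktemp -d`), `ProtectHome` and `NoNewPrivileges` without breaking those calls. The file is also missing its trailing newline.

```ini
[Unit]
Description=Pull FFHL zone data from git and reload named
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
ExecStart=/usr/local/lib/ffhl/update-dns.sh
PrivateTmp=true
ProtectHome=true
NoNewPrivileges=true
```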
diff --git a/roles/ffhl_ns_auth/files/systemd/update-ffhl-dns.timer b/roles/ffhl_ns_auth/files/systemd/update-ffhl-dns.timer
new file mode 100644
index 0000000..0112ec8
--- /dev/null
+++ b/roles/ffhl_ns_auth/files/systemd/update-ffhl-dns.timer
@@ -0,0 +1,5 @@
+[Timer]
+OnCalendar=*:00/5
+
+[Install]
+WantedBy=multi-user.target
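Review bot: Timer units are conventionally pulled in by `timers.target`, not `multi-user.target`; use `WantedBy=timers.target` so it is started together with the other timers. Consider `Persistent=true` under `[Timer]` so a pull missed while the host was down runs at next boot, and add a `[Unit]` section with `Description=Pull FFHL zone data every 5 minutes` so `systemctl list-timers` is self-explanatory.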
diff --git a/roles/ffhl_ns_auth/tasks/bind.yml b/roles/ffhl_ns_auth/tasks/bind.yml
new file mode 100644
index 0000000..01d1798
--- /dev/null
+++ b/roles/ffhl_ns_auth/tasks/bind.yml
@@ -0,0 +1,45 @@
+---
+# - name: copy dnsdist configs
+#   copy:
+#     src: dnsdist
+#     dest: /etc/
+
+
+- name: copy bind configs
+  loop:
+    - named.conf.options
+    - named.conf.local
+  copy:
+    src: "bind/{{ item }}"
+    dest: "/etc/bind/{{ item }}"
+
+
+- name: remove old dns repo
+  file:
+    path: /var/local/ffhl-dns
+    state: absent
+
+
+# add update script
+- name: copy update script
+  template:
+    src: update-dns.sh
+    dest: /usr/local/lib/ffhl/
+    mode: 0775
+
+- name: copy systemd services and timers
+  copy:
+    src: systemd/
+    dest: /etc/systemd/system/
+
+- name: restart dns services
+  systemd:
+    daemon_reload: yes
+    enabled: yes
+    state: restarted
+    name: "{{ item }}"
+  loop:
+    - bind9.service
+    - dnsdist.service
+    - update-ffhl-dns.timer
+    - update-ffhl-dns.service
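Review bot: The `remove old dns repo` task deletes `/var/local/ffhl-dns` on every run and `bind9.service` is then restarted before `update-ffhl-dns.service` repopulates it, so on each playbook run named starts with all four master zone files missing and serves SERVFAIL for `ffhl.de` etc. until the clone and the script's `sleep 5` reload complete; drop that task (the script's `reset --hard` already overwrites the tree) or run the update service before restarting bind9. The `template` task writes a group-writable (`mode: 0775`, an unquoted octal) script that root executes from a timer and will fail if `/usr/local/lib/ffhl/` does not exist, since `template` does not create parent directories. Restarting instead of using handlers also makes every run non-idempotent, and `enabled: yes` on a oneshot service with no `[Install]` section (`update-ffhl-dns.service`) is likely to warn or fail — only the timer should be enabled. The `bind9.service` here versus `named.service` in the script is presumably the Debian alias pair, but pick one name.

```yaml
- name: create script directory
  file:
    path: /usr/local/lib/ffhl
    state: directory
    owner: root
    group: root
    mode: "0755"

- name: copy update script
  template:
    src: update-dns.sh
    dest: /usr/local/lib/ffhl/update-dns.sh
    owner: root
    group: root
    mode: "0755"

# … unchanged: copy systemd units …

- name: pull zone data before (re)starting named
  systemd:
    daemon_reload: true
    state: started
    name: update-ffhl-dns.service

- name: enable timer and restart dns services
  systemd:
    enabled: true
    state: restarted
    name: "{{ item }}"
  loop:
    - update-ffhl-dns.timer
    - bind9.service
    - dnsdist.service
```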
diff --git a/roles/ffhl_ns_auth/tasks/main.yml b/roles/ffhl_ns_auth/tasks/main.yml
new file mode 100644
index 0000000..663f4bd
--- /dev/null
+++ b/roles/ffhl_ns_auth/tasks/main.yml
@@ -0,0 +1,25 @@
+---
+
+
+
+- name: remove other dns services
+  tags: [dns]
+  apt:
+    state: absent
+    name:
+      - pdns-recursor
+      - pdns-server
+      - pdns-backend-bind
+
+
+- name: install packages
+  tags: [dns, bind]
+  apt:
+    state: present
+    name:
+      - bind9
+
+
+- name: installing bind
+  import_tasks: bind.yml
+  tags: [powerdns]
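Review bot: The `import_tasks: bind.yml` is tagged `[powerdns]`, so `--tags bind` or `--tags dns` installs the `bind9` package but never configures it, while `--tags powerdns` runs the BIND tasks on a play that just removed PowerDNS; it should be `tags: [dns, bind]` to match the install task. Removing `pdns-recursor` also leaves dnsdist's `recursor` pool (`127.0.0.1:5301`) with no backend, so clients in `recursive_ips` lose resolution entirely unless a replacement is configured elsewhere. Consider `purge: true` on the removal so stale `/etc/powerdns` configuration does not linger on the host.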
diff --git a/roles/ffhl_ns_auth/templates/update-dns.sh b/roles/ffhl_ns_auth/templates/update-dns.sh
new file mode 100644
index 0000000..ea4eef1
--- /dev/null
+++ b/roles/ffhl_ns_auth/templates/update-dns.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+set -e
+
+DIR=$(mktemp -d)
+DEST="/var/local/ffhl-dns"
+REPO="{{ dns_repo_url }}"
+
+mkdir -p "$DEST"
+git clone "$REPO" "$DIR"
+git --git-dir="$DIR/.git" --work-tree="$DEST" reset --hard
+
+rm -rf "$DIR"
+
+chown -R bind:bind "$DEST"
+
+# if this script is started by ansible, named was restarted just before this service
+# we need to give named some time to startup
+sleep 5
+
+systemctl reload named.service
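Review bot: This script pulls zone data from `{{ dns_repo_url }}` every five minutes and loads it into an authoritative nameserver without verifying what it fetched, so anyone with push access to that repository — or able to tamper with the transport if the URL is not SSH/HTTPS — controls the `ffhl.de` and `luebeck.freifunk.net` zones; at minimum run `named-checkconf -z` before the reload so a broken or truncated zone does not take the server down, and verify commit signatures if the repository can sign them. With `set -e`, any failure after `mktemp -d` leaves the temp clone behind, so use a `trap` for cleanup; `git reset --hard` also never removes files that were deleted from the repository, so stale zone files persist in `$DEST`. `chown -R bind:bind` gives named write access to its own master zone files, which it does not need; `root:bind` with read permission is sufficient. The `sleep 5` is a race workaround for the task ordering in `bind.yml` rather than a property of this script.

```bash
set -euo pipefail

DIR=$(mktemp -d)
trap 'rm -rf "$DIR"' EXIT
DEST="/var/local/ffhl-dns"
REPO="{{ dns_repo_url }}"

mkdir -p "$DEST"
git clone --depth 1 "$REPO" "$DIR"
# TODO(review): enforce a trust anchor here (e.g. `git -C "$DIR" verify-commit HEAD`) once the repo signs commits
git --git-dir="$DIR/.git" --work-tree="$DEST" reset --hard
git --git-dir="$DIR/.git" --work-tree="$DEST" clean -fd   # drop zone files removed from the repo

chown -R root:bind "$DEST"
chmod -R g+rX "$DEST"

# … unchanged: sleep …

named-checkconf -z
systemctl reload named.service
```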
-- 
GitLab