refactor roles

82e793ff · Paul · dbe418a1 · 82e793ff · 82e793ff · 82e793ff
Commit 82e793ff authored May 03, 2022 by Paul
--- a/ansible.cfg
+++ b/ansible.cfg
 [defaults]
-inventory=hosts.yml
+inventory=hosts
 vault_password_file=vault-password.txt

 [ssh_connection]

--- a/blackboxes.yml
+++ b/blackboxes.yml
+
+
+- hosts: blackboxes
+  become: true
+  roles:
+    - ffhl_access
+    - role: blackbox
+      tags: [blackbox, monitoring]
--- a/dns.yml
+++ b/dns.yml
+- hosts: dns-auth
+  become: true
+  roles:
+    - role: dns_common
+      tage: [dns_common, dns]
+    - role: dns_auth
+      tags: [dns_auth, dns]
--- a/playbook.yml
+++ b/playbook.yml
@@ -2,8 +2,8 @@
 - hosts: gateways:!holstentor
  become: true
  roles:
-    - role: prepare_ansible
-      tags: [prepare_ansible]
+    # - role: prepare_ansible
+    #   tags: [prepare_ansible]
    - role: ffhl_access
      tags: [ffhl_access]
    - role: base
@@ -16,27 +16,11 @@
      tags: [peering]
    - role: meshvpn
      tags: [meshvpn]
-    - role: ffhl_nameserver
-      tags: [ffhl_nameserver, nameserver]
+    - role: dns_common
+      tags: [dns_common, nameserver]


 # - hosts: kaisertor
 #   become: true
 #   roles:
 #     - icvpn
-
- hosts: srv02
-  become: true
-  roles:
-    - ffhl_access
-    - services
-    - role: ffhl_ns_auth
-      tags: [nameserver, nsauth]
-
-
- hosts: blackboxes
-  become: true
-  roles:
-    - ffhl_access
-    - role: blackbox
-      tags: [blackbox, monitoring]
--- a/group_vars/dns-auth.yml
+++ b/group_vars/dns-auth.yml
+records:
+  - {name: "@", type: A,    rdata: 5.9.249.24}
+  - {name: "@", type: AAAA, rdata: 2a01:4f8:262:48c2:1::3}
+
+  # nameserver
+  - {name: ns1, type: A,    rdata: 5.9.249.24}
+  - {name: ns1, type: AAAA, rdata: 2a01:4f8:262:48c2:1::3}
+  - {name: ns2, type: A,    rdata: 185.163.119.235}
+  - {name: ns2, type: AAAA, rdata: 2a03:4000:3b:53c:a4d4:5dff:fee7:d0e0}
+
+  - {name: nodes, type: NS, rdata: ns1}
+  - {name: nodes, type: NS, rdata: ns2}
+
+    # servers
+  - {name: srv02, type: A,     rdata: 5.9.249.24}
+  - {name: srv02, type: AAAA,  rdata: 2a01:4f8:262:48c2:1::3}
+  - {name: srv01, type: CNAME, rdata: srv02}
+  - {name: srv03, type: A,     rdata: 10.130.0.11}
+  - {name: srv03, type: AAAA,  rdata: 2001:67c:2d50::b}
+
+  - {name: srv04, type: A,    rdata: 10.130.0.13}
+  - {name: srv04, type: AAAA, rdata: 2001:67c:2d50::d}
+
+  - {name: blackbox01,    type: A,    rdata: 10.130.0.14}
+  - {name: blackbox01,    type: AAAA, rdata: 2001:67c:2d50::e}
+
+  - {name: blueberry,   type: A,    rdata: 10.130.0.101}
+  - {name: blueberry,   type: AAAA, rdata: 2001:67c:2d50::101}
+  - {name: strawberry,  type: A,    rdata: 10.130.0.102}
+  - {name: strawberry,  type: AAAA, rdata: 2001:67c:2d50::102}
+  - {name: srv03-tahoe, type: A,    rdata: 10.130.0.103}
+  - {name: srv03-tahoe, type: AAAA, rdata: 2001:67c:2d50::103}
+  - {name: dyndns,      type: A,    rdata: 10.130.0.104}
+  - {name: dyndns,      type: AAAA, rdata: 2001:67c:2d50::104}
+  - {name: mirror01,    type: A,    rdata: 10.130.0.105}
+  - {name: mirror01,    type: AAAA, rdata: 2001:67c:2d50::105}
+  - {name: docker01,    type: A,    rdata: 10.130.0.106}
+  - {name: docker01,    type: AAAA, rdata: 2001:67c:2d50::106}
+
+  - {name: holstentor,   type: AAAA, rdata: 2001:67c:2d50::ccaa}
+  - {name: holstentor,   type: A,    rdata: 10.130.0.253}
+  - {name: muehlentor,   type: AAAA, rdata: 2001:67c:2d50::ddaa}
+  - {name: muehlentor,   type: A,    rdata: 10.130.0.254}
+  - {name: kaisertor,    type: AAAA, rdata: 2001:67c:2d50::aaaa}
+  - {name: kaisertor,    type: A,    rdata: 10.130.0.255}
+  - {name: huextertor,   type: AAAA, rdata: 2001:67c:2d50::bbaa}
+  - {name: huextertor,   type: A,    rdata: 10.130.0.252}
+  - {name: 4.huextertor, type: A,    rdata: 10.130.0.252}
+  - {name: 4.muehlentor, type: A,    rdata: 10.130.0.254}
+  - {name: 4.holstentor, type: A,    rdata: 10.130.0.253}
+  - {name: 4.kaisertor,  type: A,    rdata: 10.130.0.255}
+  - {name: 6.holstentor, type: AAAA, rdata: 2001:67c:2d50::ccaa}
+  - {name: 6.muehlentor, type: AAAA, rdata: 2001:67c:2d50::ddaa}
+  - {name: 6.kaisertor,  type: AAAA, rdata: 2001:67c:2d50::aaaa}
+  - {name: 6.huextertor, type: AAAA, rdata: 2001:67c:2d50::bbaa}
+
+  # Test Gateway
+  - {name: wg01, type: A, rdata: 5.9.249.27}
+  - {name: wg01, type: AAAA, rdata: 2a01:4f8:172:1ba6:1::20}
+
+
+  # services
+  - {name: www,                type: CNAME, rdata: srv02}
+  - {name: map,                type: CNAME, rdata: srv02}
+  - {name: map2,               type: CNAME, rdata: srv02}
+  - {name: firmware,           type: CNAME, rdata: srv02}
+  - {name: mirror01.firmware,  type: CNAME, rdata: mirror01}
+  - {name: git,                type: CNAME, rdata: srv02}
+  - {name: wiki,               type: CNAME, rdata: srv02}
+  - {name: monitor,            type: CNAME, rdata: srv02}
+  - {name: status,             type: CNAME, rdata: srv02}
+  - {name: peertube,           type: CNAME, rdata: blueberry}
+  - {name: up,                 type: CNAME, rdata: blueberry}
+  - {name: yourservice,        type: NS,    rdata: srv02.luebeck.freifunk.net.}
+  - {name: backbone,           type: CNAME, rdata: srv02}
+  - {name: monitoring.net,     type: AAAA,  rdata: 2001:67c:2d50::f}
+  - {name: 1.introducer.tahoe, type: CNAME, rdata: srv04}
+  - {name: 2.introducer.tahoe, type: CNAME, rdata: srv03-tahoe}
+  - {name: anycastdns,         type: AAAA,  rdata: 2001:67c:2d50:1::a82:7fe0}
+  - {name: node,               type: A,     rdata: 10.130.0.1}
+  - {name: node,               type: AAAA,  rdata: fdef:ffc0:3dd7::1}
+  - {name: opkg.services,      type: CNAME, rdata: firmware}
--- a/host_vars/srv02.yml
+++ b/host_vars/srv02.yml
+ansible_ssh_host: srv02.luebeck.freifunk.net
--- a/hosts
+++ b/hosts
@@ -5,12 +5,15 @@ ansible_ssh_user=root
 [gateways]
 kaisertor
 huextertor
-holstentor
 muehlentor
 gw05

+[dns-auth]
+srv02
+huextertor
+
 [service_hosts]
-srv02 ansible_ssh_host=srv02.luebeck.freifunk.net
+srv02

 [blackboxes]
-blackbox ansible_ssh_host=blackbox.luebeck.freifunk.net
+blackbox01 ansible_ssh_host=blackbox01.ffhl.de
--- a/main.yml
+++ b/main.yml
+---
+
+- name: gateways
+  import_playbook: gateways.yml
+
+- name: dns
+  import_playbook: dns.yml
+
+- name: services
+  import_playbook: services.yml
+
+- name: blackboxes
+  import_playbook: blackboxes.yml
--- a/roles/base/handlers/main.yml
+++ b/roles/base/handlers/main.yml
 ---

 - name: reload sysctl
-  sysctl:
-    reload: true
+  command: sysctl -p

 - name: reload systemd
  systemd:

--- a/roles/ffhl_ns_auth/files/bind/named.conf.local
+++ b/roles/ffhl_ns_auth/files/bind/named.conf.local
-zone "luebeck.freifunk.net" IN {
-    type master;
-    file "ffhl/luebeck.freifunk.net.zone";
-};
-
-zone "ffhl.de" IN {
+zone "ffhl" IN {
    type master;
-    file "ffhl/ffhl.de.zone";
+    file "ffhl/ffhl.db";
 };

-zone "ffdyn.net" IN {
+zone "luebeck.freifunk.net" IN {
    type master;
-    file "ffhl/ffdyn.net.zone";
+    file "ffhl/luebeck.freifunk.net.db";
 };

-zone "ffhl" IN {
+zone "ffhl.de" IN {
    type master;
-    file "ffhl/ffhl.zone";
+    file "ffhl/ffhl.de.db";
 };

 zone "nodes.ffhl.de" {
    type master;
-    file "nodes.zone";
+    file "ffhl/nodes.ffhl.de.db";
    allow-update {
        127.0.0.1 ;
        ::1 ;

--- a/roles/ffhl_ns_auth/files/bind/named.conf.options
+++ b/roles/ffhl_ns_auth/files/bind/named.conf.options
@@ -2,14 +2,21 @@ options {
    directory "/var/cache/bind";
    dnssec-validation auto;
    allow-transfer { none; };
+    allow-update { none; };
+    version none;
+    hostname none;
+    server-id none;
+    empty-zones-enable yes;
+    zone-statistics yes;
+
+    listen-on port 5300 { 127.0.0.1; };
+    listen-on-v6 port 5300 { ::1; };
+

    // forwarders {
    //      0.0.0.0;
    // };

-    listen-on port 5300 { 127.0.0.1; };
-    listen-on-v6 port 5300 { ::1; };
-
    allow-recursion {
        10.130.0.0/16;
        2001:67c:2d50::/48;
@@ -17,3 +24,8 @@ options {
        fe80::/64;
    };
 };
+
+
+statistics-channels {
+    inet 127.0.0.1 port 8053 allow { 127.0.0.1; };
+};
--- a/roles/ffhl_ns_auth/handlers/main.yml
+++ b/roles/ffhl_ns_auth/handlers/main.yml
@@ -4,17 +4,13 @@
  systemd:
    daemon_reload: yes

- name: mirror zones
-  systemd:
-    state: restarted
-    name: update-ffhl-dns.service
+- name: freeze zones
+  command: rndc freeze

 - name: restart bind
  systemd:
    state: restarted
    name: bind9.service

- name: reload zones
-  systemd:
-    state: reload
-    name: bind9.service
+- name: thaw zones
+  command: rndc thaw
--- a/roles/dns_auth/tasks/main.yml
+++ b/roles/dns_auth/tasks/main.yml
+---
+
+# cleanup older roles
+
+- name: remove incompatible packages
+  tags: [dns, bind]
+  apt:
+    state: absent
+    name:
+      - pdns-server
+      - pdns-backend-bind
+
+
+- name: remove old dns update service
+  notify: reload systemd
+  file:
+    state: absent
+    path: /etc/systemd/system/{{ item }}
+  loop:
+    - update-ffhl-dns.service
+    - update-ffhl-dns.timer
+
+
+# setup
+
+- name: install packages
+  tags: [dns, bind]
+  apt:
+    state: present
+    name:
+      - bind9
+
+- name: copy bind configs
+  copy:
+    src: bind/{{ item }}
+    dest: /etc/bind
+  loop:
+    - named.conf.local
+    - named.conf.options
+
+- name: create zones directory
+  file:
+    state: directory
+    path: /var/cache/bind/ffhl
+    owner: bind
+    group: bind
+
+# weird jinja2 filters so we can use with_glob
+- name: generate zones
+  notify:
+    - freeze zones
+    - restart bind
+    - thaw zones
+  template:
+    src: "zones/{{ item | basename }}"
+    dest: /var/cache/bind/ffhl/{{ item | basename | regex_replace('^(.*)\.j2$', '\1') }}
+  with_fileglob:
+    - "../templates/zones/*"
--- a/roles/dns_auth/templates/zones/ffhl.db.j2
+++ b/roles/dns_auth/templates/zones/ffhl.db.j2
+$ORIGIN ffhl.
+$TTL 10m
+ffhl.  IN  SOA  srv02.ffhl. info.luebeck.freifunk.net. (
+              {{ ansible_date_time.epoch }} ; serial number of this zone file
+              1h         ; slave refresh
+              3m         ; slave retry time in case of a problem
+              1h         ; slave expiration time
+              1m         ; negative cache
+              )
+
+@ IN NS ns1.ffhl.
+  IN NS ns2.ffhl.
+
+$INCLUDE ffhl/zones.common.db
--- a/roles/dns_auth/templates/zones/ffhl.de.db.j2
+++ b/roles/dns_auth/templates/zones/ffhl.de.db.j2
+$ORIGIN ffhl.de.
+$TTL 300
+ffhl.de. IN SOA ns1.luebeck.freifunk.net. maschinenraum.luebeck.freifunk.net. (
+                {{ ansible_date_time.epoch }} ; serial number of this zone file
+                1h         ; slave refresh
+                15m        ; slave retry time in case of a problem
+                30d        ; slave expiration time
+                3m         ; negative cache
+                )
+
+@ NS ns1.ffhl.de.
+  NS ns2.ffhl.de.
+
+$INCLUDE ffhl/zones.common.db
--- a/roles/dns_auth/templates/zones/luebeck.freifunk.net.db.j2
+++ b/roles/dns_auth/templates/zones/luebeck.freifunk.net.db.j2
+$ORIGIN luebeck.freifunk.net.
+$TTL 300
+luebeck.freifunk.net.   IN  SOA     ns1.luebeck.freifunk.net. maschinenraum.luebeck.freifunk.net. (
+                        {{ ansible_date_time.epoch }} ; serial number of this zone file
+                        1h         ; slave refresh
+                        15m        ; slave retry time in case of a problem
+                        30d        ; slave expiration time
+                        3m         ; negative cache
+                        )
+
+@                       IN  NS    ns1.luebeck.freifunk.net.
+                        IN  NS    ns2.luebeck.freifunk.net.
+                        IN  MX    20 mail.chaotikum.net.
+
+$INCLUDE ffhl/zones.common.db
--- a/roles/dns_auth/templates/zones/nodes.ffhl.de.db.j2
+++ b/roles/dns_auth/templates/zones/nodes.ffhl.de.db.j2
+$ORIGIN nodes.ffhl.de.
+$TTL 300
+nodes.ffhl.de. IN SOA  ns1.luebeck.freifunk.net. info.luebeck.freifunk.net. (
+                      2016062805 ; serial
+                      3600       ; refresh (5 min)
+                      60         ; retry
+                      604800     ; expire (43 minutes 20 seconds)
+                      180        ; minimum (30 seconds)
+                      )
+@ NS      ns1.ffhl.de.
+  NS      ns2.ffhl.de.
+
+test AAAA 2001:67c:2d50::aaaa
--- a/roles/dns_auth/templates/zones/zones.common.db.j2
+++ b/roles/dns_auth/templates/zones/zones.common.db.j2
+
+{% for record in records %}
+{{ record.name }} IN {{ record.type }} {{ record.rdata }}
+{% endfor %}
--- a/roles/ffhl_nameserver/files/dnsdist/dnsdist.conf
+++ b/roles/ffhl_nameserver/files/dnsdist/dnsdist.conf
@@ -23,14 +23,16 @@ recursive_ips:addMask('::1/128')
 our_domains = newSuffixMatchNode()
 our_domains:add(newDNSName("luebeck.freifunk.net"))
 our_domains:add(newDNSName("ffhl.de"))
-our_domains:add(newDNSName("ffhl"))


-addAction("ffdyn.net.",                     PoolAction('ffdyndns'))
+-- always recurse for clients inside ffhl-network
+addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))
+-- forward to dyndns nameserver
+addAction("ffdyn.net.", PoolAction('ffdyndns'))
+-- if request is for one of our domains answer with auth
 addAction(SuffixMatchNodeRule(our_domains), PoolAction('auth'))
-addAction(NetmaskGroupRule(recursive_ips),  PoolAction('recursor'))
 -- default action is to do nothing
-addAction(AllRule(),                        NoneAction())
+addAction(AllRule(), NoneAction())

 -- disable security status
 setSecurityPollSuffix("")
--- a/roles/ffhl_nameserver/files/powerdns/recursor.conf
+++ b/roles/ffhl_nameserver/files/powerdns/recursor.conf
@@ -2,7 +2,7 @@
 config-dir=/etc/powerdns
 include-dir=/etc/powerdns/recursor.d
 lua-config-file=/etc/powerdns/recursor.lua
-quiet=yes
+quiet=no
 loglevel=5
 security-poll-suffix=
 hint-file=/usr/share/dns/root.hints
@@ -12,4 +12,3 @@ webserver-allow-from=10.130.0.10/32
 local-port=5301
 local-address=127.0.0.1 ::1
 allow-from=127.0.0.1/32, ::1/128
-forward-zones-file=/etc/powerdns/forward-zones.conf