Commit 82e793ff authored by Paul

refactor roles

parent dbe418a1
Pipeline #5340 passed with stage
in 1 minute and 56 seconds
[defaults]
inventory=hosts.yml
inventory=hosts
vault_password_file=vault-password.txt
[ssh_connection]
......
- hosts: blackboxes
become: true
roles:
- ffhl_access
- role: blackbox
tags: [blackbox, monitoring]
- hosts: dns-auth
become: true
roles:
- role: dns_common
tage: [dns_common, dns]
- role: dns_auth
tags: [dns_auth, dns]
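Review bot: `tage: [dns_common, dns]` on the dns_common role entry of the `- hosts: dns-auth` play is a typo for `tags`; Ansible does not reject unknown keys in a role entry but passes them to the role as variables, so this entry carries no tags at all and a run with `--tags dns` or `--tags dns_common` silently skips dns_common on the auth hosts while the dns_auth entry next to it runs. Change the line to `tags: [dns_common, dns]`. A quick `ansible-playbook dns.yml --list-tags` would have shown the missing tag.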
......@@ -2,8 +2,8 @@
- hosts: gateways:!holstentor
become: true
roles:
- role: prepare_ansible
tags: [prepare_ansible]
# - role: prepare_ansible
# tags: [prepare_ansible]
- role: ffhl_access
tags: [ffhl_access]
- role: base
......@@ -16,27 +16,11 @@
tags: [peering]
- role: meshvpn
tags: [meshvpn]
- role: ffhl_nameserver
tags: [ffhl_nameserver, nameserver]
- role: dns_common
tags: [dns_common, nameserver]
# - hosts: kaisertor
# become: true
# roles:
# - icvpn
- hosts: srv02
become: true
roles:
- ffhl_access
- services
- role: ffhl_ns_auth
tags: [nameserver, nsauth]
- hosts: blackboxes
become: true
roles:
- ffhl_access
- role: blackbox
tags: [blackbox, monitoring]
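Review bot: The dns_common role keeps the `nameserver` tag on the gateways (`tags: [dns_common, nameserver]`) while the dns-auth play added in this commit tags the same role `[dns_common, dns]`, so `ansible-playbook site.yml --tags dns` reconfigures the auth servers but leaves the gateway resolvers untouched; use one tag set for the role in both plays, e.g. `tags: [dns_common, dns, nameserver]` if the old tag must stay usable. In the first hunk the prepare_ansible entry is commented out rather than removed; a commented-out role in a roles list is dead configuration that git history already preserves, and the two `# - role: prepare_ansible` lines should go. The play these hunks belong to (`- hosts: gateways:!holstentor`) starts in the first hunk and the second hunk begins in the middle of its roles list.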
records:
- {name: "@", type: A, rdata: 5.9.249.24}
- {name: "@", type: AAAA, rdata: 2a01:4f8:262:48c2:1::3}
# nameserver
- {name: ns1, type: A, rdata: 5.9.249.24}
- {name: ns1, type: AAAA, rdata: 2a01:4f8:262:48c2:1::3}
- {name: ns2, type: A, rdata: 185.163.119.235}
- {name: ns2, type: AAAA, rdata: 2a03:4000:3b:53c:a4d4:5dff:fee7:d0e0}
- {name: nodes, type: NS, rdata: ns1}
- {name: nodes, type: NS, rdata: ns2}
# servers
- {name: srv02, type: A, rdata: 5.9.249.24}
- {name: srv02, type: AAAA, rdata: 2a01:4f8:262:48c2:1::3}
- {name: srv01, type: CNAME, rdata: srv02}
- {name: srv03, type: A, rdata: 10.130.0.11}
- {name: srv03, type: AAAA, rdata: 2001:67c:2d50::b}
- {name: srv04, type: A, rdata: 10.130.0.13}
- {name: srv04, type: AAAA, rdata: 2001:67c:2d50::d}
- {name: blackbox01, type: A, rdata: 10.130.0.14}
- {name: blackbox01, type: AAAA, rdata: 2001:67c:2d50::e}
- {name: blueberry, type: A, rdata: 10.130.0.101}
- {name: blueberry, type: AAAA, rdata: 2001:67c:2d50::101}
- {name: strawberry, type: A, rdata: 10.130.0.102}
- {name: strawberry, type: AAAA, rdata: 2001:67c:2d50::102}
- {name: srv03-tahoe, type: A, rdata: 10.130.0.103}
- {name: srv03-tahoe, type: AAAA, rdata: 2001:67c:2d50::103}
- {name: dyndns, type: A, rdata: 10.130.0.104}
- {name: dyndns, type: AAAA, rdata: 2001:67c:2d50::104}
- {name: mirror01, type: A, rdata: 10.130.0.105}
- {name: mirror01, type: AAAA, rdata: 2001:67c:2d50::105}
- {name: docker01, type: A, rdata: 10.130.0.106}
- {name: docker01, type: AAAA, rdata: 2001:67c:2d50::106}
- {name: holstentor, type: AAAA, rdata: 2001:67c:2d50::ccaa}
- {name: holstentor, type: A, rdata: 10.130.0.253}
- {name: muehlentor, type: AAAA, rdata: 2001:67c:2d50::ddaa}
- {name: muehlentor, type: A, rdata: 10.130.0.254}
- {name: kaisertor, type: AAAA, rdata: 2001:67c:2d50::aaaa}
- {name: kaisertor, type: A, rdata: 10.130.0.255}
- {name: huextertor, type: AAAA, rdata: 2001:67c:2d50::bbaa}
- {name: huextertor, type: A, rdata: 10.130.0.252}
- {name: 4.huextertor, type: A, rdata: 10.130.0.252}
- {name: 4.muehlentor, type: A, rdata: 10.130.0.254}
- {name: 4.holstentor, type: A, rdata: 10.130.0.253}
- {name: 4.kaisertor, type: A, rdata: 10.130.0.255}
- {name: 6.holstentor, type: AAAA, rdata: 2001:67c:2d50::ccaa}
- {name: 6.muehlentor, type: AAAA, rdata: 2001:67c:2d50::ddaa}
- {name: 6.kaisertor, type: AAAA, rdata: 2001:67c:2d50::aaaa}
- {name: 6.huextertor, type: AAAA, rdata: 2001:67c:2d50::bbaa}
# Test Gateway
- {name: wg01, type: A, rdata: 5.9.249.27}
- {name: wg01, type: AAAA, rdata: 2a01:4f8:172:1ba6:1::20}
# services
- {name: www, type: CNAME, rdata: srv02}
- {name: map, type: CNAME, rdata: srv02}
- {name: map2, type: CNAME, rdata: srv02}
- {name: firmware, type: CNAME, rdata: srv02}
- {name: mirror01.firmware, type: CNAME, rdata: mirror01}
- {name: git, type: CNAME, rdata: srv02}
- {name: wiki, type: CNAME, rdata: srv02}
- {name: monitor, type: CNAME, rdata: srv02}
- {name: status, type: CNAME, rdata: srv02}
- {name: peertube, type: CNAME, rdata: blueberry}
- {name: up, type: CNAME, rdata: blueberry}
- {name: yourservice, type: NS, rdata: srv02.luebeck.freifunk.net.}
- {name: backbone, type: CNAME, rdata: srv02}
- {name: monitoring.net, type: AAAA, rdata: 2001:67c:2d50::f}
- {name: 1.introducer.tahoe, type: CNAME, rdata: srv04}
- {name: 2.introducer.tahoe, type: CNAME, rdata: srv03-tahoe}
- {name: anycastdns, type: AAAA, rdata: 2001:67c:2d50:1::a82:7fe0}
- {name: node, type: A, rdata: 10.130.0.1}
- {name: node, type: AAAA, rdata: fdef:ffc0:3dd7::1}
- {name: opkg.services, type: CNAME, rdata: firmware}
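Review bot: The `{name: nodes, type: NS, rdata: ns1}` / `ns2` entries are rendered through zones.common.db into every zone that includes it, so besides nodes.ffhl.de they also delegate nodes.ffhl and nodes.luebeck.freifunk.net to the ns1/ns2 of those zones, yet named.conf.local in this commit only defines a `nodes.ffhl.de` zone; unless those two child zones are served somewhere not in this diff, the delegation points at a server that is not authoritative for them. The `yourservice` NS entry has the same shape and delegates yourservice under all three suffixes to srv02. Keep per-zone delegations out of the shared list (for example a separate `records_delegations:` list, name constructed here, rendered only into the zone that owns them) or add the matching zone statements so the delegations resolve.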
ansible_ssh_host: srv02.luebeck.freifunk.net
......@@ -5,12 +5,15 @@ ansible_ssh_user=root
[gateways]
kaisertor
huextertor
holstentor
muehlentor
gw05
[dns-auth]
srv02
huextertor
[service_hosts]
srv02 ansible_ssh_host=srv02.luebeck.freifunk.net
srv02
[blackboxes]
blackbox ansible_ssh_host=blackbox.luebeck.freifunk.net
blackbox01 ansible_ssh_host=blackbox01.ffhl.de
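Review bot: The new group `[dns-auth]` has a hyphen in its name; since Ansible 2.8 that produces an "invalid characters in group names" deprecation warning and, depending on the `TRANSFORM_INVALID_GROUP_CHARS` setting, the group is rewritten to `dns_auth`, which would no longer match `hosts: dns-auth` in the dns playbook. Use `[dns_auth]` here and `hosts: dns_auth` in the play, which also matches the role name. `ansible_ssh_host` (on the blackbox01 line and in the new one-line host_vars file `ansible_ssh_host: srv02.luebeck.freifunk.net`) is the pre-2.0 spelling of `ansible_host`; new inventory should use the current name so the variable survives the eventual removal of the alias.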
---
- name: gateways
import_playbook: gateways.yml
- name: dns
import_playbook: dns.yml
- name: services
import_playbook: services.yml
- name: blackboxes
import_playbook: blackboxes.yml
---
- name: reload sysctl
sysctl:
reload: true
command: sysctl -p
- name: reload systemd
systemd:
......
zone "luebeck.freifunk.net" IN {
type master;
file "ffhl/luebeck.freifunk.net.zone";
};
zone "ffhl.de" IN {
zone "ffhl" IN {
type master;
file "ffhl/ffhl.de.zone";
file "ffhl/ffhl.db";
};
zone "ffdyn.net" IN {
zone "luebeck.freifunk.net" IN {
type master;
file "ffhl/ffdyn.net.zone";
file "ffhl/luebeck.freifunk.net.db";
};
zone "ffhl" IN {
zone "ffhl.de" IN {
type master;
file "ffhl/ffhl.zone";
file "ffhl/ffhl.de.db";
};
zone "nodes.ffhl.de" {
type master;
file "nodes.zone";
file "ffhl/nodes.ffhl.de.db";
allow-update {
127.0.0.1 ;
::1 ;
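Review bot: `allow-update` on zone nodes.ffhl.de is an address ACL (`127.0.0.1 ;` and `::1 ;` are the entries visible here; the list continues past this hunk), but named.conf.options in this commit binds named to 127.0.0.1/::1 port 5300 behind dnsdist, so every message dnsdist routes to the auth pool arrives from loopback and satisfies the ACL regardless of the real client, and dnsdist forwards UPDATE messages like any other unless a rule filters on opcode. If the hidden part of the list holds no `key` entry, authorise updates with a TSIG key instead (`allow-update { key "<updater-key-name>"; };`, placeholder name) or enforce the client-address check in dnsdist, where the source address is still known. The rest of the nodes.ffhl.de zone statement lies outside this hunk.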
......
......@@ -2,14 +2,21 @@ options {
directory "/var/cache/bind";
dnssec-validation auto;
allow-transfer { none; };
allow-update { none; };
version none;
hostname none;
server-id none;
empty-zones-enable yes;
zone-statistics yes;
listen-on port 5300 { 127.0.0.1; };
listen-on-v6 port 5300 { ::1; };
// forwarders {
// 0.0.0.0;
// };
listen-on port 5300 { 127.0.0.1; };
listen-on-v6 port 5300 { ::1; };
allow-recursion {
10.130.0.0/16;
2001:67c:2d50::/48;
......@@ -17,3 +24,8 @@ options {
fe80::/64;
};
};
statistics-channels {
inet 127.0.0.1 port 8053 allow { 127.0.0.1; };
};
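Review bot: `allow-recursion` with internal prefixes (`10.130.0.0/16;`, `2001:67c:2d50::/48;`, …, `fe80::/64;`) no longer describes the real clients: with `listen-on port 5300 { 127.0.0.1; };` and its v6 counterpart named only ever sees dnsdist on loopback, so the ACL either matches nobody (if loopback is absent from the part of the list hidden between the two hunks) or matches every query dnsdist forwards. For an authoritative-only instance sitting next to the new `allow-transfer { none; };` and `allow-update { none; };` the clearer setting is `recursion no;`, which makes the intent explicit and drops the ACL; if recursion through named is still wanted, the client-address check has to live in dnsdist. The `options {` block these hunks belong to starts before the first hunk; the loopback-only `statistics-channels` block added at the end is fine as written.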
......@@ -4,17 +4,13 @@
systemd:
daemon_reload: yes
- name: mirror zones
systemd:
state: restarted
name: update-ffhl-dns.service
- name: freeze zones
command: rndc freeze
- name: restart bind
systemd:
state: restarted
name: bind9.service
- name: reload zones
systemd:
state: reload
name: bind9.service
- name: thaw zones
command: rndc thaw
---
# cleanup older roles
- name: remove incompatible packages
tags: [dns, bind]
apt:
state: absent
name:
- pdns-server
- pdns-backend-bind
- name: remove old dns update service
notify: reload systemd
file:
state: absent
path: /etc/systemd/system/{{ item }}
loop:
- update-ffhl-dns.service
- update-ffhl-dns.timer
# setup
- name: install packages
tags: [dns, bind]
apt:
state: present
name:
- bind9
- name: copy bind configs
copy:
src: bind/{{ item }}
dest: /etc/bind
loop:
- named.conf.local
- named.conf.options
- name: create zones directory
file:
state: directory
path: /var/cache/bind/ffhl
owner: bind
group: bind
# weird jinja2 filters so we can use with_glob
- name: generate zones
notify:
- freeze zones
- restart bind
- thaw zones
template:
src: "zones/{{ item | basename }}"
dest: /var/cache/bind/ffhl/{{ item | basename | regex_replace('^(.*)\.j2$', '\1') }}
with_fileglob:
- "../templates/zones/*"
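Review bot: The `copy bind configs` task has no `notify`, so a changed named.conf.options or named.conf.local — including the `allow-transfer { none; }` / `version none` hardening this commit introduces — is written to /etc/bind but not applied until something else restarts named; add `notify: restart bind` to that task, the handler the generate-zones task already uses. The `remove old dns update service` task deletes the unit files while `update-ffhl-dns.timer` may still be active, leaving a running unit without a file after daemon-reload; stop and disable the timer with the systemd module before the `file: state: absent` step. Neither the directory task nor the template task sets `mode`, so zone-file permissions follow the umask of the Ansible user; `mode: "0644"` on the template and `mode: "0755"` on the directory makes them explicit.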
$ORIGIN ffhl.
$TTL 10m
ffhl. IN SOA srv02.ffhl. info.luebeck.freifunk.net. (
{{ ansible_date_time.epoch }} ; serial number of this zone file
1h ; slave refresh
3m ; slave retry time in case of a problem
1h ; slave expiration time
1m ; negative cache
)
@ IN NS ns1.ffhl.
IN NS ns2.ffhl.
$INCLUDE ffhl/zones.common.db
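Review bot: The SOA for `ffhl.` sets expire (`1h ; slave expiration time`) equal to refresh (`1h ; slave refresh`), so a secondary that misses a single refresh — for instance while this host is being re-provisioned — drops the zone immediately instead of serving it stale; RFC 1912 suggests an expire of 2–4 weeks, and the ffhl.de and luebeck.freifunk.net templates in this commit already use `30d`. Change the line to `30d ; slave expiration time`, or at least to a large multiple of refresh. The SOA MNAME `srv02.ffhl.` is also not one of the listed NS (`ns1.ffhl.`, `ns2.ffhl.`); that is only correct if srv02 really is the primary that NOTIFY and updates should target.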
$ORIGIN ffhl.de.
$TTL 300
ffhl.de. IN SOA ns1.luebeck.freifunk.net. maschinenraum.luebeck.freifunk.net. (
{{ ansible_date_time.epoch }} ; serial number of this zone file
1h ; slave refresh
15m ; slave retry time in case of a problem
30d ; slave expiration time
3m ; negative cache
)
@ NS ns1.ffhl.de.
NS ns2.ffhl.de.
$INCLUDE ffhl/zones.common.db
$ORIGIN luebeck.freifunk.net.
$TTL 300
luebeck.freifunk.net. IN SOA ns1.luebeck.freifunk.net. maschinenraum.luebeck.freifunk.net. (
{{ ansible_date_time.epoch }} ; serial number of this zone file
1h ; slave refresh
15m ; slave retry time in case of a problem
30d ; slave expiration time
3m ; negative cache
)
@ IN NS ns1.luebeck.freifunk.net.
IN NS ns2.luebeck.freifunk.net.
IN MX 20 mail.chaotikum.net.
$INCLUDE ffhl/zones.common.db
$ORIGIN nodes.ffhl.de.
$TTL 300
nodes.ffhl.de. IN SOA ns1.luebeck.freifunk.net. info.luebeck.freifunk.net. (
2016062805 ; serial
3600 ; refresh (5 min)
60 ; retry
604800 ; expire (43 minutes 20 seconds)
180 ; minimum (30 seconds)
)
@ NS ns1.ffhl.de.
NS ns2.ffhl.de.
test AAAA 2001:67c:2d50::aaaa
{% for record in records %}
{{ record.name }} IN {{ record.type }} {{ record.rdata }}
{% endfor %}
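Review bot: The nodes.ffhl.de template hard-codes `2016062805 ; serial` while the other three zone templates use `{{ ansible_date_time.epoch }}`; named.conf.local marks this zone `allow-update`, and in a dynamically updated zone named raises the serial itself, so every playbook run that re-templates the file resets the serial below what named and any secondaries have seen and the regenerated zone is not picked up — use the epoch here too, or keep a dynamic zone's file out of the template glob altogether. The timing comments also contradict the values: `3600 ; refresh (5 min)`, `604800 ; expire (43 minutes 20 seconds)` and `180 ; minimum (30 seconds)` are one hour, seven days and three minutes, and the `test AAAA 2001:67c:2d50::aaaa` record reads like a leftover. File headers are not shown, so the trailing `{% for record in records %}` loop is presumably the start of zones.common.db.j2 rather than part of this file; if it does belong here, the shared records (`@`, `www`, …) are rendered into the nodes zone as well.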
......@@ -23,14 +23,16 @@ recursive_ips:addMask('::1/128')
our_domains = newSuffixMatchNode()
our_domains:add(newDNSName("luebeck.freifunk.net"))
our_domains:add(newDNSName("ffhl.de"))
our_domains:add(newDNSName("ffhl"))
addAction("ffdyn.net.", PoolAction('ffdyndns'))
-- always recurse for clients inside ffhl-network
addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))
-- forward to dyndns nameserver
addAction("ffdyn.net.", PoolAction('ffdyndns'))
-- if request is for one of our domains answer with auth
addAction(SuffixMatchNodeRule(our_domains), PoolAction('auth'))
addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))
-- default action is to do nothing
addAction(AllRule(), NoneAction())
addAction(AllRule(), NoneAction())
-- disable security status
setSecurityPollSuffix("")
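Review bot: Taking the commented order as the new one (`-- always recurse for clients inside ffhl-network` with `addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))` ahead of the SuffixMatchNodeRule rule), clients inside the listed prefixes never reach the auth pool for our own names, including the private suffix `ffhl` this hunk adds to our_domains, and get whatever the recursor resolves. The recursor.conf hunk in the same commit drops `forward-zones-file=/etc/powerdns/forward-zones.conf`, so unless forwarding for luebeck.freifunk.net, ffhl.de and ffhl is configured elsewhere, the recursor walks the public tree and `ffhl` becomes unresolvable for exactly the internal clients it is meant for. Either keep the suffix rule before the netmask rule, or restore forward zones in the recursor that point the local suffixes at the auth pool. `setSecurityPollSuffix("")` switches off the upstream security-status poll, so version advisories for dnsdist no longer appear in the log; if that is deliberate, say so in the comment above it.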
......@@ -2,7 +2,7 @@
config-dir=/etc/powerdns
include-dir=/etc/powerdns/recursor.d
lua-config-file=/etc/powerdns/recursor.lua
quiet=yes
quiet=no
loglevel=5
security-poll-suffix=
hint-file=/usr/share/dns/root.hints
......@@ -12,4 +12,3 @@ webserver-allow-from=10.130.0.10/32
local-port=5301
local-address=127.0.0.1 ::1
allow-from=127.0.0.1/32, ::1/128
forward-zones-file=/etc/powerdns/forward-zones.conf
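Review bot: If `quiet=no` is the new value (the hunk prints `quiet=yes` before `quiet=no`), the recursor logs every query at `loglevel=5`; on a production resolver that records client address and queried name for all users in syslog/journal, a data-retention concern for a community network as well as a disk-volume one. Keep `quiet=yes` for normal operation and raise logging only for a debugging session. The `security-poll-suffix=` context line shows security polling was already disabled here, so upgrade advisories for the recursor are not logged either.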