gateways now function as authoritive dns servers

commit 1da376e2 Author: Paul Maruhn <paulmaruhn@posteo.de> Date: Fri Jan 1 05:33:21 2021 +0100 add pdns-server to gateways commit ce6f3075 Author: Paul Maruhn <paulmaruhn@posteo.de> Date: Fri Jan 1 05:32:11 2021 +0100 introduce new variable

gateways now function as authoritive dns servers
d2732b8b · Paul · eb584f4c · d2732b8b · d2732b8b · d2732b8b
Unverified Commit d2732b8b authored 4 years ago by Paul
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -5,3 +5,6 @@ dhcpd_subnet: 10.130.0.0
 dhcpd_netmask: 255.255.0.0
 ipv4_subnet: 10.130.0.0/16
 ipv6_subnet: 2001:67c:2d50::/48
+
+# Some other configs:
+dns_repo_url: "https://git.luebeck.freifunk.net/FreifunkLuebeck/ffhl-dns.git"
--- a/roles/base/files/etc/systemd/system/update-ffhl-dns.service
+++ b/roles/base/files/etc/systemd/system/update-ffhl-dns.service
 [Service]
 Type=oneshot
-WorkingDirectory=/var/cache/bind/ffhl
+WorkingDirectory=/var/local/ffhl-dns
 ExecStart=/usr/bin/git pull
--- a/roles/base/files/powerdns/bind.conf
+++ b/roles/base/files/powerdns/bind.conf
+# Debian default: supermaster created zones are written here:
+options {
+    directory "/var/local/ffhl-dns";
+    allow-transfer { none; };
+};
+
+zone "luebeck.freifunk.net" IN {
+    type master;
+    file "luebeck.freifunk.net.zone";
+};
+
+zone "ffhl.de" IN {
+    type master;
+    file "ffhl.de.zone";
+};
+
+zone "ffhl" IN {
+    type master;
+    file "ffhl.zone";
+};
--- a/roles/base/files/powerdns/forward-zones.conf
+++ b/roles/base/files/powerdns/forward-zones.conf
+ffhl.=[::1]:5300
+ffhl.de.=[::1]:5300
+luebeck.freifunk.net.=[::1]:5300
+.=1.1.1.1
--- a/roles/base/files/powerdns/pdns.conf
+++ b/roles/base/files/powerdns/pdns.conf
+config-dir=/etc/powerdns
+include-dir=/etc/powerdns/pdns.d
+loglevel=4
+security-poll-suffix=
+setgid=pdns
+setuid=pdns
+webserver=yes
+launch=bind
+
+
+webserver-address=127.0.0.1
+webserver-port=8081
+webserver-allow-from=0.0.0.0/0,::/0
+
+local-address=127.0.0.1
+local-address-nonexist-fail=yes
+local-ipv6=::1
+local-ipv6-nonexist-fail=yes
+local-port=5300
+log-dns-queries=no
+
+
+# Bind backend configuration
+bind-check-interval=300
+bind-config=/etc/powerdns/bind.conf
--- a/roles/base/files/powerdns/recursor.conf
+++ b/roles/base/files/powerdns/recursor.conf
 # Take a look at https://doc.powerdns.com/recursor/settings.html
-
-#################################
-# allow-from	If set, only allow these comma separated netmasks to recurse
-#
-allow-from=127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10, 2001:67c:2d50::/48
-
-#################################
-# config-dir	Location of configuration directory (recursor.conf)
-#
 config-dir=/etc/powerdns
-
-#################################
-# forward-zones-recurse	Zones for which we forward queries with recursion bit, comma separated domain=ip pairs
-#
-forward-zones-recurse=ffhl.=10.130.0.10, .=1.1.1.1
-
-#################################
-# hint-file	If set, load root hints from this file
-#
-# hint-file=
-hint-file=/usr/share/dns/root.hints
-
-#################################
-# include-dir	Include *.conf files from this directory
-#
-# include-dir=
 include-dir=/etc/powerdns/recursor.d
-
-#################################
-# local-address	IP addresses to listen on, separated by spaces or commas. Also accepts ports.
-#
-local-address=0.0.0.0 ::
-
-#################################
-# lua-config-file	More powerful configuration options
-#
 lua-config-file=/etc/powerdns/recursor.lua
-
-
-#################################
-# quiet	Suppress logging of questions and answers
-#
-quiet=yes
-
-#################################
-# security-poll-suffix	Domain name from which to query security update notifications
-#
-# security-poll-suffix=secpoll.powerdns.com.
+quiet=no
+loglevel=5
 security-poll-suffix=
-
-#################################
-# webserver	Start a webserver (for REST API)
-#
+hint-file=/usr/share/dns/root.hints
 webserver=yes
-
-#################################
-# webserver-address	IP Address of webserver to listen on
-#
 webserver-address=0.0.0.0
-
-#################################
-# webserver-allow-from	Webserver access is only allowed from these subnets
-#
 webserver-allow-from=10.130.0.10/32
+
+local-address=0.0.0.0 ::
+# allow-from=127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10, 2001:67c:2d50::/48
+allow-from=0.0.0.0/0, ::/0
+forward-zones-file=/etc/powerdns/forward-zones.conf
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
 ---

 - name: copy base configs
-  tags: [base, etc, apt]
+  tags: [base, etc, apt, powerdns]
  copy: src=etc/ dest=/etc

 - name: install packages
  include: software.yml
-  tags: [base, apt]
+  tags: [base, apt, software]

 # configurations and stuff
 - name: set local timezone

--- a/roles/base/tasks/powerdns.yml
+++ b/roles/base/tasks/powerdns.yml
 ---
- name: copy base configs
+
+
+- name: copy powerdns configs
  copy:
    src: powerdns
    dest: /etc/

+- name: clone dns-repo
+  git:
+    repo: "{{ dns_repo_url }}"
+    dest: /var/local/ffhl-dns
+    accept_hostkey: yes
+
+- name: remove default bind-backend config
+  file:
+    path: /etc/powerdns/pdns.d/bind.conf
+    state: absent
+
 - name: restart powerdns
  systemd:
+    daemon_reload: yes
+    enabled: yes
    state: restarted
-    name: pdns-recursor.service
+    name: "{{ item }}"
+  with_items:
+    - pdns-recursor.service
+    - pdns.service
+    - update-ffhl-dns.timer
--- a/roles/base/tasks/software.yml
+++ b/roles/base/tasks/software.yml
@@ -27,6 +27,8 @@
      - isc-dhcp-server
      - openssh-server
      - pdns-recursor
+      - pdns-server
+      - pdns-backend-bind
      - prometheus-node-exporter
      - python-apt
      - radvd