space_server: generate DNS, mDNS and dhcp entries

..from the same variables

3 files changed, 343 insertions, 0 deletions

diff --git a/roles/space_server/templates/avahi/hosts.j2 b/roles/space_server/templates/avahi/hosts.j2
new file mode 100644
index 0000000..f87ad4b
--- /dev/null
+++ b/roles/space_server/templates/avahi/hosts.j2
@@ -0,0 +1,14 @@
+{% for host in local_hosts %}
+{%   if 'mdns' not in host or host.mdns %}
+{%     for ip in host.ips | ipv4 %}
+{%       if loop.index <= 1 %}
+{{ ip }} {{ host.name }}.local
+{%       endif %}
+{%     endfor %}
+{%     for ip in host.ips | ipv6 %}
+{%       if loop.index <= 1 %}
+{{ ip }} {{ host.name }}.local
+{%       endif %}
+{%     endfor %}
+{%   endif %}
+{% endfor %}
diff --git a/roles/space_server/templates/dhcpd/dhcpd.conf.j2 b/roles/space_server/templates/dhcpd/dhcpd.conf.j2
new file mode 100644
index 0000000..1b832e1
--- /dev/null
+++ b/roles/space_server/templates/dhcpd/dhcpd.conf.j2
@@ -0,0 +1,203 @@
+#
+# DHCP Server Configuration file.
+#   see /usr/share/doc/dhcp/dhcpd.conf.example
+#   see dhcpd.conf(5) man page
+#
+
+# The ddns-updates-style parameter controls whether or not the server will
+# attempt to do a DNS update when a lease is confirmed. We default to the
+# behavior of the version 2 packages ('none', since DHCP v2 didn't
+# have support for DDNS.)
+ddns-update-style none;
+
+# option definitions common to all supported networks...
+#option domain-name "labitat.dk";
+default-lease-time 3600;
+max-lease-time 7200;
+min-lease-time 600;
+
+# If this DHCP server is the official DHCP server for the local
+# network, the authoritative directive should be uncommented.
+authoritative;
+
+# Use this to send dhcp log messages to a different log file (you also
+# have to hack syslog.conf to complete the redirection).
+log-facility daemon;
+
+
+# Admin net
+subnet 10.42.0.0 netmask 255.255.255.0 {
+	range 10.42.0.50 10.42.0.69;
+	range 10.42.0.71 10.42.0.250;
+	option routers 10.42.0.1;
+	option domain-name-servers 185.38.175.0;
+	#option ntp-servers 90.185.0.18;
+{% for host in local_hosts %}
+{%   if host.ips | ipaddr('10.42.0.0/24') %}
+{%     if 'mac' in host %}
+
+{%       if 'description' in host %}
+	# {{ host.description }}
+{%       endif %}
+	host {{ host.name }} {
+		hardware ethernet {{ host.mac }};
+		fixed-address {{ host.ips | ipaddr('10.42.0.0/24') | first }};
+{%       if 'filename' in host %}
+		filename "{{ host.filename }}";
+{%       endif %}
+	}
+{%     else %}
+
+{%       if 'description' in host %}
+	# {{ host.description }}
+{%       endif %}
+	#host {{ host.name }} {
+	#	fixed-address {{ host.ips | ipaddr('10.42.0.0/24') | first }};
+	#}
+{%     endif %}
+{%   endif %}
+{% endfor %}
+
+	host spacewand {
+		hardware ethernet 00:1f:7b:b4:0e:00;
+		fixed-address 10.42.0.70;
+	}
+}
+
+
+# Wired net
+subnet 10.42.1.0 netmask 255.255.255.0 {
+	range dynamic-bootp 10.42.1.50 10.42.1.250;
+	option routers 10.42.1.1;
+	option domain-name-servers 185.38.175.0;
+	#option ntp-servers 90.185.0.18;
+	next-server 10.42.1.1;
+	filename "pxelinux.0";
+{% for host in local_hosts %}
+{%   if host.ips | ipaddr('10.42.1.0/24') %}
+{%     if 'mac' in host %}
+
+{%       if 'description' in host %}
+	# {{ host.description }}
+{%       endif %}
+	host {{ host.name }} {
+		hardware ethernet {{ host.mac }};
+		fixed-address {{ host.ips | ipaddr('10.42.1.0/24') | first }};
+{%       if 'filename' in host %}
+		filename "{{ host.filename }}";
+{%       endif %}
+	}
+{%     else %}
+
+{%       if 'description' in host %}
+	# {{ host.description }}
+{%       endif %}
+	#host {{ host.name }} {
+	#	fixed-address {{ host.ips | ipaddr('10.42.1.0/24') | first }};
+	#}
+{%     endif %}
+{%   endif %}
+{% endfor %}
+}
+
+
+# Private wifi
+subnet 10.42.2.0 netmask 255.255.255.0 {
+	range 10.42.2.50 10.42.2.250;
+	option routers 10.42.2.1;
+	option domain-name-servers 185.38.175.0;
+	#option ntp-servers 90.185.0.18;
+	next-server 10.42.2.1;
+	filename "pxelinux.0";
+{% for host in local_hosts %}
+{%   if host.ips | ipaddr('10.42.2.0/24') %}
+{%     if 'mac' in host %}
+
+{%       if 'description' in host %}
+	# {{ host.description }}
+{%       endif %}
+	host {{ host.name }} {
+		hardware ethernet {{ host.mac }};
+		fixed-address {{ host.ips | ipaddr('10.42.2.0/24') | first }};
+{%       if 'filename' in host %}
+		filename "{{ host.filename }}";
+{%       endif %}
+	}
+{%     else %}
+
+{%       if 'description' in host %}
+	# {{ host.description }}
+{%       endif %}
+	#host {{ host.name }} {
+	#	fixed-address {{ host.ips | ipaddr('10.42.2.0/24') | first }};
+	#}
+{%     endif %}
+{%   endif %}
+{% endfor %}
+}
+
+# Free wifi
+subnet 10.42.3.0 netmask 255.255.255.0 {
+	range 10.42.3.50 10.42.3.250;
+	option routers 10.42.3.1;
+	option domain-name-servers 185.38.175.0;
+	#option ntp-servers 90.185.0.18;
+{% for host in local_hosts %}
+{%   if host.ips | ipaddr('10.42.3.0/24') %}
+{%     if 'mac' in host %}
+
+{%       if 'description' in host %}
+	# {{ host.description }}
+{%       endif %}
+	host {{ host.name }} {
+		hardware ethernet {{ host.mac }};
+		fixed-address {{ host.ips | ipaddr('10.42.3.0/24') | first }};
+{%       if 'filename' in host %}
+		filename "{{ host.filename }}";
+{%       endif %}
+	}
+{%     else %}
+
+{%       if 'description' in host %}
+	# {{ host.description }}
+{%       endif %}
+	#host {{ host.name }} {
+	#	fixed-address {{ host.ips | ipaddr('10.42.3.0/24') | first }};
+	#}
+{%     endif %}
+{%   endif %}
+{% endfor %}
+}
+
+# Password protected wifi
+subnet 10.42.4.0 netmask 255.255.255.0 {
+	range 10.42.4.50 10.42.4.250;
+	option routers 10.42.4.1;
+	option domain-name-servers 185.38.175.0;
+	#option ntp-servers 90.185.0.18;
+{% for host in local_hosts %}
+{%   if host.ips | ipaddr('10.42.4.0/24') %}
+{%     if 'mac' in host %}
+
+{%       if 'description' in host %}
+	# {{ host.description }}
+{%       endif %}
+	host {{ host.name }} {
+		hardware ethernet {{ host.mac }};
+		fixed-address {{ host.ips | ipaddr('10.42.4.0/24') | first }};
+{%       if 'filename' in host %}
+		filename "{{ host.filename }}";
+{%       endif %}
+	}
+{%     else %}
+
+{%       if 'description' in host %}
+	# {{ host.description }}
+{%       endif %}
+	#host {{ host.name }} {
+	#	fixed-address {{ host.ips | ipaddr('10.42.4.0/24') | first }};
+	#}
+{%     endif %}
+{%   endif %}
+{% endfor %}
+}
diff --git a/roles/space_server/templates/unbound/unbound.conf.j2 b/roles/space_server/templates/unbound/unbound.conf.j2
new file mode 100644
index 0000000..d2d3aed
--- /dev/null
+++ b/roles/space_server/templates/unbound/unbound.conf.j2
@@ -0,0 +1,126 @@
+server:
+	pidfile: "/run/unbound/unbound.pid"
+	verbosity: 1
+	statistics-interval: 0
+	statistics-cumulative: no
+	extended-statistics: yes
+	num-threads: 1
+
+	define-tag: "local"
+
+	interface: 127.0.0.1
+	interface: ::1
+	interface: 185.38.175.0
+	interface: 2a01:4260:1ab::
+
+	outgoing-interface: 185.38.175.0
+	outgoing-interface: 2a01:4260:1ab::
+	outgoing-port-permit: 32768-60999
+	outgoing-port-avoid: 0-32767
+
+	so-reuseport: yes
+	ip-transparent: yes
+	max-udp-size: 3072
+
+	access-control-tag: 127.0.0.1/32 "local"
+	access-control-tag: ::1/128 "local"
+
+	access-control: 185.38.175.0/24 allow
+	access-control: 10.42.0.0/16 allow
+	access-control-tag: 10.42.0.0/24 "local"
+	access-control-tag: 10.42.1.0/24 "local"
+	access-control-tag: 10.42.2.0/24 "local"
+	# not free wifi     10.42.3.0/24
+	access-control-tag: 10.42.4.0/24 "local"
+	access-control-tag: 10.42.5.0/24 "local"
+	access-control: 2a01:4260:1ab::/48 allow
+	access-control-tag: 2a01:4260:1ab:a::/64 "local"
+	access-control-tag: 2a01:4260:1ab:b::/64 "local"
+	access-control-tag: 2a01:4260:1ab:c::/64 "local"
+	# not free wifi     2a01:4260:1ab:d::/64
+	access-control-tag: 2a01:4260:1ab:e::/64 "local"
+	access-control-tag: 2a01:4260:1ab:f::/64 "local"
+
+	chroot: ""
+	username: "unbound"
+	directory: "/etc/unbound"
+
+	use-syslog: yes
+	log-time-ascii: yes
+
+	harden-glue: yes
+	harden-dnssec-stripped: yes
+	harden-below-nxdomain: yes
+	harden-referral-path: yes
+	qname-minimisation: yes
+
+	prefetch: yes
+	prefetch-key: yes
+	rrset-roundrobin: yes
+	minimal-responses: yes
+
+	module-config: "validator iterator"
+
+	trust-anchor-signaling: yes
+
+	trusted-keys-file: /etc/unbound/keys.d/*.key
+	auto-trust-anchor-file: "/var/lib/unbound/root.key"
+
+	val-clean-additional: yes
+	val-permissive-mode: no
+	serve-expired: yes
+	val-log-level: 1
+
+	local-zone: a.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static
+	local-data: "a.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800"
+	local-data: "a.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk."
+
+	local-zone: b.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static
+	local-data: "b.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800"
+	local-data: "b.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk."
+
+	local-zone: c.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static
+	local-data: "c.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800"
+	local-data: "c.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk."
+
+	local-zone: d.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static
+	local-data: "d.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800"
+	local-data: "d.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk."
+
+	local-zone: e.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static
+	local-data: "e.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800"
+	local-data: "e.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk."
+
+	local-zone: f.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static
+	local-data: "f.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800"
+	local-data: "f.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk."
+
+	local-zone: s. static
+	local-zone-tag: s. "local"
+	local-data: "s.              IN SOA   space.labitat.dk. esmil.labitat.dk. 20171119 3600 1200 604800 10800"
+	local-data: "s.              IN NS    space.labitat.dk."
+	local-data: "s.              IN A     10.42.1.1"
+	local-data: "s.              IN AAAA  2a01:4260:1ab::"
+	local-data: "labitrack.s.    IN A     185.38.175.70"
+	local-data: "labitrack.s.    IN AAAA  2a01:4260:1ab::cafe"
+	local-data: "track.s.        IN A     185.38.175.70"
+	local-data: "track.s.        IN AAAA  2a01:4260:1ab::cafe"
+{% for host in local_hosts %}
+{%   for ip in host.ips | ipv4 %}
+{%     if loop.index <= 1 %}
+	local-data: "{{ host.name }}.s. IN A {{ ip }}"
+	local-data-ptr: "{{ ip }} {{ host.name }}.s."
+{%     endif %}
+{%   endfor %}
+{%   for ip in host.ips | ipv6 %}
+{%     if loop.index <= 1 %}
+	local-data: "{{ host.name }}.s. IN AAAA {{ ip }}"
+	local-data-ptr: "{{ ip }} {{ host.name }}.s."
+{%     endif %}
+{%   endfor %}
+{% endfor %}
+
+remote-control:
+	control-enable: yes
+	control-use-cert: no
+	control-interface: "/run/unbound/control"