| author | Emil Renner Berthing <esmil@labitat.dk> | 2017-11-19 01:19:10 +0100 | 
|---|---|---|
| committer | Emil Renner Berthing <esmil@labitat.dk> | 2017-11-19 12:46:29 +0100 | 
| commit | 3b795796bd03488a385f3ad42b10b8c0d61282c1 (patch) | |
| tree | 19381884de2c8320b20d3205f22b71c42c63dd1c /roles | |
| parent | 505f69ee1540581eef2465dc420525213d278473 (diff) | |
| download | labitat-ansible-3b795796bd03488a385f3ad42b10b8c0d61282c1.tar.gz labitat-ansible-3b795796bd03488a385f3ad42b10b8c0d61282c1.tar.xz labitat-ansible-3b795796bd03488a385f3ad42b10b8c0d61282c1.zip | |
space_server: unbound: use unbound instad of bind
Diffstat (limited to 'roles')
| -rw-r--r-- | roles/space_server/files/named/named.conf | 81 | ||||
| -rw-r--r-- | roles/space_server/files/named/s.zone | 21 | ||||
| -rw-r--r-- | roles/space_server/files/unbound/unbound.conf | 142 | ||||
| -rw-r--r-- | roles/space_server/handlers/main.yml | 4 | ||||
| -rw-r--r-- | roles/space_server/tasks/main.yml | 4 | ||||
| -rw-r--r-- | roles/space_server/tasks/named.yml | 52 | ||||
| -rw-r--r-- | roles/space_server/tasks/unbound.yml | 36 | 
7 files changed, 182 insertions, 158 deletions
| diff --git a/roles/space_server/files/named/named.conf b/roles/space_server/files/named/named.conf deleted file mode 100644 index d9b60d3..0000000 --- a/roles/space_server/files/named/named.conf +++ /dev/null 
@@ -1,81 +0,0 @@ -// -// named.conf -// -// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS -// server as a caching only nameserver (as a localhost DNS resolver only). -// -// See /usr/share/doc/bind*/sample/ for example named configuration files. -// - -options { -	listen-on port 53 { -		127.0.0.1; -		185.38.175.0; -	}; -	listen-on-v6 port 53 { -		::1; -		2a01:4260:1ab::; -	}; -	#dns64 fde2:52b4:4a19:ffff::/96 { -	#	clients { fde2:52b4:4a19:5::/64; }; -	#}; -	directory 	"/var/named"; -	dump-file 	"/var/named/data/cache_dump.db"; -	statistics-file "/var/named/data/named_stats.txt"; -	memstatistics-file "/var/named/data/named_mem_stats.txt"; -	//allow-query     { localhost; }; - -	/*  -	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion. -	 - If you are building a RECURSIVE (caching) DNS server, you need to enable  -	   recursion.  -	 - If your recursive DNS server has a public IP address, you MUST enable access  -	   control to limit queries to your legitimate users. Failing to do so will -	   cause your server to become part of large scale DNS amplification  -	   attacks. Implementing BCP38 within your network would greatly -	   reduce such attack surface  -	*/ -	recursion yes; - -	dnssec-enable yes; -	dnssec-validation yes; - -	managed-keys-directory "/var/named/dynamic"; - -	pid-file "/run/named/named.pid"; -	session-keyfile "/run/named/session.key"; - -	/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */ -	include "/etc/crypto-policies/back-ends/bind.config"; -}; - -logging { -	channel default_debug { -		file "data/named.run"; -		severity dynamic; -	}; -	channel syslog { -		syslog; -		severity warning; -		print-severity yes; -		print-category yes; -	}; -	category default{ -		syslog; -	}; -}; - -zone "." IN { -	type hint; -	file "named.ca"; -}; - -zone "s" IN { -	type master; -	file "/etc/named/s.zone"; -	allow-transfer { none; }; -}; - -include "/etc/named.rfc1912.zones"; -include "/etc/named.root.key"; - 
diff --git a/roles/space_server/files/named/s.zone b/roles/space_server/files/named/s.zone deleted file mode 100644 index 97bd2f7..0000000 --- a/roles/space_server/files/named/s.zone +++ /dev/null @@ -1,21 +0,0 @@ -s.                 600    IN      SOA     space.labitat.dk. xnybre.labitat.dk. 2015112001 7200 3600 604800 86400 -s.                 600    IN      NS      space.labitat.dk. - -s.                 600    IN      A       10.42.1.1 -s.                 600    IN      AAAA    2a01:4260:1ab:: - -labitrack.s.       600    IN      CNAME   spacewand.labitat.dk. -track.s.           600    IN      CNAME   spacewand.labitat.dk. - -doorputer.s.       600    IN      A       10.42.0.3 -foodputer.s.       600    IN      A       10.42.0.4 - -lathe.s.           600    IN      A       10.42.0.12 - -anna.s.            600    IN      A       10.42.1.9 -infotron.s.        600    IN      A       10.42.1.34 -spacemon.s.        600    IN      A       10.42.1.35 -jumbotron.s.       600    IN      A       10.42.1.36 -sound.s.           600    IN      A       10.42.1.80 - -printbrother.s.    600    IN      A       10.42.1.32 diff --git a/roles/space_server/files/unbound/unbound.conf b/roles/space_server/files/unbound/unbound.conf new file mode 100644 index 0000000..1679aea --- /dev/null +++ b/roles/space_server/files/unbound/unbound.conf 
@@ -0,0 +1,142 @@ +server: +	pidfile: "/run/unbound/unbound.pid" +	verbosity: 1 +	statistics-interval: 0 +	statistics-cumulative: no +	extended-statistics: yes +	num-threads: 1 + +	define-tag: "local" + +	interface: 127.0.0.1 +	interface: ::1 +	interface: 185.38.175.0 +	interface: 2a01:4260:1ab:: + +	outgoing-interface: 185.38.175.0 +	outgoing-interface: 2a01:4260:1ab:: +	outgoing-port-permit: 32768-60999 +	outgoing-port-avoid: 0-32767 + +	so-reuseport: yes +	ip-transparent: yes +	max-udp-size: 3072 + +	access-control-tag: 127.0.0.1/32 "local" +	access-control-tag: ::1/128 "local" + +	access-control: 185.38.175.0/24 allow +	access-control: 10.42.0.0/16 allow +	access-control-tag: 10.42.0.0/24 "local" +	access-control-tag: 10.42.1.0/24 "local" +	access-control-tag: 10.42.2.0/24 "local" +	# not free wifi     10.42.3.0/24 +	access-control-tag: 10.42.4.0/24 "local" +	access-control-tag: 10.42.5.0/24 "local" +	access-control: 2a01:4260:1ab::/48 allow +	access-control-tag: 2a01:4260:1ab:a::/64 "local" +	access-control-tag: 2a01:4260:1ab:b::/64 "local" +	access-control-tag: 2a01:4260:1ab:c::/64 "local" +	# not free wifi     2a01:4260:1ab:d::/64 +	access-control-tag: 2a01:4260:1ab:e::/64 "local" +	access-control-tag: 2a01:4260:1ab:f::/64 "local" + +	chroot: "" +	username: "unbound" +	directory: "/etc/unbound" + +	use-syslog: yes +	log-time-ascii: yes + +	harden-glue: yes +	harden-dnssec-stripped: yes +	harden-below-nxdomain: yes +	harden-referral-path: yes +	qname-minimisation: yes + +	prefetch: yes +	prefetch-key: yes +	rrset-roundrobin: yes +	minimal-responses: yes + +	module-config: "validator iterator" + +	trust-anchor-signaling: yes + +	trusted-keys-file: /etc/unbound/keys.d/*.key +	auto-trust-anchor-file: "/var/lib/unbound/root.key" + +	val-clean-additional: yes +	val-permissive-mode: no +	serve-expired: yes +	val-log-level: 1 + +	local-zone: a.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static +	local-data: "a.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. 
IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800" +	local-data: "a.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk." + +	local-zone: b.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static +	local-data: "b.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800" +	local-data: "b.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk." + +	local-zone: c.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static +	local-data: "c.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800" +	local-data: "c.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk." + +	local-zone: d.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static +	local-data: "d.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800" +	local-data: "d.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk." + +	local-zone: e.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static +	local-data: "e.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800" +	local-data: "e.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk." + +	local-zone: f.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static +	local-data: "f.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800" +	local-data: "f.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk." + +	local-zone: s. static +	local-zone-tag: s. "local" +	local-data: "s.              IN SOA   space.labitat.dk. esmil.labitat.dk. 20171119 3600 1200 604800 10800" +	local-data: "s.              IN NS    space.labitat.dk." +	local-data: "s.              IN A     10.42.1.1" +	local-data: "s.              IN AAAA  2a01:4260:1ab::" +	local-data: "labitrack.s.    IN A     185.38.175.70" +	local-data: "labitrack.s.    IN AAAA  2a01:4260:1ab::cafe" +	local-data: "track.s.        
IN A     185.38.175.70" +	local-data: "track.s.        IN AAAA  2a01:4260:1ab::cafe" +	local-data: "ap.s.           IN A     10.42.0.2" +	local-data-ptr:                      "10.42.0.2 ap.s." +	local-data: "doorputer.s.    IN A     10.42.0.3" +	local-data-ptr:                      "10.42.0.3 doorputer.s." +	local-data: "foodputer.s.    IN A     10.42.0.4" +	local-data-ptr:                      "10.42.0.4 foodputer.s." +	local-data: "ap1.s.          IN A     10.42.0.5" +	local-data-ptr:                      "10.42.0.5 ap1.s." +	local-data: "ap2.s.          IN A     10.42.0.6" +	local-data-ptr:                      "10.42.0.6 ap2.s." +	local-data: "switch.s.       IN A     10.42.0.9" +	local-data-ptr:                      "10.42.0.9 switch.s." +	local-data: "lathe.s.        IN A     10.42.0.12" +	local-data-ptr:                      "10.42.0.12 lathe.s." +	local-data: "anna.s.         IN A     10.42.1.9" +	local-data-ptr:                      "10.42.1.9 anna.s." +	local-data: "printbrother.s. IN A     10.42.1.32" +	local-data-ptr:                      "10.42.1.32 printbrother.s." +	local-data: "infotron.s.     IN A     10.42.1.34" +	local-data-ptr:                      "10.42.1.34 infotron.s." +	local-data: "spacemon.s.     IN A     10.42.1.35" +	local-data-ptr:                      "10.42.1.35 spacemon.s." +	local-data: "jumbotron.s.    IN A     10.42.1.36" +	local-data-ptr:                      "10.42.1.36 jumbotron.s." +	local-data: "hplaserjet.s.   IN A     10.42.1.37" +	local-data-ptr:                      "10.42.1.37 hplaserjet.s." +	local-data: "labisound.s.    IN A     10.42.1.40" +	local-data-ptr:                      "10.42.1.40 labisound.s." +	local-data: "sound.s.        IN A     10.42.1.80" +	local-data-ptr:                      "10.42.1.80 sound.s." + +remote-control: +	control-enable: yes +	control-use-cert: no +	control-interface: "/run/unbound/control" 
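Review bot: The `remote-control` block at the end of the hunk enables the control channel with `control-use-cert: no`, so the only thing standing between a local process and full control of the resolver (cache flushes, added `local-data`) is the filesystem permission on `/run/unbound/control`; a comment such as `# unix socket, no TLS: access is governed solely by the socket's owner/mode` would make that assumption reviewable, and the ownership the packaged unbound.service gives that path should be confirmed. Separately, `serve-expired: yes` is set with no bound on how long stale records keep being answered once upstream stops responding; if the installed unbound supports `serve-expired-ttl`, consider adding it, otherwise note the trade-off next to the option. As far as I can tell `access-control-tag: 127.0.0.1/32 "local"` and the `::1/128` line only attach a tag, so loopback queries are admitted by unbound's built-in localhost default rather than by this file; an explicit `access-control: 127.0.0.0/8 allow` and `access-control: ::1/128 allow` beside them would make the policy self-contained.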
diff --git a/roles/space_server/handlers/main.yml b/roles/space_server/handlers/main.yml index 70e0b85..e8943d3 100644 --- a/roles/space_server/handlers/main.yml +++ b/roles/space_server/handlers/main.yml @@ -57,9 +57,9 @@      daemon_reload: yes    when: "'container' not in ansible_env" -- name: restart named +- name: restart unbound    systemd: -    name: named.service +    name: unbound.service      state: restarted    when: "'container' not in ansible_env" diff --git a/roles/space_server/tasks/main.yml b/roles/space_server/tasks/main.yml index 6893cbb..bd65b52 100644 --- a/roles/space_server/tasks/main.yml +++ b/roles/space_server/tasks/main.yml @@ -35,8 +35,8 @@  - import_tasks: radius.yml    tags: radius    when: radius_passwords is defined -- import_tasks: named.yml -  tags: named +- import_tasks: unbound.yml +  tags: unbound  - import_tasks: avahi.yml    tags: avahi diff --git a/roles/space_server/tasks/named.yml b/roles/space_server/tasks/named.yml deleted file mode 100644 index d295058..0000000 --- a/roles/space_server/tasks/named.yml +++ /dev/null 
@@ -1,52 +0,0 @@ ---- -- name: Install bind package -  dnf: -    name: bind -    state: latest -  notify: -    - restart named -  tags: -    - packages - -- name: Configure named -  copy: -    src: named/named.conf -    dest: '/etc/named.conf' -    mode: 0640 -  notify: -    - restart named -- name: Create s zone -  copy: -    src: named/s.zone -    dest: '/etc/named/s.zone' -  notify: -    - restart named - -- name: Create service drop-in directory -  file: -    dest: '/etc/systemd/system/named.service.d' -    state: directory -- name: Start named after networks are configured -  copy: -    src: wait-online.conf -    dest: '/etc/systemd/system/named.service.d/wait-online.conf' - -- name: Enable named service -  systemd: -    name: named.service -    enabled: yes -    masked: no -    state: started -  when: "'container' not in ansible_env" -- name: '- when in nspawn' -  command: systemctl enable named.service -  args: -    creates: '/etc/systemd/system/multi-user.target.wants/named.service' -  when: "'container' in ansible_env" - -- name: Use our own resolver -  copy: -    dest: /etc/resolv.conf -    content: "nameserver 127.0.0.1\nnameserver ::1\n" - -# vim: set ts=2 sw=2 et ft=yaml: diff --git a/roles/space_server/tasks/unbound.yml b/roles/space_server/tasks/unbound.yml new file mode 100644 index 0000000..42db916 --- /dev/null +++ b/roles/space_server/tasks/unbound.yml 
@@ -0,0 +1,36 @@
+---
+- name: Install unbound package
+  dnf:
+    name: unbound
+    state: latest
+  notify:
+    - restart unbound
+  tags:
+    - packages
+
+- name: Configure unbound
+  copy:
+    src: unbound/unbound.conf
+    dest: '/etc/unbound/unbound.conf'
+  notify:
+    - restart unbound
+
+- name: Enable unbound service
+  systemd:
+    name: unbound.service
+    enabled: yes
+    masked: no
+    state: started
+  when: "'container' not in ansible_env"
+- name: '- when in nspawn'
+  command: systemctl enable unbound.service
+  args:
+    creates: '/etc/systemd/system/multi-user.target.wants/unbound.service'
+  when: "'container' in ansible_env"
+
+- name: Use our own resolver
+  copy:
+    dest: /etc/resolv.conf
+    content: "nameserver 127.0.0.1\nnameserver ::1\n"
+
+# vim: set ts=2 sw=2 et ft=yaml: |
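Review bot: The `Configure unbound` copy task has no `validate:` step, so a typo in unbound.conf is only discovered when the `restart unbound` handler fails — and because the last task points `/etc/resolv.conf` at 127.0.0.1 and ::1 only, that leaves the host without any working resolver; adding `validate: 'unbound-checkconf %s'` to that copy task rejects a broken file before it replaces the live one. The same task also drops the explicit `mode:` that the deleted `named.yml` set on its config file; an explicit `mode: '0644'` keeps the result independent of the controller's umask. The deleted `named.yml` further installed a `wait-online.conf` service drop-in so the daemon started after the network was configured, and nothing equivalent is added here — presumably `ip-transparent: yes` in unbound.conf is meant to let it bind 185.38.175.0 and 2a01:4260:1ab:: before they exist; a comment on the `Enable unbound service` task, e.g. `# no wait-online drop-in: unbound.conf sets ip-transparent so not-yet-configured addresses can be bound`, would record that intent.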
