From 3387c2fdcbe74be6767c5abce5beb9e7df2d3f5b Mon Sep 17 00:00:00 2001 From: Emil Renner Berthing Date: Sun, 19 Nov 2017 03:15:26 +0100 Subject: space_server: generate DNS, mDNS and dhcp entries ..from the same variables --- roles/space_server/bootstrap.sh | 2 +- roles/space_server/defaults/main.yml | 71 +++++++ roles/space_server/files/dhcpd/dhcpd.conf | 160 ---------------- roles/space_server/files/unbound/unbound.conf | 142 -------------- roles/space_server/tasks/avahi.yml | 7 + roles/space_server/tasks/dhcpd.yml | 4 +- roles/space_server/tasks/unbound.yml | 4 +- roles/space_server/templates/avahi/hosts.j2 | 14 ++ roles/space_server/templates/dhcpd/dhcpd.conf.j2 | 203 +++++++++++++++++++++ .../space_server/templates/unbound/unbound.conf.j2 | 126 +++++++++++++ 10 files changed, 426 insertions(+), 307 deletions(-) delete mode 100644 roles/space_server/files/dhcpd/dhcpd.conf delete mode 100644 roles/space_server/files/unbound/unbound.conf create mode 100644 roles/space_server/templates/avahi/hosts.j2 create mode 100644 roles/space_server/templates/dhcpd/dhcpd.conf.j2 create mode 100644 roles/space_server/templates/unbound/unbound.conf.j2 (limited to 'roles/space_server') diff --git a/roles/space_server/bootstrap.sh b/roles/space_server/bootstrap.sh index c358db5..8fbc399 100755 --- a/roles/space_server/bootstrap.sh +++ b/roles/space_server/bootstrap.sh @@ -55,7 +55,7 @@ dnf \ --disablerepo='*' \ --enablerepo=fedora \ --enablerepo=updates \ - install dnf python2-dnf ansible + install dnf python2-dnf python-netaddr ansible systemd-nspawn -D "$dest" -M space -E ANSIBLE_FORCE_COLOR=1 \ --bind /boot --bind /home -- \ diff --git a/roles/space_server/defaults/main.yml b/roles/space_server/defaults/main.yml index eb582df..6d6f12d 100644 --- a/roles/space_server/defaults/main.yml +++ b/roles/space_server/defaults/main.yml @@ -14,6 +14,7 @@ packages: - python2-dnf - 'dnf-command(leaves)' - ansible + - python-netaddr - vim-enhanced - git - diffutils 
@@ -28,5 +29,75 @@ boot: root: device: 'LABEL=BTRFS' options: 'noatime,ssd,compress=lzo' +local_hosts: + - name: ap + mac: 00:0f:23:94:43:0b + mdns: false + ips: + - 10.42.0.2 + - name: doorputer + mac: 00:b3:f6:00:36:be + mdns: false + ips: + - 10.42.0.3 + - name: foodputer + mac: 00:d0:59:37:5e:37 + mdns: false + ips: + - 10.42.0.4 + - name: ap1 + mdns: false + ips: + - 10.42.0.5 + - name: ap2 + mdns: false + ips: + - 10.42.0.6 + - 10.42.0.7 + - name: switch + mac: 00:1b:11:6f:42:f8 + mdns: false + ips: + - 10.42.0.9 + - name: lathe + mdns: false + ips: + - 10.42.0.12 + - name: anna + mac: 00:e0:c5:6e:d6:8d + ips: + - 10.42.1.9 + - name: printbrother + mac: 00:80:77:06:9f:26 + ips: + - 10.42.1.32 + - name: infotron + description: Infoscreen Raspberry Pi + mac: b8:27:eb:2c:5d:3a + ips: + - 10.42.1.34 + - name: spacemon + mac: b8:27:eb:24:f8:50 + ips: + - 10.42.1.35 + - name: jumbotron + description: Jumbotron Raspberry Pi + mac: b8:27:eb:d3:c1:62 + mdns: false + ips: + - 10.42.1.36 + - name: hplaserjet + mac: 94:57:a5:ce:e2:6c + mdns: false + ips: + - 10.42.1.37 + - 2a01:4260:1ab:b:9657:a5ff:fece:e26c + - name: labisound + mac: 00:16:e6:f7:43:b0 + ips: + - 10.42.1.40 + - name: sound + ips: + - 10.42.1.80 # vim: set ts=2 sw=2 et: diff --git a/roles/space_server/files/dhcpd/dhcpd.conf b/roles/space_server/files/dhcpd/dhcpd.conf deleted file mode 100644 index f55aeae..0000000 --- a/roles/space_server/files/dhcpd/dhcpd.conf +++ /dev/null 
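Review bot: The `local_hosts` schema is consumed by three templates but is written down nowhere; a comment above `local_hosts:` should list the keys and their defaults — `name` and `ips` required, `mac` optional (without it dhcpd only emits a commented-out placeholder), `mdns` optional and treated as true when absent, `description` and `filename` optional and read only by the dhcpd template. Comparing with the deleted dhcpd.conf, `flummer`, `arduino`, `tlet` and `riiiisarduinoserverrebootertest` have no entry in the new list and `spacewand` stays hard-coded in the dhcpd template, so those reservations change silently with this commit; the commit message should say the first four are dropped on purpose. Nothing checks that names, MACs or addresses are unique in this list, which matters now that one typo propagates to DNS, mDNS and DHCP at once.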
@@ -1,160 +0,0 @@ -# -# DHCP Server Configuration file. -# see /usr/share/doc/dhcp/dhcpd.conf.example -# see dhcpd.conf(5) man page -# - -# The ddns-updates-style parameter controls whether or not the server will -# attempt to do a DNS update when a lease is confirmed. We default to the -# behavior of the version 2 packages ('none', since DHCP v2 didn't -# have support for DDNS.) -ddns-update-style none; - -# option definitions common to all supported networks... -#option domain-name "labitat.dk"; -default-lease-time 3600; -max-lease-time 7200; -min-lease-time 600; - -# If this DHCP server is the official DHCP server for the local -# network, the authoritative directive should be uncommented. -authoritative; - -# Use this to send dhcp log messages to a different log file (you also -# have to hack syslog.conf to complete the redirection). -log-facility daemon; - - -# Admin net -subnet 10.42.0.0 netmask 255.255.255.0 { - range 10.42.0.50 10.42.0.69; - range 10.42.0.71 10.42.0.250; - option routers 10.42.0.1; - option domain-name-servers 185.38.175.0; - #option ntp-servers 90.185.0.18; - - host ap { - hardware ethernet 00:0f:23:94:43:0b; - fixed-address 10.42.0.2; - } - - host doorputer { - hardware ethernet 00:b3:f6:00:36:be; - fixed-address 10.42.0.3; - } - - host foodputer { - hardware ethernet 00:d0:59:37:5e:37; - fixed-address 10.42.0.4; - } - - # 10.42.0.5: new ap1 - # 10.42.0.6: new ap2 - - host switch { - hardware ethernet 00:1b:11:6f:42:f8; - fixed-address 10.42.0.9; - } - - host spacewand { - hardware ethernet 00:1f:7b:b4:0e:00; - fixed-address 10.42.0.70; - } -} - - -# Wired net -subnet 10.42.1.0 netmask 255.255.255.0 { - range dynamic-bootp 10.42.1.50 10.42.1.250; - option routers 10.42.1.1; - option domain-name-servers 185.38.175.0; - #option ntp-servers 90.185.0.18; - next-server 10.42.1.1; - filename "pxelinux.0"; - - host anna { - hardware ethernet 00:e0:c5:6e:d6:8d; - fixed-address 10.42.1.9; - } - - # Arduino Ethernet Bootloader test - host flummer { 
- hardware ethernet 90:A2:DA:00:61:EE; - fixed-address 10.42.1.31; - filename "esmil/test.bin"; - } - - host arduino { - hardware ethernet 00:08:DC:00:00:4F; - fixed-address 10.42.1.31; - filename "esmil/setmac.bin"; - } - - host printbrother { - hardware ethernet 00:80:77:06:9f:26; - fixed-address 10.42.1.32; - } - - # Infoscreen Raspberry Pi - host infotron { - hardware ethernet b8:27:eb:2c:5d:3a; - fixed-address 10.42.1.34; - } - host spacemon { - hardware ethernet b8:27:eb:24:f8:50; - fixed-address 10.42.1.35; - } - host jumbotron { - hardware ethernet b8:27:eb:d3:c1:62; - fixed-address 10.42.1.36; - } - host hplaserjet { - hardware ethernet 94:57:a5:ce:e2:6c; - fixed-address 10.42.1.37; - } - - # fake IP til "hemmeligt projekt" - host tlet { - hardware ethernet 00:00:00:00:00:00; - fixed-address 10.42.1.42; - } - - host labisound { - hardware ethernet 00:16:e6:f7:43:b0; - fixed-address 10.42.1.40; - } - - #test riiiis april2014 - host riiiisarduinoserverrebootertest { - fixed-address 10.42.1.49; - } - -} - - -# Private wifi -subnet 10.42.2.0 netmask 255.255.255.0 { - range 10.42.2.50 10.42.2.250; - option routers 10.42.2.1; - option domain-name-servers 185.38.175.0; - #option ntp-servers 90.185.0.18; - next-server 10.42.2.1; - filename "pxelinux.0"; -} - -# Free wifi -subnet 10.42.3.0 netmask 255.255.255.0 { - range 10.42.3.50 10.42.3.250; - option routers 10.42.3.1; - option domain-name-servers 185.38.175.0; - #option ntp-servers 90.185.0.18; - -} - -# Password protected wifi -subnet 10.42.4.0 netmask 255.255.255.0 { - range 10.42.4.50 10.42.4.250; - option routers 10.42.4.1; - option domain-name-servers 185.38.175.0; - #option ntp-servers 90.185.0.18; -} diff --git a/roles/space_server/files/unbound/unbound.conf b/roles/space_server/files/unbound/unbound.conf deleted file mode 100644 index 1679aea..0000000 --- a/roles/space_server/files/unbound/unbound.conf +++ /dev/null 
@@ -1,142 +0,0 @@ -server: - pidfile: "/run/unbound/unbound.pid" - verbosity: 1 - statistics-interval: 0 - statistics-cumulative: no - extended-statistics: yes - num-threads: 1 - - define-tag: "local" - - interface: 127.0.0.1 - interface: ::1 - interface: 185.38.175.0 - interface: 2a01:4260:1ab:: - - outgoing-interface: 185.38.175.0 - outgoing-interface: 2a01:4260:1ab:: - outgoing-port-permit: 32768-60999 - outgoing-port-avoid: 0-32767 - - so-reuseport: yes - ip-transparent: yes - max-udp-size: 3072 - - access-control-tag: 127.0.0.1/32 "local" - access-control-tag: ::1/128 "local" - - access-control: 185.38.175.0/24 allow - access-control: 10.42.0.0/16 allow - access-control-tag: 10.42.0.0/24 "local" - access-control-tag: 10.42.1.0/24 "local" - access-control-tag: 10.42.2.0/24 "local" - # not free wifi 10.42.3.0/24 - access-control-tag: 10.42.4.0/24 "local" - access-control-tag: 10.42.5.0/24 "local" - access-control: 2a01:4260:1ab::/48 allow - access-control-tag: 2a01:4260:1ab:a::/64 "local" - access-control-tag: 2a01:4260:1ab:b::/64 "local" - access-control-tag: 2a01:4260:1ab:c::/64 "local" - # not free wifi 2a01:4260:1ab:d::/64 - access-control-tag: 2a01:4260:1ab:e::/64 "local" - access-control-tag: 2a01:4260:1ab:f::/64 "local" - - chroot: "" - username: "unbound" - directory: "/etc/unbound" - - use-syslog: yes - log-time-ascii: yes - - harden-glue: yes - harden-dnssec-stripped: yes - harden-below-nxdomain: yes - harden-referral-path: yes - qname-minimisation: yes - - prefetch: yes - prefetch-key: yes - rrset-roundrobin: yes - minimal-responses: yes - - module-config: "validator iterator" - - trust-anchor-signaling: yes - - trusted-keys-file: /etc/unbound/keys.d/*.key - auto-trust-anchor-file: "/var/lib/unbound/root.key" - - val-clean-additional: yes - val-permissive-mode: no - serve-expired: yes - val-log-level: 1 - - local-zone: a.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static - local-data: "a.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. 
nobody.invalid. 1 3600 1200 604800 10800" - local-data: "a.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk." - - local-zone: b.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static - local-data: "b.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800" - local-data: "b.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk." - - local-zone: c.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static - local-data: "c.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800" - local-data: "c.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk." - - local-zone: d.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static - local-data: "d.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800" - local-data: "d.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk." - - local-zone: e.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static - local-data: "e.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800" - local-data: "e.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk." - - local-zone: f.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static - local-data: "f.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800" - local-data: "f.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk." - - local-zone: s. static - local-zone-tag: s. "local" - local-data: "s. IN SOA space.labitat.dk. esmil.labitat.dk. 20171119 3600 1200 604800 10800" - local-data: "s. IN NS space.labitat.dk." - local-data: "s. IN A 10.42.1.1" - local-data: "s. IN AAAA 2a01:4260:1ab::" - local-data: "labitrack.s. IN A 185.38.175.70" - local-data: "labitrack.s. IN AAAA 2a01:4260:1ab::cafe" - local-data: "track.s. IN A 185.38.175.70" - local-data: "track.s. IN AAAA 2a01:4260:1ab::cafe" - local-data: "ap.s. 
IN A 10.42.0.2" - local-data-ptr: "10.42.0.2 ap.s." - local-data: "doorputer.s. IN A 10.42.0.3" - local-data-ptr: "10.42.0.3 doorputer.s." - local-data: "foodputer.s. IN A 10.42.0.4" - local-data-ptr: "10.42.0.4 foodputer.s." - local-data: "ap1.s. IN A 10.42.0.5" - local-data-ptr: "10.42.0.5 ap1.s." - local-data: "ap2.s. IN A 10.42.0.6" - local-data-ptr: "10.42.0.6 ap2.s." - local-data: "switch.s. IN A 10.42.0.9" - local-data-ptr: "10.42.0.9 switch.s." - local-data: "lathe.s. IN A 10.42.0.12" - local-data-ptr: "10.42.0.12 lathe.s." - local-data: "anna.s. IN A 10.42.1.9" - local-data-ptr: "10.42.1.9 anna.s." - local-data: "printbrother.s. IN A 10.42.1.32" - local-data-ptr: "10.42.1.32 printbrother.s." - local-data: "infotron.s. IN A 10.42.1.34" - local-data-ptr: "10.42.1.34 infotron.s." - local-data: "spacemon.s. IN A 10.42.1.35" - local-data-ptr: "10.42.1.35 spacemon.s." - local-data: "jumbotron.s. IN A 10.42.1.36" - local-data-ptr: "10.42.1.36 jumbotron.s." - local-data: "hplaserjet.s. IN A 10.42.1.37" - local-data-ptr: "10.42.1.37 hplaserjet.s." - local-data: "labisound.s. IN A 10.42.1.40" - local-data-ptr: "10.42.1.40 labisound.s." - local-data: "sound.s. IN A 10.42.1.80" - local-data-ptr: "10.42.1.80 sound.s." - -remote-control: - control-enable: yes - control-use-cert: no - control-interface: "/run/unbound/control" diff --git a/roles/space_server/tasks/avahi.yml b/roles/space_server/tasks/avahi.yml index ebf21ef..db8a5ee 100644 --- a/roles/space_server/tasks/avahi.yml +++ b/roles/space_server/tasks/avahi.yml @@ -80,6 +80,13 @@ notify: - restart avahi-daemon +- name: Configure hosts + template: + src: avahi/hosts.j2 + dest: '/etc/avahi/hosts' + notify: + - restart avahi-daemon + - name: Enable avahi-daemon service systemd: name: avahi-daemon.service diff --git a/roles/space_server/tasks/dhcpd.yml b/roles/space_server/tasks/dhcpd.yml index c72fa75..a15ce49 100644 --- a/roles/space_server/tasks/dhcpd.yml +++ b/roles/space_server/tasks/dhcpd.yml 
@@ -9,8 +9,8 @@ - packages - name: Configure dhcpd - copy: - src: dhcpd/dhcpd.conf + template: + src: dhcpd/dhcpd.conf.j2 dest: '/etc/dhcp/dhcpd.conf' notify: - restart dhcpd diff --git a/roles/space_server/tasks/unbound.yml b/roles/space_server/tasks/unbound.yml index 42db916..a9c4610 100644 --- a/roles/space_server/tasks/unbound.yml +++ b/roles/space_server/tasks/unbound.yml @@ -9,8 +9,8 @@ - packages - name: Configure unbound - copy: - src: unbound/unbound.conf + template: + src: unbound/unbound.conf.j2 dest: '/etc/unbound/unbound.conf' notify: - restart unbound diff --git a/roles/space_server/templates/avahi/hosts.j2 b/roles/space_server/templates/avahi/hosts.j2 new file mode 100644 index 0000000..f87ad4b --- /dev/null +++ b/roles/space_server/templates/avahi/hosts.j2 @@ -0,0 +1,14 @@ +{% for host in local_hosts %} +{% if 'mdns' not in host or host.mdns %} +{% for ip in host.ips | ipv4 %} +{% if loop.index <= 1 %} +{{ ip }} {{ host.name }}.local +{% endif %} +{% endfor %} +{% for ip in host.ips | ipv6 %} +{% if loop.index <= 1 %} +{{ ip }} {{ host.name }}.local +{% endif %} +{% endfor %} +{% endif %} +{% endfor %} diff --git a/roles/space_server/templates/dhcpd/dhcpd.conf.j2 b/roles/space_server/templates/dhcpd/dhcpd.conf.j2 new file mode 100644 index 0000000..1b832e1 --- /dev/null +++ b/roles/space_server/templates/dhcpd/dhcpd.conf.j2 
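Review bot: Neither this task nor the matching ones in unbound.yml and avahi.yml validate `local_hosts` before rendering, and the three templates interpolate `host.name`, `host.mac` and `host.ips` straight into config syntax, so a duplicate MAC, a duplicate address or a name with a space would only surface as a dhcpd.conf that fails to parse (or two hosts contending for one lease) at service restart. An `assert` task run once before the templating tasks fails the play early with a readable message; a sketch is below. The name check is the one that also matters for unbound, where the name lands inside a quoted `local-data` string.
```yaml
- name: Validate local_hosts
  assert:
    that:
      - local_hosts | map(attribute='name') | list | unique | list | length == local_hosts | length
      - local_hosts | map(attribute='ips') | sum(start=[]) | unique | list | length == local_hosts | map(attribute='ips') | sum(start=[]) | length
      - local_hosts | selectattr('mac', 'defined') | map(attribute='mac') | list | unique | list | length == local_hosts | selectattr('mac', 'defined') | list | length
      - local_hosts | map(attribute='name') | select('match', '^[a-z0-9-]+$') | list | length == local_hosts | length
    msg: local_hosts has duplicate names, MACs or addresses, or a name that is not a plain hostname

# … unchanged: Configure dhcpd template task …
```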
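Review bot: `{% for ip in host.ips | ipv4 %}{% if loop.index <= 1 %}` is a roundabout way of taking the first element, and the same pair appears twice here and twice in unbound.conf.j2; `{% if host.ips | ipv4 %}` / `{{ host.ips | ipv4 | first }} {{ host.name }}.local` / `{% endif %}` says the same in one test and reads as the policy it is. The mDNS opt-out `'mdns' not in host or host.mdns` would be clearer as `{% if host.mdns | default(true) %}`, which also documents that publishing is the default. A header comment naming the consumer, `{# static mDNS names published by avahi-daemon; entries come from local_hosts in defaults/main.yml #}`, is worth adding since the file carries no other hint of what it is rendered into.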
@@ -0,0 +1,203 @@ +# +# DHCP Server Configuration file. +# see /usr/share/doc/dhcp/dhcpd.conf.example +# see dhcpd.conf(5) man page +# + +# The ddns-updates-style parameter controls whether or not the server will +# attempt to do a DNS update when a lease is confirmed. We default to the +# behavior of the version 2 packages ('none', since DHCP v2 didn't +# have support for DDNS.) +ddns-update-style none; + +# option definitions common to all supported networks... +#option domain-name "labitat.dk"; +default-lease-time 3600; +max-lease-time 7200; +min-lease-time 600; + +# If this DHCP server is the official DHCP server for the local +# network, the authoritative directive should be uncommented. +authoritative; + +# Use this to send dhcp log messages to a different log file (you also +# have to hack syslog.conf to complete the redirection). +log-facility daemon; + + +# Admin net +subnet 10.42.0.0 netmask 255.255.255.0 { + range 10.42.0.50 10.42.0.69; + range 10.42.0.71 10.42.0.250; + option routers 10.42.0.1; + option domain-name-servers 185.38.175.0; + #option ntp-servers 90.185.0.18; +{% for host in local_hosts %} +{% if host.ips | ipaddr('10.42.0.0/24') %} +{% if 'mac' in host %} + +{% if 'description' in host %} + # {{ host.description }} +{% endif %} + host {{ host.name }} { + hardware ethernet {{ host.mac }}; + fixed-address {{ host.ips | ipaddr('10.42.0.0/24') | first }}; +{% if 'filename' in host %} + filename "{{ host.filename }}"; +{% endif %} + } +{% else %} + +{% if 'description' in host %} + # {{ host.description }} +{% endif %} + #host {{ host.name }} { + # fixed-address {{ host.ips | ipaddr('10.42.0.0/24') | first }}; + #} +{% endif %} +{% endif %} +{% endfor %} + + host spacewand { + hardware ethernet 00:1f:7b:b4:0e:00; + fixed-address 10.42.0.70; + } +} + + +# Wired net +subnet 10.42.1.0 netmask 255.255.255.0 { + range dynamic-bootp 10.42.1.50 10.42.1.250; + option routers 10.42.1.1; + option domain-name-servers 185.38.175.0; + #option ntp-servers 
90.185.0.18; + next-server 10.42.1.1; + filename "pxelinux.0"; +{% for host in local_hosts %} +{% if host.ips | ipaddr('10.42.1.0/24') %} +{% if 'mac' in host %} + +{% if 'description' in host %} + # {{ host.description }} +{% endif %} + host {{ host.name }} { + hardware ethernet {{ host.mac }}; + fixed-address {{ host.ips | ipaddr('10.42.1.0/24') | first }}; +{% if 'filename' in host %} + filename "{{ host.filename }}"; +{% endif %} + } +{% else %} + +{% if 'description' in host %} + # {{ host.description }} +{% endif %} + #host {{ host.name }} { + # fixed-address {{ host.ips | ipaddr('10.42.1.0/24') | first }}; + #} +{% endif %} +{% endif %} +{% endfor %} +} + + +# Private wifi +subnet 10.42.2.0 netmask 255.255.255.0 { + range 10.42.2.50 10.42.2.250; + option routers 10.42.2.1; + option domain-name-servers 185.38.175.0; + #option ntp-servers 90.185.0.18; + next-server 10.42.2.1; + filename "pxelinux.0"; +{% for host in local_hosts %} +{% if host.ips | ipaddr('10.42.2.0/24') %} +{% if 'mac' in host %} + +{% if 'description' in host %} + # {{ host.description }} +{% endif %} + host {{ host.name }} { + hardware ethernet {{ host.mac }}; + fixed-address {{ host.ips | ipaddr('10.42.2.0/24') | first }}; +{% if 'filename' in host %} + filename "{{ host.filename }}"; +{% endif %} + } +{% else %} + +{% if 'description' in host %} + # {{ host.description }} +{% endif %} + #host {{ host.name }} { + # fixed-address {{ host.ips | ipaddr('10.42.2.0/24') | first }}; + #} +{% endif %} +{% endif %} +{% endfor %} +} + +# Free wifi +subnet 10.42.3.0 netmask 255.255.255.0 { + range 10.42.3.50 10.42.3.250; + option routers 10.42.3.1; + option domain-name-servers 185.38.175.0; + #option ntp-servers 90.185.0.18; +{% for host in local_hosts %} +{% if host.ips | ipaddr('10.42.3.0/24') %} +{% if 'mac' in host %} + +{% if 'description' in host %} + # {{ host.description }} +{% endif %} + host {{ host.name }} { + hardware ethernet {{ host.mac }}; + fixed-address {{ host.ips | 
ipaddr('10.42.3.0/24') | first }}; +{% if 'filename' in host %} + filename "{{ host.filename }}"; +{% endif %} + } +{% else %} + +{% if 'description' in host %} + # {{ host.description }} +{% endif %} + #host {{ host.name }} { + # fixed-address {{ host.ips | ipaddr('10.42.3.0/24') | first }}; + #} +{% endif %} +{% endif %} +{% endfor %} +} + +# Password protected wifi +subnet 10.42.4.0 netmask 255.255.255.0 { + range 10.42.4.50 10.42.4.250; + option routers 10.42.4.1; + option domain-name-servers 185.38.175.0; + #option ntp-servers 90.185.0.18; +{% for host in local_hosts %} +{% if host.ips | ipaddr('10.42.4.0/24') %} +{% if 'mac' in host %} + +{% if 'description' in host %} + # {{ host.description }} +{% endif %} + host {{ host.name }} { + hardware ethernet {{ host.mac }}; + fixed-address {{ host.ips | ipaddr('10.42.4.0/24') | first }}; +{% if 'filename' in host %} + filename "{{ host.filename }}"; +{% endif %} + } +{% else %} + +{% if 'description' in host %} + # {{ host.description }} +{% endif %} + #host {{ host.name }} { + # fixed-address {{ host.ips | ipaddr('10.42.4.0/24') | first }}; + #} +{% endif %} +{% endif %} +{% endfor %} +} diff --git a/roles/space_server/templates/unbound/unbound.conf.j2 b/roles/space_server/templates/unbound/unbound.conf.j2 new file mode 100644 index 0000000..d2d3aed --- /dev/null +++ b/roles/space_server/templates/unbound/unbound.conf.j2 
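Review bot: `spacewand` (10.42.0.70, the address deliberately left out between the two `range` statements of the admin subnet) stays hard-coded in the Admin net block while every other reservation now comes from `local_hosts`, so it is the one host the shared variable does not know about; moving it into `local_hosts` with `mac: 00:1f:7b:b4:0e:00` keeps the reservation (and, as a side effect, gives it an `s.` record, which may or may not be wanted). The per-subnet loop is otherwise repeated verbatim five times with only the prefix changing, which is the kind of duplication this commit set out to remove; a macro taking the prefix reduces each subnet block to one call. While there, `fixed-address` accepts a comma-separated list, so `{{ addrs | join(', ') }}` would reserve every address a host has in the subnet instead of only the first — a behaviour change, so only if that is intended. The `#host` placeholder for entries without `mac` is fine but deserves a one-line comment saying it is documentation only.
```jinja2
{% macro reservations(prefix) %}
{% for host in local_hosts if host.ips | ipaddr(prefix) %}
{% set addrs = host.ips | ipaddr(prefix) %}

{% if 'description' in host %}
  # {{ host.description }}
{% endif %}
{% if 'mac' in host %}
  host {{ host.name }} {
    hardware ethernet {{ host.mac }};
    fixed-address {{ addrs | join(', ') }};
{% if 'filename' in host %}
    filename "{{ host.filename }}";
{% endif %}
  }
{% else %}
  # no mac known: listed for documentation only, dhcpd cannot reserve it
  #host {{ host.name }} {
  #  fixed-address {{ addrs | first }};
  #}
{% endif %}
{% endfor %}
{% endmacro %}

# Admin net
subnet 10.42.0.0 netmask 255.255.255.0 {
{# … unchanged: range / routers / domain-name-servers options … #}
{{ reservations('10.42.0.0/24') }}
{# … unchanged: spacewand reservation; the other four subnets call the macro with their own prefix … #}
}
```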
@@ -0,0 +1,126 @@ +server: + pidfile: "/run/unbound/unbound.pid" + verbosity: 1 + statistics-interval: 0 + statistics-cumulative: no + extended-statistics: yes + num-threads: 1 + + define-tag: "local" + + interface: 127.0.0.1 + interface: ::1 + interface: 185.38.175.0 + interface: 2a01:4260:1ab:: + + outgoing-interface: 185.38.175.0 + outgoing-interface: 2a01:4260:1ab:: + outgoing-port-permit: 32768-60999 + outgoing-port-avoid: 0-32767 + + so-reuseport: yes + ip-transparent: yes + max-udp-size: 3072 + + access-control-tag: 127.0.0.1/32 "local" + access-control-tag: ::1/128 "local" + + access-control: 185.38.175.0/24 allow + access-control: 10.42.0.0/16 allow + access-control-tag: 10.42.0.0/24 "local" + access-control-tag: 10.42.1.0/24 "local" + access-control-tag: 10.42.2.0/24 "local" + # not free wifi 10.42.3.0/24 + access-control-tag: 10.42.4.0/24 "local" + access-control-tag: 10.42.5.0/24 "local" + access-control: 2a01:4260:1ab::/48 allow + access-control-tag: 2a01:4260:1ab:a::/64 "local" + access-control-tag: 2a01:4260:1ab:b::/64 "local" + access-control-tag: 2a01:4260:1ab:c::/64 "local" + # not free wifi 2a01:4260:1ab:d::/64 + access-control-tag: 2a01:4260:1ab:e::/64 "local" + access-control-tag: 2a01:4260:1ab:f::/64 "local" + + chroot: "" + username: "unbound" + directory: "/etc/unbound" + + use-syslog: yes + log-time-ascii: yes + + harden-glue: yes + harden-dnssec-stripped: yes + harden-below-nxdomain: yes + harden-referral-path: yes + qname-minimisation: yes + + prefetch: yes + prefetch-key: yes + rrset-roundrobin: yes + minimal-responses: yes + + module-config: "validator iterator" + + trust-anchor-signaling: yes + + trusted-keys-file: /etc/unbound/keys.d/*.key + auto-trust-anchor-file: "/var/lib/unbound/root.key" + + val-clean-additional: yes + val-permissive-mode: no + serve-expired: yes + val-log-level: 1 + + local-zone: a.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static + local-data: "a.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. 
nobody.invalid. 1 3600 1200 604800 10800" + local-data: "a.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk." + + local-zone: b.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static + local-data: "b.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800" + local-data: "b.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk." + + local-zone: c.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static + local-data: "c.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800" + local-data: "c.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk." + + local-zone: d.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static + local-data: "d.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800" + local-data: "d.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk." + + local-zone: e.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static + local-data: "e.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800" + local-data: "e.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk." + + local-zone: f.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. static + local-data: "f.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN SOA space.labitat.dk. nobody.invalid. 1 3600 1200 604800 10800" + local-data: "f.0.0.0.b.a.1.0.0.6.2.4.1.0.a.2.ip6.arpa. IN NS space.labitat.dk." + + local-zone: s. static + local-zone-tag: s. "local" + local-data: "s. IN SOA space.labitat.dk. esmil.labitat.dk. 20171119 3600 1200 604800 10800" + local-data: "s. IN NS space.labitat.dk." + local-data: "s. IN A 10.42.1.1" + local-data: "s. IN AAAA 2a01:4260:1ab::" + local-data: "labitrack.s. IN A 185.38.175.70" + local-data: "labitrack.s. IN AAAA 2a01:4260:1ab::cafe" + local-data: "track.s. IN A 185.38.175.70" + local-data: "track.s. 
IN AAAA 2a01:4260:1ab::cafe" +{% for host in local_hosts %} +{% for ip in host.ips | ipv4 %} +{% if loop.index <= 1 %} + local-data: "{{ host.name }}.s. IN A {{ ip }}" + local-data-ptr: "{{ ip }} {{ host.name }}.s." +{% endif %} +{% endfor %} +{% for ip in host.ips | ipv6 %} +{% if loop.index <= 1 %} + local-data: "{{ host.name }}.s. IN AAAA {{ ip }}" + local-data-ptr: "{{ ip }} {{ host.name }}.s." +{% endif %} +{% endfor %} +{% endfor %} + +remote-control: + control-enable: yes + control-use-cert: no + control-interface: "/run/unbound/control" -- cgit v1.2.1
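Review bot: Only the first IPv4 and first IPv6 of each host get A/AAAA and PTR records (the `loop.index <= 1` guards), so `ap2`'s second address 10.42.0.7 is resolvable neither forward nor reverse; if that is the intended policy, a template comment such as `{# only the first address of each family per host is published; further ips are DHCP-only #}` above the loop keeps the next editor from adding addresses that never appear in DNS, and if not, dropping the two guards publishes every address. The SOA serial `20171119` in the `s.` zone is now a literal in a template whose record set changes with `local_hosts`; since the zone is local and never transferred that is harmless, but a comment saying the serial is not maintained avoids the impression that it is.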