(wanna be) full dns stack ansible role
Go to file
2022-03-11 11:43:14 +01:00
handlers Restart also unbound when updating zones 2020-11-04 01:10:54 +01:00
keys Optionally filter by role in gen_key script 2020-11-04 01:12:05 +01:00
tasks Switch to bullseye 2022-03-11 11:43:14 +01:00
templates Forward to google resolver 2020-11-04 01:11:31 +01:00
.gitignore Ignore vagrant dir and ansible vault password file 2020-08-03 19:30:51 +02:00
ansible.cfg Fix ansible role search paths 2020-08-18 22:52:12 +02:00
inventory Init 2020-08-03 19:25:51 +02:00
playbook.yml Switch to bullseye 2022-03-11 11:43:14 +01:00
README.md Use more recent versions 2020-08-19 18:47:30 +02:00
test_vars.yml Init 2020-08-03 19:25:51 +02:00
Vagrantfile Init 2020-08-03 19:25:51 +02:00

Full DNS

Wannabe full-stack dns ansible role

Wat?

This role aims to configure (only on debian stable systems) a working dns stack that aims to offer for own zones:

  • authoritative DNS via nsd
  • primary/secondaries replication (with AXFR queries only on secure wireguard ptp tunnel)
  • DNS caching via unbound
  • DNSSEC
  • DNS-over-TLS
  • DNS-over-HTTPS (eventually via doh-proxy)
  • A bit of hardening here and there

Why?

I need it for my servers

How?

You need jnv.debian-backports as prerequisite role:

$ ansible-galaxy install jnv.debian-backports

Configure appropriately your inventory to include one main zone and pointing out the primary (star) and the secondaries (satellite). An example variable file looks like this

---
dns_server:
  verbosity: 3
  main_zone:
    name: foundation.lan
    soa: sagittarius.foundation.lan
    email: postmaster.foundation.lan
    records:
      - {name: "", type: MX, value: "10 terminus"}
      - {name: "", type: MX, value: "20 trantor"}
  zones:
    - name: seldon.org
      soa: sagittarius.seldon.org
      email: postmaster.seldon.org
      records:
        - {name: sagittarius, type: A, value: 192.168.123.20}
        - {name: hari, type: A, value: 192.168.123.21}
        - {name: "", type: MX, value: "10 sagittarius"}
        - {name: "", type: MX, value: "40 the.mule.net."}
    - name: mule.net
      soa: the.mule.net
      email: postmaster@foundation.net
      records:
        - {name: the, type: A, value: 10.13.12.20}
        - {name: "", type: MX, value: "10 sagittarius.seldon.org."}
        - {name: "", type: MX, value: "40 the"}
        - {name: _special_key, type: TXT, value: "GOTCHA"}
  servers:

    - name: sagittariusAstar
      hostname: sagittarius.foundation.lan
      local_resolver: true
      nsd_addr: 127.0.0.1
      nsd_port: 5353
      star: true
      public_ip: 192.168.123.20
      vpn:
        address: 10.13.12.20
        net_size: 24
        private_key: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          62346638623333623232376462346232316233653633343634376235393662396462326566633632
          3538386564616436343138343832383362653730396532350a353632323562666333383066353437
          31326366356139383636643663303263623537303730643236333363653135386636653064656163
          3166656534663766300a383232323561303436343562363433636432613636653866636364613464
          38663164646533656363613137353963643735633433303036316634373033306138306137356338
          6239666465306638313037343231373663633833626130623462
        public_key: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          65343336343938626332646439393065626636353837326166303239373463636664656535336365
          6138326166653438346466336533656136653665313832350a616431646232306436366166666537
          37313139303532663165343731666234633532323633646561353261613138666238353534633361
          3931393637333339630a343465363766626536663530656535323265373864376165343737633033
          31313262313133356364653964356537303761313135613464373031326334323933323033303733
          3861373164663366313766663835636561356565383363373433

    - name: trantor
      hostname: trantor.foundation.lan
      local_resolver: true
      nsd_addr: 127.0.0.1
      nsd_port: 5353
      satellite: true
      public_ip: 192.168.123.21
      vpn:
        address: 10.13.12.21
        net_size: 24
        private_key: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          37646262626137633331326438306463353538636332353134306161333962356138663535666538
          3064373263313763363630333733313966636665373130660a313163653136323634626431633161
          35323831386164366534616265313532343961333734376362643637353332346434373461386362
          3130656639303738620a313938376562373566646530383339376139623662633865306262393031
          33623661313739653966643766613734653665353337663435336430633730643461346363613961
          3531643132353633626333663539653839343963333037666536
        public_key: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          64613433666138303634653661633536356362396431363134383736653539613237643839643565
          6235326661333562646237623761356364376234383965300a666431663262346162633131363264
          65623238663838643531343065353039306231323836326335323463303161333938613231303139
          3132646335326339640a396162303436326231643364653637633036303137646666376138386637
          66303465653361366565626139656665303162316663616634363361346534643161663932313434
          6263316630323532346666373839613037303334316537366434

    - name: terminus
      hostname: terminus.foundation.lan
      nsd_addr: 127.0.0.1
      nsd_port: 5353
      satellite: true
      public_ip: 192.168.123.22
      vpn:
        address: 10.13.12.22
        net_size: 24
        private_key: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          66623362633739316266376234363561656639376637666165323465643738323664643261613065
          6463663063633163313432373564363636663234303264350a303032373336333133353766376364
          37663965663837663936383265346164343563656636623133346132626664383262356465313836
          3932666563326363660a306463383364386662613563653136333061326434373731323231323763
          64353130336661306266636565626561376465393737663832303633633436343633363861616364
          6436623833326632353363333862616634366133323534666166
        public_key: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          66333135396638326166396264386535646633663730333632306166633166323230376563316466
          3230383366336466623738613134346439303933346661630a626637313036613135656435343334
          30643530363638326264316664393833666134613234333435333831353966383162633862303063
          6665653534313461660a633566656130616562636337373434333037313030356336643266313135
          35663563626137653065633463613966363961343138656566333731373833366164333136313032
          3434343664333661346339373233373739393332636433363433

the public_key and private_key blocks can be generated with the provided python script. The usage is:

Usage:
    gen_keys.py <path/to/inventory> <path/to/vault_password_file>

The keys are output in the same path, at result.yml in an easy-to-copy form, yet per-host divided.