diff --git a/ansible/.ansible-lint b/ansible/.ansible-lint
index 0c31185..4534b90 100644
--- a/ansible/.ansible-lint
+++ b/ansible/.ansible-lint
@@ -1,2 +1,3 @@
+---
skip_list:
- - '403' # Package installs should not use latest.
+ - "403" # Package installs should not use latest.
diff --git a/ansible/deploy.yml b/ansible/deploy.yml
new file mode 100644
index 0000000..8e522c3
--- /dev/null
+++ b/ansible/deploy.yml
@@ -0,0 +1,19 @@
+---
+- name: Configure base
+ hosts: all
+ become: true
+ roles:
+ - role: dnf
+ when: ansible_facts['os_family'] == "RedHat"
+ - auditd
+ - fail2ban
+ - journald
+ - sshd
+ - role: timesyncd
+ when: ansible_facts['os_family'] == "Ubuntu"
+
+- name: Resolver
+ hosts: resolver
+ become: true
+ roles:
+ - knot_resolver
diff --git a/ansible/group_vars/all/all.yml b/ansible/group_vars/all/all.yml
new file mode 100644
index 0000000..bf06815
--- /dev/null
+++ b/ansible/group_vars/all/all.yml
@@ -0,0 +1,2 @@
+---
+resolver_ip: 10.20.0.42
diff --git a/ansible/group_vars/resolver/all.yml b/ansible/group_vars/resolver/all.yml
new file mode 100644
index 0000000..7b8e1fa
--- /dev/null
+++ b/ansible/group_vars/resolver/all.yml
@@ -0,0 +1,4 @@
+---
+kresd_allow:
+ - 10.0.0.0/8
+ - 172.16.0.0/12
diff --git a/ansible/hosts.yml b/ansible/hosts.yml
new file mode 100644
index 0000000..db621ac
--- /dev/null
+++ b/ansible/hosts.yml
@@ -0,0 +1,8 @@
+all:
+ hosts:
+ resolver-1:
+ ansible_host: 10.20.0.42
+ children:
+ resolver:
+ hosts:
+ resolver-1:
diff --git a/ansible/packer.yml b/ansible/packer.yml
index d5bf1ee..5df8ea6 100644
--- a/ansible/packer.yml
+++ b/ansible/packer.yml
@@ -13,5 +13,5 @@
when: ansible_facts['os_family'] == "Ubuntu"
post_tasks:
- name: Clean cloud-init
- ansible.builtin.command: "cloud-init clean"
+ ansible.builtin.command: cloud-init clean
changed_when: false
diff --git a/ansible/roles/auditd/tasks/main.yml b/ansible/roles/auditd/tasks/main.yml
index 0c1cf00..90acfb8 100755
--- a/ansible/roles/auditd/tasks/main.yml
+++ b/ansible/roles/auditd/tasks/main.yml
@@ -19,6 +19,6 @@
- name: Add rules
ansible.builtin.copy:
- src: 'custom.rules'
- dest: '/etc/audit/rules.d/custom.rules'
+ src: custom.rules
+ dest: /etc/audit/rules.d/custom.rules
mode: "0640"
diff --git a/ansible/roles/dnf/tasks/main.yml b/ansible/roles/dnf/tasks/main.yml
index fffeaa0..699c785 100644
--- a/ansible/roles/dnf/tasks/main.yml
+++ b/ansible/roles/dnf/tasks/main.yml
@@ -6,5 +6,5 @@
- name: Install epel
ansible.builtin.dnf:
- name: "epel-release"
- state: "latest"
+ name: epel-release
+ state: latest
diff --git a/ansible/roles/fail2ban/tasks/main.yml b/ansible/roles/fail2ban/tasks/main.yml
index 07c6109..b763312 100755
--- a/ansible/roles/fail2ban/tasks/main.yml
+++ b/ansible/roles/fail2ban/tasks/main.yml
@@ -1,20 +1,20 @@
---
- name: Install fail2ban
ansible.builtin.apt:
- name: "fail2ban"
+ name: fail2ban
state: latest
when: ansible_facts['os_family'] == "Debian"
- name: Install fail2ban
ansible.builtin.dnf:
- name: "fail2ban"
+ name: fail2ban
state: latest
when: ansible_facts['os_family'] == "RedHat"
- name: Copy sshd.conf
ansible.builtin.template:
- src: 'sshd.conf.j2'
- dest: '/etc/fail2ban/jail.d/sshd.conf'
+ src: sshd.conf.j2
+ dest: /etc/fail2ban/jail.d/sshd.conf
mode: "0640"
notify:
- Restart fail2ban
diff --git a/ansible/roles/journald/tasks/main.yml b/ansible/roles/journald/tasks/main.yml
index 45400e5..880d904 100755
--- a/ansible/roles/journald/tasks/main.yml
+++ b/ansible/roles/journald/tasks/main.yml
@@ -1,14 +1,14 @@
---
- name: Create /etc/systemd/journald.conf.d
ansible.builtin.file:
- path: '/etc/systemd/journald.conf.d'
- state: 'directory'
+ path: /etc/systemd/journald.conf.d
+ state: directory
mode: "0750"
- name: Copy retention-time.conf
ansible.builtin.copy:
- src: 'retention-time.conf'
- dest: '/etc/systemd/journald.conf.d'
+ src: retention-time.conf
+ dest: /etc/systemd/journald.conf.d
mode: "0640"
notify:
- Restart journald
diff --git a/ansible/roles/knot_resolver/handlers/main.yml b/ansible/roles/knot_resolver/handlers/main.yml
new file mode 100644
index 0000000..e40da42
--- /dev/null
+++ b/ansible/roles/knot_resolver/handlers/main.yml
@@ -0,0 +1,19 @@
+---
+- name: Package cache update
+ become: true
+ ansible.builtin.package:
+ update_cache: true
+
+- name: Restart knot resolver
+ become: true
+ ansible.builtin.service:
+ state: restarted
+ name: kresd@{{ item }}.service
+ with_sequence: count={{ ansible_processor_vcpus }}
+
+- name: Enable knot resolver
+ become: true
+ ansible.builtin.service:
+ enabled: true
+ name: kresd@{{ item }}.service
+ with_sequence: count={{ ansible_processor_vcpus }}
diff --git a/ansible/roles/knot_resolver/tasks/main.yml b/ansible/roles/knot_resolver/tasks/main.yml
new file mode 100644
index 0000000..e798b06
--- /dev/null
+++ b/ansible/roles/knot_resolver/tasks/main.yml
@@ -0,0 +1,21 @@
+---
+- name: Install knot repository
+ ansible.builtin.apt:
+ deb: https://secure.nic.cz/files/knot-resolver/knot-resolver-release.deb
+ notify:
+ - Package cache update
+
+- name: Install knot resolver
+ ansible.builtin.apt:
+ name: knot-resolver
+ notify:
+ - Enable knot resolver
+ - Restart knot resolver
+
+- name: Configure
+ ansible.builtin.template:
+ src: kresd.conf.j2
+ dest: /etc/knot-resolver/kresd.conf
+ mode: "0644"
+ notify:
+ - Restart knot resolver
diff --git a/ansible/roles/knot_resolver/templates/kresd.conf.j2 b/ansible/roles/knot_resolver/templates/kresd.conf.j2
new file mode 100644
index 0000000..8754040
--- /dev/null
+++ b/ansible/roles/knot_resolver/templates/kresd.conf.j2
@@ -0,0 +1,26 @@
+net.listen('{{resolver_ip}}', 53, { kind = 'dns'})
+cache.size = 128 * MB
+modules = {
+ 'hints > iterate', -- Allow loading /etc/hosts or custom root hints
+ 'predict', -- Prefetch expiring/frequent records
+}
+
+modules.load('prefill')
+prefill.config({
+ ['.'] = {
+ url = 'https://www.internic.net/domain/root.zone',
+ interval = 86400, -- seconds
+ }
+})
+
+modules.load('view')
+view:addr('127.0.0.0/8', policy.all(policy.PASS))
+view:addr('::1/128', policy.all(policy.PASS))
+{% for prefix in kresd_allow %}
+view:addr('{{ prefix }}', policy.all(policy.PASS))
+{% endfor %}
+view:addr('0.0.0.0/0', policy.all(policy.DROP))
+view:addr('::/0', policy.all(policy.DROP))
+
+log_target('stdout')
+log_level('debug')
\ No newline at end of file
diff --git a/ansible/roles/sshd/handlers/main.yml b/ansible/roles/sshd/handlers/main.yml
index 89aa775..435d655 100644
--- a/ansible/roles/sshd/handlers/main.yml
+++ b/ansible/roles/sshd/handlers/main.yml
@@ -1,3 +1,4 @@
+---
- name: Restart SSH
ansible.builtin.service:
name: sshd
diff --git a/ansible/roles/sshd/tasks/main.yml b/ansible/roles/sshd/tasks/main.yml
index 31f34f7..4bb826d 100644
--- a/ansible/roles/sshd/tasks/main.yml
+++ b/ansible/roles/sshd/tasks/main.yml
@@ -2,8 +2,8 @@
- name: Disable Password Authentication
ansible.builtin.lineinfile:
dest: /etc/ssh/sshd_config
- regexp: '^PasswordAuthentication'
- line: "PasswordAuthentication no"
+ regexp: ^PasswordAuthentication
+ line: PasswordAuthentication no
state: present
backup: true
notify:
@@ -12,8 +12,8 @@
- name: Disable Root Login
ansible.builtin.lineinfile:
dest: /etc/ssh/sshd_config
- regexp: '^PermitRootLogin'
- line: "PermitRootLogin no"
+ regexp: ^PermitRootLogin
+ line: PermitRootLogin no
state: present
backup: true
notify:
@@ -22,8 +22,8 @@
- name: Restrict host key
ansible.builtin.lineinfile:
dest: /etc/ssh/sshd_config
- regexp: '#HostKey /etc/ssh/ssh_host_ed25519_key'
- line: "HostKey /etc/ssh/ssh_host_ed25519_key"
+ regexp: "#HostKey /etc/ssh/ssh_host_ed25519_key"
+ line: HostKey /etc/ssh/ssh_host_ed25519_key
state: present
backup: true
notify:
@@ -31,8 +31,8 @@
- name: Configure sshd
ansible.builtin.copy:
- src: "crypto.conf"
- dest: "/etc/ssh/sshd_config.d/"
+ src: crypto.conf
+ dest: /etc/ssh/sshd_config.d/
owner: root
group: root
mode: "0640"
diff --git a/ansible/roles/timesyncd/tasks/main.yml b/ansible/roles/timesyncd/tasks/main.yml
index 51079fe..f747c0c 100755
--- a/ansible/roles/timesyncd/tasks/main.yml
+++ b/ansible/roles/timesyncd/tasks/main.yml
@@ -4,5 +4,5 @@
name: Europe/Brussels
- name: Enable ntp
- ansible.builtin.command: 'timedatectl set-ntp true'
+ ansible.builtin.command: timedatectl set-ntp true
changed_when: false