diff --git a/ansible/deploy.yml b/ansible/deploy.yml
index cc09b0b..c728576 100644
--- a/ansible/deploy.yml
+++ b/ansible/deploy.yml
@@ -12,7 +12,7 @@
     - role: timesyncd
       when: ansible_facts['os_family'] == "Debian"
     - role: ufw
-      when: ansible_facts['os_family'] == "Debian"
+      when: ansible_facts['os_family'] == "Ubuntu"
 
- name: Resolver
  hosts: resolver
diff --git a/ansible/hosts.yml b/ansible/hosts.yml
index ca71b3a..bdab6a3 100644
--- a/ansible/hosts.yml
+++ b/ansible/hosts.yml
@@ -1,19 +1,28 @@
+<<<<<<< HEAD
 ---
+=======
+>>>>>>> 2410885 (Add knot roles)
 all:
   hosts:
     resolver-1:
       ansible_host: 10.20.0.42
+<<<<<<< HEAD
     dhcp-1:
       ansible_host: 10.20.0.43
     authoritative-1:
       ansible_host: 10.20.0.44
+=======
+>>>>>>> 2410885 (Add knot roles)
   children:
     resolver:
       hosts:
         resolver-1:
+<<<<<<< HEAD
     kea-dhcp:
       hosts:
         dhcp-1:
     dns-authoritative:
       hosts:
         authoritative-1:
+=======
+>>>>>>> 2410885 (Add knot roles)
diff --git a/ansible/roles/authentik/handlers/main.yml b/ansible/roles/authentik/handlers/main.yml
new file mode 100644
index 0000000..e40da42
--- /dev/null
+++ b/ansible/roles/authentik/handlers/main.yml
@@ -0,0 +1,19 @@
+---
+- name: Package cache update
+  become: true
+  ansible.builtin.package:
+    update_cache: true
+
+- name: Restart knot resolver
+  become: true
+  ansible.builtin.service:
+    state: restarted
+    name: kresd@{{ item }}.service
+  with_sequence: count={{ ansible_processor_vcpus }}
+
+- name: Enable knot resolver
+  become: true
+  ansible.builtin.service:
+    enabled: true
+    name: kresd@{{ item }}.service
+  with_sequence: count={{ ansible_processor_vcpus }}
diff --git a/ansible/roles/authentik/tasks/main.yml b/ansible/roles/authentik/tasks/main.yml
new file mode 100644
index 0000000..e798b06
--- /dev/null
+++ b/ansible/roles/authentik/tasks/main.yml
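Review bot: `ansible_facts['os_family']` reports "Debian" on Ubuntu hosts (the distribution name lives in `ansible_facts['distribution']`), so the new condition on the ufw role never matches and the firewall role is silently skipped on every host. If the intent is to restrict ufw to Ubuntu, use `when: ansible_facts['distribution'] == "Ubuntu"`; if it should also cover Debian hosts, the original `os_family` check was already the right one. The enclosing play starts before this hunk.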
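Review bot: The hunk commits unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 2410885 (Add knot roles)`) into the inventory, so hosts.yml is no longer valid YAML and inventory loading will fail. Resolve the conflict before merging; note that the 2410885 side is empty at all three markers, so taking that side drops dhcp-1, authoritative-1 and the kea-dhcp/dns-authoritative groups, while keeping HEAD leaves the file as it was before.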
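Review bot: The `Package cache update` handler cannot do what the tasks in tasks/main.yml (next hunk) rely on: handlers are deferred to the end of the play, so `Install knot repository` notifies it but `Install knot resolver` runs immediately afterwards against the stale index, before the new repository is ever read. Either drop the handler and set `update_cache: true` on the `Install knot resolver` apt task, or insert `- ansible.builtin.meta: flush_handlers` between the two tasks. Also worth noting that the role lives under `roles/authentik` while every task and handler here manages knot-resolver, so a reader looking for the resolver role will not find it by name.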
@@ -0,0 +1,21 @@
+---
+- name: Install knot repository
+  ansible.builtin.apt:
+    deb: https://secure.nic.cz/files/knot-resolver/knot-resolver-release.deb
+  notify:
+    - Package cache update
+
+- name: Install knot resolver
+  ansible.builtin.apt:
+    name: knot-resolver
+  notify:
+    - Enable knot resolver
+    - Restart knot resolver
+
+- name: Configure
+  ansible.builtin.template:
+    src: kresd.conf.j2
+    dest: /etc/knot-resolver/kresd.conf
+    mode: "0644"
+  notify:
+    - Restart knot resolver
diff --git a/ansible/roles/authentik/templates/kresd.conf.j2 b/ansible/roles/authentik/templates/kresd.conf.j2
new file mode 100644
index 0000000..8754040
--- /dev/null
+++ b/ansible/roles/authentik/templates/kresd.conf.j2
@@ -0,0 +1,26 @@
+net.listen('{{resolver_ip}}', 53, { kind = 'dns'})
+cache.size = 128 * MB
+modules = {
+  'hints > iterate', -- Allow loading /etc/hosts or custom root hints
+  'predict', -- Prefetch expiring/frequent records
+}
+
+modules.load('prefill')
+prefill.config({
+  ['.'] = {
+    url = 'https://www.internic.net/domain/root.zone',
+    interval = 86400, -- seconds
+  }
+})
+
+modules.load('view')
+view:addr('127.0.0.0/8', policy.all(policy.PASS))
+view:addr('::1/128', policy.all(policy.PASS))
+{% for prefix in kresd_allow %}
+view:addr('{{ prefix }}', policy.all(policy.PASS))
+{% endfor %}
+view:addr('0.0.0.0/0', policy.all(policy.DROP))
+view:addr('::/0', policy.all(policy.DROP))
+
+log_target('stdout')
+log_level('debug')
\ No newline at end of file
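Review bot: None of the three tasks sets `become: true`, while every handler in handlers/main.yml does; unless the play in deploy.yml escalates at play level, installing packages and writing /etc/knot-resolver/kresd.conf will fail for an unprivileged connection user. Add `become: true` to each task (or to the play). Separately, `deb:` pointed at a URL installs whatever the host downloads with no integrity check beyond TLS; fetching it first with `ansible.builtin.get_url` and a `checksum:` value, then passing the local path to `deb:`, pins what actually gets installed.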
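Review bot: The template ships `log_level('debug')`, which makes kresd log every query and its internal processing to stdout on a production resolver; that is a large journal volume and a persistent record of client lookups. Make it a variable with a quieter default, `log_level('{{ kresd_log_level | default("notice") }}')`, and raise it only while troubleshooting. Minor: `{{resolver_ip}}` on the first line lacks the spacing used by `{{ prefix }}` further down, and the file is missing its trailing newline.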