From c9a1def59e3e7f758a93b57edca1dec5e203e3c4 Mon Sep 17 00:00:00 2001
From: Ada <ada@gnous.eu>
Date: Sun, 24 Mar 2024 22:12:56 +0100
Subject: [PATCH] Add knot roles

---
 ansible/deploy.yml                            |  2 +-
 ansible/hosts.yml                             |  9 +++++++
 ansible/roles/authentik/handlers/main.yml     | 19 ++++++++++++++
 ansible/roles/authentik/tasks/main.yml        | 21 +++++++++++++++
 .../roles/authentik/templates/kresd.conf.j2   | 26 +++++++++++++++++++
 5 files changed, 76 insertions(+), 1 deletion(-)
 create mode 100644 ansible/roles/authentik/handlers/main.yml
 create mode 100644 ansible/roles/authentik/tasks/main.yml
 create mode 100644 ansible/roles/authentik/templates/kresd.conf.j2

diff --git a/ansible/deploy.yml b/ansible/deploy.yml
index cc09b0b..c728576 100644
--- a/ansible/deploy.yml
+++ b/ansible/deploy.yml
@@ -12,7 +12,7 @@
     - role: timesyncd
       when: ansible_facts['os_family'] == "Debian"
     - role: ufw
-      when: ansible_facts['os_family'] == "Debian"
+      when: ansible_facts['os_family'] == "Ubuntu"
 
 - name: Resolver
   hosts: resolver
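Review bot: The new condition on the `ufw` role can never be true, because `ansible_facts['os_family']` is reported as "Debian" on Ubuntu hosts as well, so after this change the firewall role is silently skipped on every host. If the intent is to limit the role to Ubuntu, the distribution fact is the one to test: `when: ansible_facts['distribution'] == "Ubuntu"`; if all Debian-family hosts should get it, the removed line was already correct. The roles list and the play it belongs to start before this hunk.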
diff --git a/ansible/hosts.yml b/ansible/hosts.yml
index ca71b3a..bdab6a3 100644
--- a/ansible/hosts.yml
+++ b/ansible/hosts.yml
@@ -1,19 +1,28 @@
+<<<<<<< HEAD
 ---
+=======
+>>>>>>> 2410885 (Add knot roles)
 all:
   hosts:
     resolver-1:
       ansible_host: 10.20.0.42
+<<<<<<< HEAD
     dhcp-1:
       ansible_host: 10.20.0.43
     authoritative-1:
       ansible_host: 10.20.0.44
+=======
+>>>>>>> 2410885 (Add knot roles)
   children:
     resolver:
       hosts:
         resolver-1:
+<<<<<<< HEAD
     kea-dhcp:
       hosts:
         dhcp-1:
     dns-authoritative:
       hosts:
         authoritative-1:
+=======
+>>>>>>> 2410885 (Add knot roles)
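Review bot: The committed inventory still contains unresolved merge-conflict markers (`<<<<<<< HEAD` on the first added line, then `=======` and `>>>>>>> 2410885 (Add knot roles)` three times), and those nine marker lines are the only lines this hunk adds. A plain scalar such as `<<<<<<< HEAD` before `---`, and `=======` immediately followed by the `all:` mapping, are not valid YAML structure, so the inventory will most likely fail to parse and take every play in `deploy.yml` with it. Since the incoming side of each conflict is empty, the resolution is to keep the HEAD content (`dhcp-1`, `authoritative-1` and their groups), delete the marker lines and recommit.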
diff --git a/ansible/roles/authentik/handlers/main.yml b/ansible/roles/authentik/handlers/main.yml
new file mode 100644
index 0000000..e40da42
--- /dev/null
+++ b/ansible/roles/authentik/handlers/main.yml
@@ -0,0 +1,19 @@
+---
+- name: Package cache update
+  become: true
+  ansible.builtin.package:
+    update_cache: true
+
+- name: Restart knot resolver
+  become: true
+  ansible.builtin.service:
+    state: restarted
+    name: kresd@{{ item }}.service
+  with_sequence: count={{ ansible_processor_vcpus }}
+
+- name: Enable knot resolver
+  become: true
+  ansible.builtin.service:
+    enabled: true
+    name: kresd@{{ item }}.service
+  with_sequence: count={{ ansible_processor_vcpus }}
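Review bot: The role directory is `ansible/roles/authentik/`, yet everything in it — these handlers, the tasks file and `kresd.conf.j2` in the following hunks — manages Knot Resolver, so the role name will mislead anyone reading `deploy.yml`; renaming the directory to match its contents (e.g. `knot-resolver`, as the commit subject already calls these the knot roles) before other plays reference it avoids that. The `Package cache update` handler also uses `ansible.builtin.package` while the tasks that notify it use `ansible.builtin.apt` and install a `.deb`, so the role is apt-only in practice; `ansible.builtin.apt:` with `update_cache: true` states that plainly. Each instance handler expands `kresd@{{ item }}.service` from `ansible_processor_vcpus`, so the set of instances changes whenever a host's vCPU count does — acceptable, but worth a one-line comment above `with_sequence` such as `# one kresd instance per vCPU; instances are numbered 1..N`.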
diff --git a/ansible/roles/authentik/tasks/main.yml b/ansible/roles/authentik/tasks/main.yml
new file mode 100644
index 0000000..e798b06
--- /dev/null
+++ b/ansible/roles/authentik/tasks/main.yml
@@ -0,0 +1,21 @@
+---
+- name: Install knot repository
+  ansible.builtin.apt:
+    deb: https://secure.nic.cz/files/knot-resolver/knot-resolver-release.deb
+  notify:
+    - Package cache update
+
+- name: Install knot resolver
+  ansible.builtin.apt:
+    name: knot-resolver
+  notify:
+    - Enable knot resolver
+    - Restart knot resolver
+
+- name: Configure
+  ansible.builtin.template:
+    src: kresd.conf.j2
+    dest: /etc/knot-resolver/kresd.conf
+    mode: "0644"
+  notify:
+    - Restart knot resolver
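Review bot: `Install knot resolver` runs before the `Package cache update` handler it depends on, because handlers only fire at the end of the play (or at a `meta: flush_handlers`); on a fresh host the second apt task therefore consults the package index before the newly added repository has ever been fetched, so it either fails or, where the distribution ships its own `knot-resolver`, quietly installs that build instead of the vendor one. Give the install task its own refresh with `update_cache: true` under `ansible.builtin.apt` next to `name: knot-resolver`, or put `- ansible.builtin.meta: flush_handlers` between the two tasks. Separately, the release `.deb` is fetched by URL and installed as root with no integrity check beyond TLS; fetching it with `ansible.builtin.get_url` and `checksum: "sha256:<expected-digest>"` (the real digest from the vendor) before passing the local path to `deb:` pins what gets executed. None of the three tasks sets `become: true`, unlike every handler in this role, so unless the play itself sets it (not visible here) the apt and `/etc` writes will fail with permission errors.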
diff --git a/ansible/roles/authentik/templates/kresd.conf.j2 b/ansible/roles/authentik/templates/kresd.conf.j2
new file mode 100644
index 0000000..8754040
--- /dev/null
+++ b/ansible/roles/authentik/templates/kresd.conf.j2
@@ -0,0 +1,26 @@
+net.listen('{{resolver_ip}}', 53, { kind = 'dns'})
+cache.size = 128 * MB
+modules = {
+	'hints > iterate',  -- Allow loading /etc/hosts or custom root hints
+	'predict',          -- Prefetch expiring/frequent records
+}
+
+modules.load('prefill')
+prefill.config({
+    ['.'] = {
+        url = 'https://www.internic.net/domain/root.zone',
+        interval = 86400, -- seconds
+    }
+})
+
+modules.load('view')
+view:addr('127.0.0.0/8', policy.all(policy.PASS))
+view:addr('::1/128', policy.all(policy.PASS))
+{% for prefix in kresd_allow %}
+view:addr('{{ prefix }}', policy.all(policy.PASS))
+{% endfor %}
+view:addr('0.0.0.0/0', policy.all(policy.DROP))
+view:addr('::/0', policy.all(policy.DROP))
+
+log_target('stdout')
+log_level('debug') 
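Review bot: `log_level('debug')` on the last line leaves the resolver in its most verbose mode in a deployed config, which writes per-query detail (client addresses and queried names) to stdout/journal and costs throughput; `log_level('notice')` is the usual production setting, with debug raised temporarily when troubleshooting. The same line carries a trailing space and the file has no final newline, both of which land in the rendered `/etc/knot-resolver/kresd.conf`. Minor style: the `modules` table is tab-indented while `prefill.config` uses four spaces, and `{{resolver_ip}}` on the first line lacks the spaces inside the braces that `{{ prefix }}` uses. The view rules read as intended — loopback and the `kresd_allow` prefixes PASS, then the catch-all DROP — assuming kresd applies `view:addr` rules in insertion order with first match winning, which is worth confirming against the installed version's documentation.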
\ No newline at end of file