Add knot roles

ansible/deploy.yml

@@ -10,9 +10,7 @@
     - journald
     - sshd
     - role: timesyncd
-      when: ansible_facts['os_family'] == "Debian"
+      when: ansible_facts['os_family'] == "Ubuntu"
-    - role: ufw
-      when: ansible_facts['os_family'] == "Debian"
 
 - name: Resolver
   hosts: resolver

ansible/packer.yml

@@ -10,9 +10,7 @@
     - journald
     - sshd
     - role: timesyncd
-      when: ansible_facts['os_family'] == "Debian"
+      when: ansible_facts['os_family'] == "Ubuntu"
-    - role: ufw
-      when: ansible_facts['os_family'] == "Debian"
   post_tasks:
     - name: Clean cloud-init
       ansible.builtin.command: cloud-init clean

ansible/roles/authentik/handlers/main.yml

@@ -0,0 +1,19 @@
+---
+- name: Package cache update
+  become: true
+  ansible.builtin.package:
+    update_cache: true
+
+- name: Restart knot resolver
+  become: true
+  ansible.builtin.service:
+    state: restarted
+    name: kresd@{{ item }}.service
+  with_sequence: count={{ ansible_processor_vcpus }}
+
+- name: Enable knot resolver
+  become: true
+  ansible.builtin.service:
+    enabled: true
+    name: kresd@{{ item }}.service
+  with_sequence: count={{ ansible_processor_vcpus }}

ansible/roles/authentik/tasks/main.yml

@@ -0,0 +1,21 @@
+---
+- name: Install knot repository
+  ansible.builtin.apt:
+    deb: https://secure.nic.cz/files/knot-resolver/knot-resolver-release.deb
+  notify:
+    - Package cache update
+
+- name: Install knot resolver
+  ansible.builtin.apt:
+    name: knot-resolver
+  notify:
+    - Enable knot resolver
+    - Restart knot resolver
+
+- name: Configure
+  ansible.builtin.template:
+    src: kresd.conf.j2
+    dest: /etc/knot-resolver/kresd.conf
+    mode: "0644"
+  notify:
+    - Restart knot resolver

ansible/roles/authentik/templates/kresd.conf.j2

@@ -0,0 +1,26 @@
+net.listen('{{resolver_ip}}', 53, { kind = 'dns'})
+cache.size = 128 * MB
+modules = {
+	'hints > iterate',  -- Allow loading /etc/hosts or custom root hints
+	'predict',          -- Prefetch expiring/frequent records
+}
+
+modules.load('prefill')
+prefill.config({
+    ['.'] = {
+        url = 'https://www.internic.net/domain/root.zone',
+        interval = 86400, -- seconds
+    }
+})
+
+modules.load('view')
+view:addr('127.0.0.0/8', policy.all(policy.PASS))
+view:addr('::1/128', policy.all(policy.PASS))
+{% for prefix in kresd_allow %}
+view:addr('{{ prefix }}', policy.all(policy.PASS))
+{% endfor %}
+view:addr('0.0.0.0/0', policy.all(policy.DROP))
+view:addr('::/0', policy.all(policy.DROP))
+
+log_target('stdout')
+log_level('debug') 

ansible/roles/fail2ban/templates/sshd.conf.j2

@@ -2,7 +2,7 @@
 enabled = true
 bantime = -1
 maxretry = 3
-backend = systemd
 {% if ansible_facts['os_family'] == "RedHat" %}
+backend = systemd
 banaction = firewallcmd-ipset
 {% endif %}

ansible/roles/knot_resolver/tasks/main.yml

@@ -19,12 +19,3 @@
     mode: "0644"
   notify:
     - Restart knot resolver
-
-- name: Allow port 53 (DNS)
-  community.general.ufw:
-    rule: allow
-    port: "{{ item.port }}"
-    proto: "{{ item.proto }}"
-  with_items:
-    - { port: "53", proto: "tcp" }
-    - { port: "53", proto: "udp" }

ansible/roles/ufw/tasks/main.yml

@@ -1,14 +0,0 @@
----
-- name: Install UFW
-  ansible.builtin.apt:
-    name: ufw
-
-- name: Allow 22/tcp (SSH)
-  community.general.ufw:
-    rule: allow
-    port: "22"
-    proto: tcp
-
-- name: Enable UFW
-  community.general.ufw:
-    state: enabled