Compare commits
1 commit
46bbe11161
...
2410885737
Author | SHA1 | Date | |
---|---|---|---|
2410885737 |
8 changed files with 69 additions and 30 deletions
|
@ -10,9 +10,7 @@
|
|||
- journald
|
||||
- sshd
|
||||
- role: timesyncd
|
||||
when: ansible_facts['os_family'] == "Debian"
|
||||
- role: ufw
|
||||
when: ansible_facts['os_family'] == "Debian"
|
||||
when: ansible_facts['os_family'] == "Ubuntu"
|
||||
|
||||
- name: Resolver
|
||||
hosts: resolver
|
||||
|
|
|
@ -10,9 +10,7 @@
|
|||
- journald
|
||||
- sshd
|
||||
- role: timesyncd
|
||||
when: ansible_facts['os_family'] == "Debian"
|
||||
- role: ufw
|
||||
when: ansible_facts['os_family'] == "Debian"
|
||||
when: ansible_facts['os_family'] == "Ubuntu"
|
||||
post_tasks:
|
||||
- name: Clean cloud-init
|
||||
ansible.builtin.command: cloud-init clean
|
||||
|
|
19
ansible/roles/authentik/handlers/main.yml
Normal file
19
ansible/roles/authentik/handlers/main.yml
Normal file
|
@ -0,0 +1,19 @@
|
|||
---
|
||||
- name: Package cache update
|
||||
become: true
|
||||
ansible.builtin.package:
|
||||
update_cache: true
|
||||
|
||||
- name: Restart knot resolver
|
||||
become: true
|
||||
ansible.builtin.service:
|
||||
state: restarted
|
||||
name: kresd@{{ item }}.service
|
||||
with_sequence: count={{ ansible_processor_vcpus }}
|
||||
|
||||
- name: Enable knot resolver
|
||||
become: true
|
||||
ansible.builtin.service:
|
||||
enabled: true
|
||||
name: kresd@{{ item }}.service
|
||||
with_sequence: count={{ ansible_processor_vcpus }}
|
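Review bot: Every handler in this new ansible/roles/authentik/handlers/main.yml targets knot-resolver (`Restart knot resolver`, `Enable knot resolver`, the `kresd@N` units), which reads like the resolver role copied under the authentik name rather than anything deploying Authentik; worth confirming the intent before the role name misleads the next reader of the inventory. The restart handler (`name: kresd@{{ item }}.service` with `with_sequence: count={{ ansible_processor_vcpus }}`) bounces every kresd instance in one pass, so a config change briefly leaves the host with no listening resolver — if that is acceptable, say so with a comment such as `# Restarts all kresd@N instances together; expect a short resolution gap on config changes`. `with_sequence` is the legacy loop form; `loop: "{{ range(1, ansible_processor_vcpus | int + 1) | list }}"` is the current idiom and behaves the same.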
21
ansible/roles/authentik/tasks/main.yml
Normal file
21
ansible/roles/authentik/tasks/main.yml
Normal file
|
@ -0,0 +1,21 @@
|
|||
---
|
||||
- name: Install knot repository
|
||||
ansible.builtin.apt:
|
||||
deb: https://secure.nic.cz/files/knot-resolver/knot-resolver-release.deb
|
||||
notify:
|
||||
- Package cache update
|
||||
|
||||
- name: Install knot resolver
|
||||
ansible.builtin.apt:
|
||||
name: knot-resolver
|
||||
notify:
|
||||
- Enable knot resolver
|
||||
- Restart knot resolver
|
||||
|
||||
- name: Configure
|
||||
ansible.builtin.template:
|
||||
src: kresd.conf.j2
|
||||
dest: /etc/knot-resolver/kresd.conf
|
||||
mode: "0644"
|
||||
notify:
|
||||
- Restart knot resolver
|
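Review bot: `Install knot resolver` runs straight after `Install knot repository`, but the cache refresh it depends on is a handler (`Package cache update`) that only fires at the end of the play, so on a fresh host the first run tries to install `knot-resolver` from an apt cache that does not yet know the new repository. Either add `update_cache: true` under the `ansible.builtin.apt:` args of `Install knot resolver`, or put `- ansible.builtin.meta: flush_handlers` between the two tasks. The `deb:` install fetches the release package directly from the URL with no integrity check; downloading it first with `ansible.builtin.get_url` and `checksum: "sha256:<expected-hash-placeholder>"` and pointing `deb:` at the local file would pin what gets installed. None of the three tasks carries `become: true` while the handlers in the same role do, so unless the play sets become, the apt calls and the write to /etc/knot-resolver/kresd.conf will fail as an unprivileged user.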
26
ansible/roles/authentik/templates/kresd.conf.j2
Normal file
26
ansible/roles/authentik/templates/kresd.conf.j2
Normal file
|
@ -0,0 +1,26 @@
|
|||
net.listen('{{resolver_ip}}', 53, { kind = 'dns'})
|
||||
cache.size = 128 * MB
|
||||
modules = {
|
||||
'hints > iterate', -- Allow loading /etc/hosts or custom root hints
|
||||
'predict', -- Prefetch expiring/frequent records
|
||||
}
|
||||
|
||||
modules.load('prefill')
|
||||
prefill.config({
|
||||
['.'] = {
|
||||
url = 'https://www.internic.net/domain/root.zone',
|
||||
interval = 86400, -- seconds
|
||||
}
|
||||
})
|
||||
|
||||
modules.load('view')
|
||||
view:addr('127.0.0.0/8', policy.all(policy.PASS))
|
||||
view:addr('::1/128', policy.all(policy.PASS))
|
||||
{% for prefix in kresd_allow %}
|
||||
view:addr('{{ prefix }}', policy.all(policy.PASS))
|
||||
{% endfor %}
|
||||
view:addr('0.0.0.0/0', policy.all(policy.DROP))
|
||||
view:addr('::/0', policy.all(policy.DROP))
|
||||
|
||||
log_target('stdout')
|
||||
log_level('debug')
|
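Review bot: `log_level('debug')` on the last line enables kresd's most verbose logging on what is otherwise a production-shaped resolver, and with `log_target('stdout')` that output lands in the journal when run under systemd, costing disk and throughput on every query; `log_level('notice')` (kresd's default) or a templated `log_level('{{ kresd_log_level | default('notice') }}')` would be the safer baseline, with debug raised only while investigating. Since the same commit deletes the ufw role and the port-53 allow task (the two deletion hunks further down), the `view:addr` rules here appear to become the only access control on port 53 — `policy.DROP` returns nothing, so the host is not a reflection source, but every packet from outside `kresd_allow` still reaches kresd; if host-level filtering is handled elsewhere, a one-line comment at the top of the template saying where would spare the next reader that question. Minor style: `'{{resolver_ip}}'` lacks the spaces used by `{{ prefix }}` below.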
|
@ -2,7 +2,7 @@
|
|||
enabled = true
|
||||
bantime = -1
|
||||
maxretry = 3
|
||||
backend = systemd
|
||||
{% if ansible_facts['os_family'] == "RedHat" %}
|
||||
backend = systemd
|
||||
banaction = firewallcmd-ipset
|
||||
{% endif %}
|
|
@ -19,12 +19,3 @@
|
|||
mode: "0644"
|
||||
notify:
|
||||
- Restart knot resolver
|
||||
|
||||
- name: Allow port 53 (DNS)
|
||||
community.general.ufw:
|
||||
rule: allow
|
||||
port: "{{ item.port }}"
|
||||
proto: "{{ item.proto }}"
|
||||
with_items:
|
||||
- { port: "53", proto: "tcp" }
|
||||
- { port: "53", proto: "udp" }
|
||||
|
|
|
@ -1,14 +0,0 @@
|
|||
---
|
||||
- name: Install UFW
|
||||
ansible.builtin.apt:
|
||||
name: ufw
|
||||
|
||||
- name: Allow 22/tcp (SSH)
|
||||
community.general.ufw:
|
||||
rule: allow
|
||||
port: "22"
|
||||
proto: tcp
|
||||
|
||||
- name: Enable UFW
|
||||
community.general.ufw:
|
||||
state: enabled
|