wip

.gitignore

@@ -0,0 +1 @@
+venv/

ansible/deploy.yml

@@ -10,6 +10,8 @@
     - journald
     - sshd
     - role: timesyncd
+      when: ansible_facts['os_family'] == "Debian"
+    - role: ufw
       when: ansible_facts['os_family'] == "Ubuntu"
 
 - name: Resolver
@@ -17,3 +19,15 @@
   become: true
   roles:
     - knot_resolver
+
+- name: DHCP
+  hosts: kea-dhcp
+  become: true
+  roles:
+    - kea_dhcp
+
+- name: Knot
+  hosts: dns-authoritative
+  become: true
+  roles:
+    - knot

ansible/group_vars/dns-authoritative/all.yml

@@ -0,0 +1,11 @@
+---
+acls:
+  - id: ddns
+    action: update
+    address: 10.20.0.42/32
+
+zones:
+  - domain: lab.r4.pm
+    acl: ddns
+
+listen_ip: 10.20.0.44

ansible/group_vars/kea-dhcp/all.yml

@@ -0,0 +1,19 @@
+---
+domain: r4.pm
+domain_search:
+  - lab.r4.pm
+  - r4.pm
+
+networks:
+  - subnet: 10.15.0.0/24
+    start: 10.15.0.200
+    end: 10.15.0.254
+    routers: 10.15.0.1
+  - subnet: 10.20.0.0/24
+    start: 10.20.0.200
+    end: 10.20.0.254
+    routers: 10.20.0.1
+  - subnet: 10.30.0.0/24
+    start: 10.30.0.200
+    end: 10.30.0.254
+    routers: 10.30.0.1

ansible/group_vars/resolver/all.yml

@@ -2,3 +2,8 @@
 kresd_allow:
   - 10.0.0.0/8
   - 172.16.0.0/12
+
+forward:
+  - zone: lab.r4.pm.
+    address: 10.20.0.44
+    ds: "lab.r4.pm. DS 61454 13 4 c510acc4a85ee8cfd93205b0cdc8d65a9e5376cf45517e5bd7db7fc836d076df688b11cf7f3a3b33a9b1011d74d00e74"

ansible/hosts.yml

@@ -1,8 +1,28 @@
+<<<<<<< HEAD
+---
+=======
+>>>>>>> 2410885 (Add knot roles)
 all:
   hosts:
     resolver-1:
       ansible_host: 10.20.0.42
+<<<<<<< HEAD
+    dhcp-1:
+      ansible_host: 10.20.0.43
+    authoritative-1:
+      ansible_host: 10.20.0.44
+=======
+>>>>>>> 2410885 (Add knot roles)
   children:
     resolver:
       hosts:
         resolver-1:
+<<<<<<< HEAD
+    kea-dhcp:
+      hosts:
+        dhcp-1:
+    dns-authoritative:
+      hosts:
+        authoritative-1:
+=======
+>>>>>>> 2410885 (Add knot roles)

ansible/packer.yml

@@ -10,7 +10,9 @@
     - journald
     - sshd
     - role: timesyncd
-      when: ansible_facts['os_family'] == "Ubuntu"
+      when: ansible_facts['os_family'] == "Debian"
+    - role: ufw
+      when: ansible_facts['os_family'] == "Debian"
   post_tasks:
     - name: Clean cloud-init
       ansible.builtin.command: cloud-init clean

ansible/roles/authentik/tasks/build.yml

@@ -7,26 +7,37 @@
     force: true
 
 - name: Build front
-  ansible.builtin.shell: |
-    cd /opt/authentik/src/website
-    npm i
-    npm run build-docs-only
-    cd /opt/authentik/src/web
-    npm i
-    npm run build
+  ansible.builtin.shell:
+    executable: /bin/bash
+    cmd: |
+      export NODE_ENV=production
+      cd /opt/authentik/src/website
+      npm ci --include=dev
+      npm run build-docs-only
+      cd /opt/authentik/src/web
+      npm ci --include=dev
+      npm run build
+
+- name: Build go proxy
+  ansible.builtin.shell:
+    executable: /bin/bash
+    cmd: |
+      cd /opt/authentik/src/
+      go mod download
+      CGO_ENABLED=0 go build -o /opt/authentik/server ./cmd/server
 
 - name: Create virtualenv
   ansible.builtin.command: python3.12 -m venv /opt/authentik/src/venv
 
 - name: Installl poetry and dependencies
-  ansible.builtin.shell: |
-    cd /opt/authentik/src/
-    venv/bin/pip install poetry
-    venv/bin/poetry install --only=main --no-ansi --no-interaction --no-root
-
-
-- name: Build go proxy
-  ansible.builtin.shell: |-
-    cd /opt/authentik/src/
-    sed -i "s/c.Setup(\".\/authentik\/lib\/default.yml\", \".\/local.env.yml\")/c.Setup(\"\/etc\/authentik\/config.yml\", \".\/authentik\/lib\/default.yml\", \".\/local.env.yml\")/" /opt/authentik/src/internal/config/config.go
-    go build -o /opt/authentik/src/authentik-server  ./cmd/server/
+  ansible.builtin.shell:
+    executable: /bin/bash
+    cmd: |
+      cd /opt/authentik/src
+      source /opt/authentik/src/venv/bin/activate
+      export VENV_PATH=/opt/authentik/src/venv
+      export POETRY_VIRTUALENVS_CREATE=false
+      venv/bin/pip3 install --upgrade pip
+      venv/bin/pip3 install poetry
+      venv/bin/poetry venv use venv/python3.12
+      venv/bin/poetry install --only=main --no-ansi --no-interaction --no-root

ansible/roles/authentik/tasks/dependencies.yml

@@ -1,9 +1,13 @@
 ---
 - name: Install roles dependencies
   ansible.builtin.apt:
+    install_recommends: false
     name: "{{ item }}"
   with_items:
     - git
+    - build-essential
+    - pkg-config
+    - zlib1g-dev
     - libpq-dev
     - libxmlsec1-dev
 

ansible/roles/authentik/tasks/main.yml

@@ -11,3 +11,22 @@
   tags:
     - build
   become_user: authentik
+
+- name: Create useful directory
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: "0755"
+    owner: authentik
+  with_items:
+    - /opt/authentik/certs
+    - /opt/authentik/media
+    - /etc/authentik
+
+- name: Test
+  ansible.builtin.copy:
+    remote_src: true
+    src: /opt/authentik/src/blueprints
+    dest: /opt/authentik/blueprints
+    owner: authentik
+  become: true

ansible/roles/fail2ban/templates/sshd.conf.j2

@@ -2,7 +2,7 @@
 enabled = true
 bantime = -1
 maxretry = 3
-{% if ansible_facts['os_family'] == "RedHat" %}
 backend = systemd
+{% if ansible_facts['os_family'] == "RedHat" %}
 banaction = firewallcmd-ipset
 {% endif %}

ansible/roles/kea_dhcp/handlers/main.yml

@@ -0,0 +1,11 @@
+---
+- name: Restart isc-kea-dhcp4-server
+  become: true
+  ansible.builtin.service:
+    state: restarted
+    name: isc-kea-dhcp4-server
+
+- name: Enable isc-kea-dhcp4-server
+  ansible.builtin.service:
+    enabled: true
+    name: isc-kea-dhcp4-server

ansible/roles/kea_dhcp/tasks/main.yml

@@ -0,0 +1,40 @@
+---
+- name: Add kea dhcp pgp key
+  ansible.builtin.get_url:
+    url: https://dl.cloudsmith.io/public/isc/kea-2-4/gpg.0D9D9A1439E23DB9.key
+    dest: /usr/share/keyrings/kea-archive-keyring.asc
+    mode: "0644"
+    validate_certs: true
+    checksum: sha512:f58db6baa7f7147c3280275b6f7cc11e34836fb904604d587c1883e6b4a8e89377046809203e2f1a1a87a7f28556728a9ecdb740d62e753592d2dbab0d2e87c8
+  changed_when: false
+  no_log: false
+
+- name: Add kea dhcp repository
+  ansible.builtin.apt_repository:
+    repo: "deb [signed-by=/usr/share/keyrings/kea-archive-keyring.asc]
+     https://dl.cloudsmith.io/public/isc/kea-2-4/deb/{{ ansible_distribution|lower }} {{ ansible_distribution_release }} main"
+    state: present
+    filename: isc-kea-dhcp
+
+- name: Install isc-kea-dhcp
+  ansible.builtin.apt:
+    name: isc-kea-dhcp4-server
+  notify:
+    - Enable isc-kea-dhcp4-server
+
+- name: Configure isc-kea-dhcp
+  ansible.builtin.template:
+    src: kea-dhcp4.conf.j2
+    dest: /etc/kea/kea-dhcp4.conf
+    owner: _kea
+    mode: '0640'
+  notify:
+    - Restart isc-kea-dhcp4-server
+
+- name: Open required ports
+  community.general.ufw:
+    rule: allow
+    port: "{{ item }}"
+    proto: udp
+  with_items:
+    - '67'

ansible/roles/kea_dhcp/templates/kea-dhcp4.conf.j2

@@ -0,0 +1,79 @@
+{
+"Dhcp4": {
+    "interfaces-config": {
+        "interfaces": [ "eth0" ],
+    },
+
+    "control-socket": {
+        "socket-type": "unix",
+        "socket-name": "/tmp/kea4-ctrl-socket"
+    },
+
+    "lease-database": {
+        // Memfile is the simplest and easiest backend to use. It's an in-memory
+        // C++ database that stores its state in CSV file.
+        "type": "memfile",
+        "lfc-interval": 3600
+    },
+
+    "expired-leases-processing": {
+        "reclaim-timer-wait-time": 10,
+        "flush-reclaimed-timer-wait-time": 25,
+        "hold-reclaimed-time": 3600,
+        "max-reclaim-leases": 100,
+        "max-reclaim-time": 250,
+        "unwarned-reclaim-cycles": 5
+    },
+
+    "renew-timer": 900,
+    "rebind-timer": 1800,
+    "valid-lifetime": 3600,
+
+    "option-data": [
+        {
+            "name": "domain-name-servers",
+            "data": "{{ resolver_ip }}"
+        },
+        {
+            "code": 15,
+            "data": "{{ domain }}"
+        },
+
+        {
+            "name": "domain-search",
+            "data": "{{ domain_search|join(', ') }}"
+        },
+    ],
+
+    "subnet4": [
+        {% for network in networks %}
+        {
+            "subnet": "{{ network.subnet }}",
+
+            "pools": [ { "pool": "{{ network.start }} - {{ network.end }}" } ],
+
+            "option-data": [
+                {
+                    "name": "routers",
+                    "data": "{{ network.routers }}"
+                }
+            ],
+        }{% if not loop.last %},{% endif %}
+        {% endfor %}
+    ],
+
+    "loggers": [
+    {
+        "name": "kea-dhcp4",
+        "output_options": [
+            {
+                "output": "stdout",
+            }
+        ],
+        "severity": "INFO",
+
+        "debuglevel": 0
+    }
+  ]
+}
+}

ansible/roles/knot/files/zones/lab.r4.pm.zone

@@ -0,0 +1,12 @@
+$ORIGIN lab.r4.pm.
+$TTL 3600
+@   IN  SOA   knot.lab.r4.pm. admin.r4.pm. (
+    2024041800 ; serial number
+    12h        ; refresh
+    15m        ; update retry
+    3w         ; expiry
+    2h         ; minimum
+)
+
+@               86400 IN NS knot.lab.r4.pm.
+knot.lab.r4.pm. 86400 IN A  10.20.0.44

ansible/roles/knot/handlers/main.yml

@@ -0,0 +1,15 @@
+---
+- name: Restart knot
+  ansible.builtin.service:
+    state: restarted
+    name: knot
+
+- name: Reload knot
+  ansible.builtin.service:
+    state: reloaded
+    name: knot
+
+- name: Enable knot
+  ansible.builtin.service:
+    enabled: true
+    name: knot

ansible/roles/knot/tasks/main.yml

@@ -0,0 +1,57 @@
+---
+- name: Add knot pgp key
+  ansible.builtin.get_url:
+    url: https://pkg.labs.nic.cz/gpg
+    dest: /usr/share/keyrings/cznic-labs-pkg.gpg
+    mode: "0644"
+    validate_certs: true
+    checksum: sha512:e78a1404feff1040c86f4a199495e4a2cf82684b8ff22ffc318a9bffa0ddf45136e484bc17e4440660c089e1c186af77008c76fb463434611b1f60709b57ee52
+  changed_when: false
+  no_log: false
+
+- name: Add knot repository
+  ansible.builtin.apt_repository:
+    repo: "deb [signed-by=/usr/share/keyrings/cznic-labs-pkg.gpg] https://pkg.labs.nic.cz/knot-dns {{ ansible_distribution_release }} main"
+    state: present
+    filename: knot-dns
+
+- name: Install knot
+  ansible.builtin.apt:
+    name: knot
+  notify:
+    - Enable knot
+    - Restart knot
+
+- name: Configure knot
+  ansible.builtin.template:
+    src: knot.conf.j2
+    dest: /etc/knot/knot.conf
+    owner: knot
+    mode: '0640'
+  notify: Restart knot
+
+- name: Allow port 53 (DNS)
+  community.general.ufw:
+    rule: allow
+    port: "{{ item.port }}"
+    proto: "{{ item.proto }}"
+  with_items:
+    - { port: "53", proto: tcp }
+    - { port: "53", proto: udp }
+
+- name: Create knot zones directory
+  ansible.builtin.file:
+    path: /var/lib/knot/zones/
+    state: directory
+    mode: '0750'
+    owner: knot
+
+- name: Copy zone
+  ansible.builtin.copy:
+    src: "{{ item }}"
+    dest: /var/lib/knot/zones/
+    owner: knot
+    mode: '0640'
+  with_fileglob:
+    - zones/*
+  notify: Reload knot

ansible/roles/knot/templates/knot.conf.j2

@@ -0,0 +1,32 @@
+server:
+    rundir: "/run/knot"
+    user: knot:knot
+    automatic-acl: on
+    listen: [ {{ listen_ip }}@53 ]
+
+log:
+  - target: syslog
+    any: info
+
+database:
+    storage: "/var/lib/knot"
+
+acl:
+{% for acl in acls %}
+  - id: {{ acl.id }}
+    address: {{ acl.address }}
+    action: {{ acl.action }}
+{% endfor %}
+
+template:
+  - id: default
+    storage: "/var/lib/knot/zones"
+    file: "%s.zone"
+    dnssec-signing: on
+    serial-policy: dateserial
+
+zone:
+{% for zone in zones %}
+  - domain: {{ zone.domain }}
+    acl: {{ zone.acl }}
+{% endfor %}

ansible/roles/knot_resolver/tasks/main.yml

@@ -19,3 +19,12 @@
     mode: "0644"
   notify:
     - Restart knot resolver
+
+- name: Allow port 53 (DNS)
+  community.general.ufw:
+    rule: allow
+    port: "{{ item.port }}"
+    proto: "{{ item.proto }}"
+  with_items:
+    - { port: "53", proto: tcp }
+    - { port: "53", proto: udp }

ansible/roles/knot_resolver/templates/kresd.conf.j2

@@ -22,5 +22,9 @@ view:addr('{{ prefix }}', policy.all(policy.PASS))
 view:addr('0.0.0.0/0', policy.all(policy.DROP))
 view:addr('::/0', policy.all(policy.DROP))
 
+{% for zones in forward %}
+policy.add(policy.suffix(policy.FORWARD('{{ zones.address }}'), {todname('{{ zones.zone }}')}))
+trust_anchors.add('{{ zones.ds }}')
+{% endfor %}
 log_target('stdout')
-log_level('debug') 
+log_level('info') 

ansible/roles/ufw/tasks/main.yml

@@ -0,0 +1,14 @@
+---
+- name: Install UFW
+  ansible.builtin.apt:
+    name: ufw
+
+- name: Allow 22/tcp (SSH)
+  community.general.ufw:
+    rule: allow
+    port: "22"
+    proto: tcp
+
+- name: Enable UFW
+  community.general.ufw:
+    state: enabled

ansible/upgrade.yml

@@ -0,0 +1,16 @@
+---
+- name: Upgreade
+  hosts: all
+  become: true
+  tasks:
+    - name: Ugrade debian based
+      ansible.builtin.apt:
+        update_cache: true
+        upgrade: true
+      when: ansible_facts['os_family'] == "Debian"
+   
+    - name: Upgrade all packages
+      ansible.builtin.dnf:
+        name: "*"
+        state: latest
+      when: ansible_facts['os_family'] == "RedHat"