wip

ansible/deploy.yml

@@ -12,7 +12,7 @@
     - role: timesyncd
       when: ansible_facts['os_family'] == "Debian"
     - role: ufw
-      when: ansible_facts['os_family'] == "Debian"
+      when: ansible_facts['os_family'] == "Ubuntu"
 
 - name: Resolver
   hosts: resolver

ansible/hosts.yml

@@ -1,19 +1,28 @@
+<<<<<<< HEAD
 ---
+=======
+>>>>>>> 2410885 (Add knot roles)
 all:
   hosts:
     resolver-1:
       ansible_host: 10.20.0.42
+<<<<<<< HEAD
     dhcp-1:
       ansible_host: 10.20.0.43
     authoritative-1:
       ansible_host: 10.20.0.44
+=======
+>>>>>>> 2410885 (Add knot roles)
   children:
     resolver:
       hosts:
         resolver-1:
+<<<<<<< HEAD
     kea-dhcp:
       hosts:
         dhcp-1:
     dns-authoritative:
       hosts:
         authoritative-1:
+=======
+>>>>>>> 2410885 (Add knot roles)

ansible/roles/authentik/handlers/main.yml

@@ -0,0 +1,19 @@
+---
+- name: Package cache update
+  become: true
+  ansible.builtin.package:
+    update_cache: true
+
+- name: Restart knot resolver
+  become: true
+  ansible.builtin.service:
+    state: restarted
+    name: kresd@{{ item }}.service
+  with_sequence: count={{ ansible_processor_vcpus }}
+
+- name: Enable knot resolver
+  become: true
+  ansible.builtin.service:
+    enabled: true
+    name: kresd@{{ item }}.service
+  with_sequence: count={{ ansible_processor_vcpus }}

ansible/roles/authentik/tasks/build.yml

@@ -0,0 +1,43 @@
+---
+- name: Get authentik source
+  ansible.builtin.git:
+    repo: https://github.com/goauthentik/authentik.git
+    dest: /opt/authentik/src
+    version: version/2024.2.2
+    force: true
+
+- name: Build front
+  ansible.builtin.shell:
+    executable: /bin/bash
+    cmd: |
+      export NODE_ENV=production
+      cd /opt/authentik/src/website
+      npm ci --include=dev
+      npm run build-docs-only
+      cd /opt/authentik/src/web
+      npm ci --include=dev
+      npm run build
+
+- name: Build go proxy
+  ansible.builtin.shell:
+    executable: /bin/bash
+    cmd: |
+      cd /opt/authentik/src/
+      go mod download
+      CGO_ENABLED=0 go build -o /opt/authentik/server ./cmd/server
+
+- name: Create virtualenv
+  ansible.builtin.command: python3.12 -m venv /opt/authentik/src/venv
+
+- name: Installl poetry and dependencies
+  ansible.builtin.shell:
+    executable: /bin/bash
+    cmd: |
+      cd /opt/authentik/src
+      source /opt/authentik/src/venv/bin/activate
+      export VENV_PATH=/opt/authentik/src/venv
+      export POETRY_VIRTUALENVS_CREATE=false
+      venv/bin/pip3 install --upgrade pip
+      venv/bin/pip3 install poetry
+      venv/bin/poetry venv use venv/python3.12
+      venv/bin/poetry install --only=main --no-ansi --no-interaction --no-root

ansible/roles/authentik/tasks/dependencies.yml

@@ -0,0 +1,63 @@
+---
+- name: Install roles dependencies
+  ansible.builtin.apt:
+    install_recommends: false
+    name: "{{ item }}"
+  with_items:
+    - git
+    - build-essential
+    - pkg-config
+    - zlib1g-dev
+    - libpq-dev
+    - libxmlsec1-dev
+
+- name: Add deadsnake ppa for python3.12
+  ansible.builtin.apt_repository:
+    repo: ppa:deadsnakes/ppa
+
+- name: Install python3.12
+  ansible.builtin.apt:
+    name: "{{ item }}"
+  with_items:
+    - python3.12
+    - python3.12-distutils
+    - python3.12-venv
+    - python3.12-dev
+
+- name: Add longsleep ppa for go 1.22
+  ansible.builtin.apt_repository:
+    repo: ppa:longsleep/golang-backports
+
+- name: Install go 1.22
+  ansible.builtin.apt:
+    name: golang-go
+
+- name: Download node GPG key
+  ansible.builtin.get_url:
+    url: https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key
+    dest: /usr/share/keyrings/node-archive-keyring.asc
+    mode: "0644"
+    validate_certs: true
+    checksum: sha512:36c77b2bddaea0523ab90962a38ebd3ee90c3d5cf17e525f02898aa8e7b14fd1026f6d659b99d931fe907e9142a98ff08075ebfc56f0f1e2001c6ba4791d3daa
+  changed_when: false
+  no_log: false
+
+- name: Add nodesource repo for node
+  ansible.builtin.apt_repository:
+    repo: deb [arch=amd64 signed-by=/usr/share/keyrings/node-archive-keyring.asc] https://deb.nodesource.com/node_21.x nodistro main
+
+- name: Install nodejs
+  ansible.builtin.apt:
+    name: nodejs
+
+- name: Add authentik user
+  ansible.builtin.user:
+    name: authentik
+    system: true
+
+- name: Create /opt/authentik
+  ansible.builtin.file:
+    path: /opt/authentik
+    state: directory
+    mode: "0755"
+    owner: authentik

ansible/roles/authentik/tasks/main.yml

@@ -0,0 +1,32 @@
+---
+- name: Install dependencies
+  ansible.builtin.import_tasks: dependencies.yml
+  become: true
+  tags:
+    - install_dependencies
+
+- name: Build authentik
+  ansible.builtin.import_tasks: build.yml
+  become: true
+  tags:
+    - build
+  become_user: authentik
+
+- name: Create useful directory
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: "0755"
+    owner: authentik
+  with_items:
+    - /opt/authentik/certs
+    - /opt/authentik/media
+    - /etc/authentik
+
+- name: Test
+  ansible.builtin.copy:
+    remote_src: true
+    src: /opt/authentik/src/blueprints
+    dest: /opt/authentik/blueprints
+    owner: authentik
+  become: true

ansible/roles/authentik/templates/kresd.conf.j2

@@ -0,0 +1,26 @@
+net.listen('{{resolver_ip}}', 53, { kind = 'dns'})
+cache.size = 128 * MB
+modules = {
+	'hints > iterate',  -- Allow loading /etc/hosts or custom root hints
+	'predict',          -- Prefetch expiring/frequent records
+}
+
+modules.load('prefill')
+prefill.config({
+    ['.'] = {
+        url = 'https://www.internic.net/domain/root.zone',
+        interval = 86400, -- seconds
+    }
+})
+
+modules.load('view')
+view:addr('127.0.0.0/8', policy.all(policy.PASS))
+view:addr('::1/128', policy.all(policy.PASS))
+{% for prefix in kresd_allow %}
+view:addr('{{ prefix }}', policy.all(policy.PASS))
+{% endfor %}
+view:addr('0.0.0.0/0', policy.all(policy.DROP))
+view:addr('::/0', policy.all(policy.DROP))
+
+log_target('stdout')
+log_level('debug')