From 866005c055b29705d7df59d0c53acf27df2531e4 Mon Sep 17 00:00:00 2001 From: bitwhisker Date: Sun, 24 May 2026 04:01:11 +0200 Subject: [PATCH] rt1(z9 host) unbound(role) kea_dhcp(role): create unbound and kea_dhcp role for rt1 - create unbound role - create kea_dhcp role - configure unbound and keadhcp on rt1(z9 host) --- inventories/z9/host_vars/rt1.yaml | 1 + inventories/z9/hosts.yaml | 7 + playbooks/deploy.yaml | 14 + resources/z9/rt1/kea_dhcp.yaml | 293 ++++++++++++++++++ resources/z9/rt1/nftables/nftables.conf | 3 + roles/kea_dhcp/defaults/main.yaml | 69 +++++ roles/kea_dhcp/handlers/main.yml | 30 ++ roles/kea_dhcp/meta/argument_specs.yaml | 125 ++++++++ roles/kea_dhcp/tasks/install_archlinux.yml | 8 + roles/kea_dhcp/tasks/install_debian.yml | 22 ++ roles/kea_dhcp/tasks/kea.yaml | 51 +++ roles/kea_dhcp/tasks/main.yml | 19 ++ roles/kea_dhcp/tasks/stork-agent.yaml | 76 +++++ .../kea_dhcp/templates/kea-ctrl-agent.conf.j2 | 20 ++ roles/kea_dhcp/templates/kea-dhcp4.conf.jinja | 27 ++ roles/kea_dhcp/templates/kea-dhcp6.conf.jinja | 27 ++ .../kea_dhcp/templates/stork-agent.env.jinja | 44 +++ roles/unbound/README.md | 19 ++ roles/unbound/defaults/main.yml | 7 + roles/unbound/files/no-resolved.resolv.conf | 1 + roles/unbound/handlers/main.yml | 27 ++ roles/unbound/tasks/main.yml | 63 ++++ roles/unbound/tasks/prometheus-exporter.yml | 17 + roles/unbound/templates/unbound.conf.j2 | 73 +++++ 24 files changed, 1043 insertions(+) create mode 100644 resources/z9/rt1/kea_dhcp.yaml create mode 100644 roles/kea_dhcp/defaults/main.yaml create mode 100644 roles/kea_dhcp/handlers/main.yml create mode 100644 roles/kea_dhcp/meta/argument_specs.yaml create mode 100644 roles/kea_dhcp/tasks/install_archlinux.yml create mode 100644 roles/kea_dhcp/tasks/install_debian.yml create mode 100644 roles/kea_dhcp/tasks/kea.yaml create mode 100644 roles/kea_dhcp/tasks/main.yml create mode 100644 roles/kea_dhcp/tasks/stork-agent.yaml create mode 100644 roles/kea_dhcp/templates/kea-ctrl-agent.conf.j2 create mode 100644 roles/kea_dhcp/templates/kea-dhcp4.conf.jinja create mode 100644 roles/kea_dhcp/templates/kea-dhcp6.conf.jinja create mode 100644 roles/kea_dhcp/templates/stork-agent.env.jinja create mode 100644 roles/unbound/README.md create mode 100644 roles/unbound/defaults/main.yml create mode 100644 roles/unbound/files/no-resolved.resolv.conf create mode 100644 roles/unbound/handlers/main.yml create mode 100644 roles/unbound/tasks/main.yml create mode 100644 roles/unbound/tasks/prometheus-exporter.yml create mode 100644 roles/unbound/templates/unbound.conf.j2 diff --git a/inventories/z9/host_vars/rt1.yaml b/inventories/z9/host_vars/rt1.yaml index 218f4c4..876776a 100644 --- a/inventories/z9/host_vars/rt1.yaml +++ b/inventories/z9/host_vars/rt1.yaml @@ -4,3 +4,4 @@ nftables__config: "{{ lookup('ansible.builtin.file', 'resources/z9/rt1/nftables/ ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin" ansible_pull__timer_randomized_delay_sec: 0min unbound_access_control: [ "10.89.208.0/20" ] +kea_dhcp__include_vars: resources/z9/rt1/kea_dhcp.yaml diff --git a/inventories/z9/hosts.yaml b/inventories/z9/hosts.yaml index d4c4ff4..407aa2f 100644 --- a/inventories/z9/hosts.yaml +++ b/inventories/z9/hosts.yaml @@ -56,11 +56,18 @@ systemd_networkd_hosts: nftables_hosts: hosts: rt1: +unbound_hosts: + hosts: + rt1: +kea_dhcp_hosts: + hosts: + rt1: alloy_hosts: hosts: light: yate: dooris: + rt1: ansible_pull_hosts: hosts: dooris: diff --git a/playbooks/deploy.yaml b/playbooks/deploy.yaml index b7ce104..54d4098 100644 --- a/playbooks/deploy.yaml +++ b/playbooks/deploy.yaml @@ -27,6 +27,20 @@ tags: - nftables +- name: Ensure unbound deployment on unbound_hosts + hosts: unbound_hosts + roles: + - unbound + tags: + - unbound + +- name: Ensure kea_dhcp deployment on kea_dhcp_hosts + hosts: kea_dhcp_hosts + roles: + - kea_dhcp + tags: + - kea_dhcp + - name: Ensure deployment of infrastructure authorized keys hosts: infrastructure_authorized_keys_hosts roles: diff --git a/resources/z9/rt1/kea_dhcp.yaml b/resources/z9/rt1/kea_dhcp.yaml new file mode 100644 index 0000000..d191881 --- /dev/null +++ b/resources/z9/rt1/kea_dhcp.yaml @@ -0,0 +1,293 @@ +kea_dhcp__dns_servers: + v4: + - 185.161.129.134 + v6: + - 2a07:c481::1:2 + +kea_dhcp__dhcp4: + enable: true + interfaces: [ "netlan.51", "netlan.52", "netlan.54" ] + control-sockets: + - socket-name: /var/run/kea-dhcp4-ctrl-agent.sock + socket-type: unix + lease-database: + type: memfile + persist: true + option-data: + - name: "domain-name-servers" + code: 6 + csv-format: true + data: "{{ kea_dhcp__dns_servers.v4 | join(',') }}" + subnets: + - id: 1 + subnet: 10.89.208.0/22 + pools: + - pool: "10.89.208.32 - 10.89.211.250" + reservations: + - ip-address: 10.89.208.11 + hostname: beamer + hw-address: "ac:87:a3:18:9e:01" + - ip-address: 10.89.208.12 + hostname: Brother-CCCHH + hw-address: "00:80:77:04:3a:55" + - ip-address: 10.89.208.13 + hostname: muzak + hw-address: "00:11:24:5f:4f:80" + - ip-address: 10.89.208.14 + hostname: Big-Room-Beamer + hw-address: "64:d2:c4:db:08:5c" + - ip-address: 10.89.208.16 + hostname: dooris + hw-address: "bc:24:11:b3:93:9c" + - ip-address: 10.89.208.17 + hostname: hmdooris-ccu + hw-address: "bc:24:11:5f:2d:b1" + - ip-address: 10.89.208.27 + hostname: cisco-slm248p + hw-address: "00:23:eb:b0:fc:3f" + - ip-address: 10.89.208.47 + hw-address: "6c:df:fb:0b:34:21" + - ip-address: 10.89.208.48 + hw-address: "6c:df:fb:0d:91:63" + - ip-address: 10.89.209.28 + hostname: hp-color + hw-address: "3c:52:82:29:21:79" + - ip-address: 10.89.209.29 + hostname: dooris-ng + hw-address: "6c:4b:90:19:21:a1" + - ip-address: 10.89.209.166 + hostname: encoder-ccchh + hw-address: "00:4e:01:a2:40:d7" + - ip-address: 10.89.209.254 + hostname: ki10 + hw-address: "dc:a6:32:a9:ff:82" + option-data: + - name: routers, + csv-format: true + data: 10.89.208.1 + - id: 2 + subnet: 10.89.212.0/24 + pools: + - pool: "10.89.212.32 - 10.89.212.250" + reservations: + - ip-address: 10.89.212.3 + hostname: prusamk3 + hw-address: "10:9c:70:2e:59:3e" + - ip-address: 10.89.212.4 + hostname: prusamk4 + hw-address: "10:9c:70:2e:6e:f0" + - ip-address: 10.89.212.11 + hostname: Ziggy + hw-address: "44:17:93:53:65:57" + - ip-address: 10.89.212.12 + hostname: legacy + hw-address: "00:15:65:a1:ed:98" + - ip-address: 10.89.212.23 + hostname: foobarpay + hw-address: "f4:f2:6d:09:a6:73" + - ip-address: 10.89.212.24 + hostname: foobackup + hw-address: "bc:24:11:20:1a:a8" + - ip-address: 10.89.212.27 + hostname: ender3v2-sonic-pad + hw-address: "fc:ee:91:00:0e:14" + - ip-address: 10.89.212.31 + hostname: octopi + hw-address: "b8:27:eb:0f:d8:09" + - ip-address: 10.89.212.32 + hostname: 433mhz-bridge + hw-address: "0c:b8:15:fe:e3:34" + - ip-address: 10.89.212.33 + hostname: wled-kueche + hw-address: "30:ae:a4:7a:8d:a0" + - ip-address: 10.89.212.34 + hostname: wled-serverschrank + hw-address: "18:fe:34:a6:64:76" + - ip-address: 10.89.212.35 + hostname: wled-couch + hw-address: "64:b7:08:40:ab:c0" + - ip-address: 10.89.212.36 + hostname: laser + hw-address: "b8:27:eb:be:38:fa" + - ip-address: 10.89.212.37 + hostname: laser-eth + hw-address: "b8:27:eb:eb:6d:af" + - ip-address: 10.89.212.42 + hostname: t-mix + hw-address: "40:a5:ef:d9:eb:93" + - ip-address: 10.89.212.86 + hostname: fritz-fon + hw-address: "00:1f:3f:c9:e5:b2" + - ip-address: 10.89.212.211 + hostname: hauptraum-esphome + hw-address: "e8:db:84:e8:18:d2" + - ip-address: 10.89.212.212 + hostname: werkstatt-esphome + hw-address: "3c:71:bf:26:42:32" + - ip-address: 10.89.212.213 + hostname: ir-bridge-beamer + hw-address: "8c:ce:4e:51:93:dd" + - ip-address: 10.89.212.215 + hostname: pi-dmx-werkstatt + hw-address: "b8:27:eb:65:e5:31" + - ip-address: 10.89.212.227 + hostname: SIP-T46S + hw-address: "80:5e:c0:09:bf:55" + - ip-address: 10.89.212.230 + hostname: SIP-T46S + hw-address: "80:5e:c0:22:33:08" + - ip-address: 10.89.212.232 + hostname: staubi + hw-address: "b8:4d:43:98:51:2b" + - ip-address: 10.89.212.233 + hostname: staubiv2 + hw-address: "70:c9:32:82:25:b2" + - ip-address: 10.89.212.234 + hostname: AtemMini + hw-address: "7c:2e:0d:13:72:a8" + - ip-address: 10.89.212.235 + hostname: okilaser + hw-address: "2c:ff:65:22:b4:63" + - ip-address: 10.89.212.236 + hw-address: "b8:27:eb:29:bd:77" + option-data: + - name: routers, + csv-format: true + data: 10.89.212.1 + - id: 3 + subnet: 10.89.213.0/24 + pools: + - pool: "10.89.213.32 - 10.89.213.250" + reservations: + - ip-address: 10.89.213.2 + hostname: sw-rack-1 + hw-address: "F0:9F:C2:10:C3:AA" + - ip-address: 10.89.213.3 + hostname: sw-rack-2-peo + hw-address: "44:d9:e7:06:69:5d" + - ip-address: 10.89.213.4 + hostname: sw-main-1 + hw-address: "a8:9c:6c:16:df:cc" + - ip-address: 10.89.213.5 + hostname: sw-main-2 + hw-address: "a8:9c:6c:16:e8:86" + - ip-address: 10.89.213.6 + hostname: sw-shop-1 + hw-address: "C0:4A:00:FB:DA:C5" + - ip-address: 10.89.213.7 + hostname: sw-shop-2-peo + hw-address: "f4:e2:c6:bf:20:ee" + - ip-address: 10.89.213.8 + hostname: sw-shop-3-peo + hw-address: "d8:b3:70:85:72:76" + - ip-address: 10.89.213.11 + hostname: pve01 + hw-address: "38:05:25:30:80:35" + - ip-address: 10.89.213.12 + hostname: pve02 + hw-address: "b8:85:84:b1:57:b6" + - ip-address: 10.89.213.13 + hostname: pve03 + hw-address: "98:fa:9b:a2:ed:e8" + - ip-address: 10.89.213.15 + hostname: pbs + hw-address: "BC:24:11:D6:2C:81" + - ip-address: 10.89.213.21 + hostname: unifi + hw-address: "BC:24:11:25:77:60" + - ip-address: 10.89.213.22 + hostname: club-assistant + hw-address: "7a:55:61:c3:a2:89" + - ip-address: 10.89.213.23 + hostname: automation + hw-address: "f2:20:75:5a:2f:8c" + - ip-address: 10.89.213.24 + hostname: yate + hw-address: "bc:24:11:73:3e:f7" + - ip-address: 10.89.213.25 + hostname: ptouch-print-server + hw-address: "bc:24:11:f2:cf:8f" + - ip-address: 10.89.213.26 + hostname: mqtt + hw-address: "bc:24:11:48:85:73" + - ip-address: 10.89.213.27 + hostname: factorio + hw-address: "bc:24:11:a3:43:7f" + - ip-address: 10.89.213.28 + hostname: light + hw-address: "72:61:ea:e6:49:e3" + - ip-address: 10.89.213.29 + hostname: homematic + hw-address: "fe:3a:42:77:3a:be" + - ip-address: 10.89.213.30 + hostname: proxmox-backup-server + hw-address: "8a:48:dd:a3:22:40" + option-data: + - name: routers, + csv-format: true + data: 10.89.213.1 + +kea_dhcp__dhcp6: + enable: true + interfaces: [ "netlan.51", "netlan.52", "netlan.54" ] + control-sockets: + - socket-name: /var/run/kea-dhcp6-ctrl-agent.sock + socket-type: unix + lease-database: + type: memfile + persist: true + option-data: + - name: "dns-servers" + code: 23 + csv-format: true + data: "{{ kea_dhcp__dns_servers.v6 | join(',') }}" + subnets: + - id: 1 + subnet: "2a07:c481:1:33::/64" + pools: + - pool: "2a07:c481:1:33::1:1 - 2a07:c481:1:33::FFFF:FFFF" + - id: 2 + subnet: "2a07:c481:1:34::/64" + pools: + - pool: "2a07:c481:1:34::1:1 - 2a07:c481:1:34::FFFF:FFFF" + - id: 3 + subnet: "2a07:c481:1:36::/64" + pools: + - pool: "2a07:c481:1:36::1:1 - 2a07:c481:1:36::FFFF:FFFF" + reservations: + - ip-address: "2a07:c481:1:36::2" + hostname: sw-rack-1 + hw-address: "F0:9F:C2:10:C3:AA" + - ip-address: "2a07:c481:1:36::3" + hostname: sw-rack-2-peo + hw-address: "44:d9:e7:06:69:5d" + - ip-address: "2a07:c481:1:36::4" + hostname: sw-main-1 + hw-address: "a8:9c:6c:16:df:cc" + - ip-address: "2a07:c481:1:36::5" + hostname: sw-main-2 + hw-address: "a8:9c:6c:16:e8:86" + - ip-address: "2a07:c481:1:36::6" + hostname: sw-shop-1 + hw-address: "C0:4A:00:FB:DA:C5" + - ip-address: "2a07:c481:1:36::7" + hostname: sw-shop-2-peo + hw-address: "f4:e2:c6:bf:20:ee" + - ip-address: "2a07:c481:1:36::8" + hostname: sw-shop-3-peo + hw-address: "d8:b3:70:85:72:76" + - ip-address: "2a07:c481:1:36::b" + hostname: pve01 + hw-address: "38:05:25:30:80:35" + - ip-address: "2a07:c481:1:36::c" + hostname: pve02 + hw-address: "b8:85:84:b1:57:b6" + - ip-address: "2a07:c481:1:36::d" + hostname: pve03 + hw-address: "98:fa:9b:a2:ed:e8" + - ip-address: "2a07:c481:1:36::f" + hostname: pbs + hw-address: "BC:24:11:D6:2C:81" + - ip-address: "2a07:c481:1:36::14" + hostname: unifi + hw-address: "BC:24:11:25:77:60" diff --git a/resources/z9/rt1/nftables/nftables.conf b/resources/z9/rt1/nftables/nftables.conf index 21bfbd1..842ca04 100644 --- a/resources/z9/rt1/nftables/nftables.conf +++ b/resources/z9/rt1/nftables/nftables.conf @@ -76,6 +76,9 @@ table inet host { # Allow DHCP server access. iifname { $lan_ifs } udp dport 67 accept comment "allow dhcp server access" + + # Allow DNS server access from lan_ifs + iifname { $lan_ifs, $if_wg55_management } udp dport 53 accept comment "allow dns server access from lan_ifs" } } diff --git a/roles/kea_dhcp/defaults/main.yaml b/roles/kea_dhcp/defaults/main.yaml new file mode 100644 index 0000000..409f0a1 --- /dev/null +++ b/roles/kea_dhcp/defaults/main.yaml @@ -0,0 +1,69 @@ +kea_dhcp__stork_agent: + enable: false + prometheus_only: true +kea_dhcp__version_repo: "kea-3-0" +kea_dhcp__dns_servers: + v6: + - "2a07:c481:0:4::2" + - "2a07:c481:0:4::3" + v4: + - "185.161.128.66" + - "185.161.128.67" +kea_dhcp__include_vars: + +kea_dhcp__dhcp4: + enable: false + interfaces: [ ] + control-sockets: + - socket-name: /var/run/kea-dhcp4-ctrl-agent.sock + socket-type: unix + lease-database: + type: memfile + persist: true + option-data: + - name: "domain-name-servers" + code: 6 + csv-format: true + data: "{{ kea_dhcp__dns_servers.v4 | join(',') }}" + subnets: + - id: 0 + subnet: nil + pools: + - pool: nil + reservations: + - ip-address: nil + hostname: beispiel.test + hw-address: "00:11:22:33:44:55" + option-data: + - name: nil, + code: nil, + csv-format: true + data: nil +kea_dhcp__dhcp6: + enable: false + interfaces: [ ] + lease-database: + type: memfile + persist: true + control-sockets: + - socket-name: /var/run/kea-dhcp6-ctrl-agent.sock + socket-type: unix + option-data: + - name: "dns-servers" + code: 23 + csv-format: true + data: "{{ kea_dhcp__dns_servers.v6 | join(',') }}" + subnets: + - id: 0 + subnet: nil + pools: + - pool: nil + reservations: + - ip-address: nil + hostname: beispiel.test + hw-address: "00:11:22:33:44:55" + option-data: + - name: nil, + code: nil, + csv-format: true + data: nil diff --git a/roles/kea_dhcp/handlers/main.yml b/roles/kea_dhcp/handlers/main.yml new file mode 100644 index 0000000..5b44d6e --- /dev/null +++ b/roles/kea_dhcp/handlers/main.yml @@ -0,0 +1,30 @@ +--- +- name: Systemd.daemon_reload + become: true + ansible.builtin.systemd_service: + daemon_reload: true + +- name: Kea_dhcp4.reloaded + ansible.builtin.service: + name: kea-dhcp4 + state: restarted + enabled: true + +- name: Kea_dhcp6.reloaded + ansible.builtin.service: + name: kea-dhcp6 + state: restarted + enabled: true + +- name: Kea_ctrl.reloaded + ansible.builtin.systemd: + name: kea-ctrl-agent + state: restarted + enabled: true + +- name: Stork_agent.restarted + become: true + ansible.builtin.systemd: + name: isc-stork-agent + state: restarted + enabled: true diff --git a/roles/kea_dhcp/meta/argument_specs.yaml b/roles/kea_dhcp/meta/argument_specs.yaml new file mode 100644 index 0000000..995b838 --- /dev/null +++ b/roles/kea_dhcp/meta/argument_specs.yaml @@ -0,0 +1,125 @@ +--- +argument_specs: + main: + short_description: "Role for managing Kea DHCP server" + options: + kea_dhcp__stork_agent: + type: "dict" + description: "Configuration for Stork Agent" + options: + enable: + type: "bool" + default: false + prometheus_only: + type: "bool" + default: true + kea_dhcp__version_repo: + type: "str" + description: "Version of Kea DHCP repository to use" + default: "kea-3-0" + kea_dhcp__dns_servers: + type: "dict" + description: "Default DNS servers for DHCP clients" + options: + v6: + type: "list" + elements: "str" + v4: + type: "list" + elements: "str" + kea_dhcp__dhcp4: + type: "dict" + description: "Configuration for DHCPv4 service" + options: + enable: + type: "bool" + default: false + interfaces: + type: "list" + elements: "str" + default: [] + control-sockets: + type: "list" + elements: "dict" + lease-database: + type: "dict" + option-data: + type: "list" + elements: "dict" + subnets: + type: "list" + elements: "dict" + options: + id: + type: "int" + subnet: + type: "str" + pools: + type: "list" + elements: "dict" + options: + pool: + type: "str" + reservations: + type: "list" + elements: "dict" + options: + ip-address: + type: "str" + hostname: + type: "str" + hw-address: + type: "str" + duid: + type: "str" + option-data: + type: "list" + elements: "dict" + kea_dhcp__dhcp6: + type: "dict" + description: "Configuration for DHCPv6 service" + options: + enable: + type: "bool" + default: false + interfaces: + type: "list" + elements: "str" + default: [] + control-sockets: + type: "list" + elements: "dict" + lease-database: + type: "dict" + option-data: + type: "list" + elements: "dict" + subnets: + type: "list" + elements: "dict" + options: + id: + type: "int" + subnet: + type: "str" + pools: + type: "list" + elements: "dict" + options: + pool: + type: "str" + reservations: + type: "list" + elements: "dict" + options: + ip-address: + type: "str" + hostname: + type: "str" + hw-address: + type: "str" + duid: + type: "str" + option-data: + type: "list" + elements: "dict" diff --git a/roles/kea_dhcp/tasks/install_archlinux.yml b/roles/kea_dhcp/tasks/install_archlinux.yml new file mode 100644 index 0000000..7bdb140 --- /dev/null +++ b/roles/kea_dhcp/tasks/install_archlinux.yml @@ -0,0 +1,8 @@ +--- +- name: Install Kea on Archlinux + when: ansible_facts['distribution'] == "Archlinux" + become: true + community.general.pacman: + name: kea + state: present + update_cache: false diff --git a/roles/kea_dhcp/tasks/install_debian.yml b/roles/kea_dhcp/tasks/install_debian.yml new file mode 100644 index 0000000..2ac2346 --- /dev/null +++ b/roles/kea_dhcp/tasks/install_debian.yml @@ -0,0 +1,22 @@ +--- +- name: Register isc-kea apt repository + become: true + register: kea_dhcp_repo + when: ansible_facts['distribution'] == "Debian" + ansible.builtin.deb822_repository: + name: "isc-{{ kea_dhcp__version_repo }}" + uris: "https://dl.cloudsmith.io/public/isc/{{ kea_dhcp__version_repo }}/deb/debian" + suites: any-version + components: main + signed_by: "https://dl.cloudsmith.io/public/isc/{{ kea_dhcp__version_repo }}/gpg.key" + +- name: Install Kea packages + become: true + when: ansible_facts['distribution'] == "Debian" + ansible.builtin.apt: + name: + - isc-kea-dhcp4 + - isc-kea-dhcp6 + - isc-kea-ctrl-agent + - isc-kea-admin + update_cache: "{{ kea_dhcp_install_repo.changed }}" diff --git a/roles/kea_dhcp/tasks/kea.yaml b/roles/kea_dhcp/tasks/kea.yaml new file mode 100644 index 0000000..a4fd3b5 --- /dev/null +++ b/roles/kea_dhcp/tasks/kea.yaml @@ -0,0 +1,51 @@ +--- +- name: Include config vars + tags: [ kea, include_vars ] + when: kea_dhcp__include_vars is not None + ansible.builtin.include_vars: + file: "{{ kea_dhcp__include_vars }}" + +- name: Deploy kea-dhcp4 configuration file + tags: [ kea, dhcp4 ] + become: true + when: kea_dhcp__dhcp4.enable + ansible.builtin.template: + src: kea-dhcp4.conf.jinja + dest: /etc/kea/kea-dhcp4.conf + backup: true + owner: root + group: kea + mode: "u=rw,g=r,o=" + validate: kea-dhcp4 -T %s + notify: + - Kea_dhcp4.reloaded + +- name: Deploy kea-dhcp6 configuration file + tags: [ kea, dhcp6 ] + become: true + when: kea_dhcp__dhcp6.enable + ansible.builtin.template: + src: kea-dhcp6.conf.jinja + dest: /etc/kea/kea-dhcp6.conf + backup: true + owner: root + group: kea + mode: "u=rw,g=r,o=" + validate: kea-dhcp6 -T %s + notify: + - Kea_dhcp6.reloaded + +- name: Copy kea-ctrl-agent configuration file + tags: [ kea, ctrl-agent ] + become: true + when: kea_dhcp__stork_agent.enable + ansible.builtin.template: + src: kea-ctrl-agent.conf.j2 + dest: /etc/kea/kea-ctrl-agent.conf + owner: root + group: kea + mode: "u=rw,g=r,o=" + validate: kea-ctrl-agent -t %s + notify: + - Kea_ctrl.reloaded + - Stork_agent.restarted diff --git a/roles/kea_dhcp/tasks/main.yml b/roles/kea_dhcp/tasks/main.yml new file mode 100644 index 0000000..a3478fa --- /dev/null +++ b/roles/kea_dhcp/tasks/main.yml @@ -0,0 +1,19 @@ +--- +- name: Setup Kea DHCP + tags: [kea, dhcp] + block: + - name: Install Kea on Archlinux + when: ansible_facts['distribution'] == "Archlinux" + ansible.builtin.import_tasks: install_archlinux.yml + + - name: Install Kea on Debian + when: ansible_facts['distribution'] == "Debian" + ansible.builtin.import_tasks: install_debian.yml + + - name: Configure Kea + ansible.builtin.include_tasks: kea.yaml + +- name: Run stork-agent tasks + tags: [stork-agent, monitoring] + when: kea_dhcp__stork_agent.enable + ansible.builtin.include_tasks: stork-agent.yaml diff --git a/roles/kea_dhcp/tasks/stork-agent.yaml b/roles/kea_dhcp/tasks/stork-agent.yaml new file mode 100644 index 0000000..916760c --- /dev/null +++ b/roles/kea_dhcp/tasks/stork-agent.yaml @@ -0,0 +1,76 @@ +--- +- name: Install stork-agent + tags: [stork-agent] + block: + - name: Install stork-agent on Archlinux + when: ansible_facts['distribution'] == "Archlinux" + tags: [stork-agent, archlinux] + block: + - name: Create stork-agent user + ansible.builtin.user: + name: stork-agent + create_home: false + home: "/var/lib/stork-agent" + shell: "/usr/bin/nologin" + system: true + groups: ["kea"] + append: true + + - name: Install stork-agent with aur_pkg_install + ansible.builtin.include_role: + name: aur_pkg_install + vars: + aur_pkg_install__pkg_name: "stork-agent" + aur_pkg_install__git_clone_url: "https://ansible:{{ secret__ansible_git_token }}@git.fux-eg.net/aur-mirror/stork-agent.git" + aur_pkg_install__git_ref: "bf96e34" + + - name: Install stork-agent on Debian + when: ansible_facts['distribution'] == "Debian" + tags: [stork-agent, debian] + block: + - name: Register isc-stork apt repository + become: true + register: "kea_dhcp_install_repo" + ansible.builtin.deb822_repository: + name: isc-stork + uris: https://dl.cloudsmith.io/public/isc/stork/deb/debian + suites: any-version + components: main + signed_by: https://dl.cloudsmith.io/public/isc/stork/gpg.key + + - name: Install isc-stork-agent + become: true + ansible.builtin.apt: + name: isc-stork-agent + update_cache: "{{ kea_dhcp_install_repo.changed }}" + + - name: Add stork-agent user to _kea group on Debian + when: ansible_facts['distribution'] == "Debian" + become: true + ansible.builtin.user: + name: stork-agent + groups: ["_kea"] + append: true + + - name: Config for stork-agent + ansible.builtin.template: + src: stork-agent.env.jinja + dest: /etc/stork/agent.env + owner: root + group: root + mode: "0660" + notify: + - Systemd_daemon_reload + - Stork_agent.restarted + + - name: Flush handlers + ansible.builtin.meta: flush_handlers + + - name: Ensure that stork kea exporter is working + ansible.builtin.uri: + url: "http://localhost:9547/metrics" + method: GET + register: kea_dhcp_stork_status_code + retries: 6 + delay: 5 + until: kea_dhcp_stork_status_code.status == 200 diff --git a/roles/kea_dhcp/templates/kea-ctrl-agent.conf.j2 b/roles/kea_dhcp/templates/kea-ctrl-agent.conf.j2 new file mode 100644 index 0000000..5ac1473 --- /dev/null +++ b/roles/kea_dhcp/templates/kea-ctrl-agent.conf.j2 @@ -0,0 +1,20 @@ +{ +"Control-agent": { + "http-host": "127.0.0.1", + "http-port": 8000, + "control-sockets": { + {% if kea_dhcp__dhcp4.enable | default(false) %} + "dhcp4": { + "socket-type": "{{ kea_dhcp__dhcp4['control-sockets'][0]['socket-type'] }}", + "socket-name": "{{ kea_dhcp__dhcp4['control-sockets'][0]['socket-name'] }}" + }{% if kea_dhcp__dhcp6.enable %},{% endif %} + {% endif %} + {% if kea_dhcp__dhcp6.enable | default(false) %} + "dhcp6": { + "socket-type": "{{ kea_dhcp__dhcp6['control-sockets'][0]['socket-type'] }}", + "socket-name": "{{ kea_dhcp__dhcp6['control-sockets'][0]['socket-name'] }}" + }, + {% endif %} + } +} +} diff --git a/roles/kea_dhcp/templates/kea-dhcp4.conf.jinja b/roles/kea_dhcp/templates/kea-dhcp4.conf.jinja new file mode 100644 index 0000000..78f06ae --- /dev/null +++ b/roles/kea_dhcp/templates/kea-dhcp4.conf.jinja @@ -0,0 +1,27 @@ +{ + "Dhcp4": { + "interfaces-config": { + "interfaces": {{ kea_dhcp__dhcp4.interfaces | to_nice_json }} + }, + "control-sockets": {{ kea_dhcp__dhcp4['control-sockets'] | to_nice_json }}, + "lease-database": {{ kea_dhcp__dhcp4['lease-database'] | to_nice_json }}, + {% if kea_dhcp__dhcp4['option-data'] is defined and kea_dhcp__dhcp4['option-data'] %} + "option-data": {{ kea_dhcp__dhcp4['option-data'] | to_nice_json }}, + {% endif %} + "subnet4": [ + {% for subnet in kea_dhcp__dhcp4.subnets %} + { + "id": {{ subnet.id }}, + "subnet": "{{ subnet.subnet }}", + "pools": {{ subnet.pools | to_nice_json }}, + {% if subnet.reservations is defined and subnet.reservations %} + "reservations": {{ subnet.reservations | to_nice_json }}, + {% endif %} + {% if subnet['option-data'] is defined and subnet['option-data'] %} + "option-data": {{ subnet['option-data'] | to_nice_json }} + {% endif %} + }{% if not loop.last %},{% endif %} + {% endfor %} + ] + } +} diff --git a/roles/kea_dhcp/templates/kea-dhcp6.conf.jinja b/roles/kea_dhcp/templates/kea-dhcp6.conf.jinja new file mode 100644 index 0000000..da1929a --- /dev/null +++ b/roles/kea_dhcp/templates/kea-dhcp6.conf.jinja @@ -0,0 +1,27 @@ +{ + "Dhcp6": { + "interfaces-config": { + "interfaces": {{ kea_dhcp__dhcp6.interfaces | to_nice_json }} + }, + "control-sockets": {{ kea_dhcp__dhcp6['control-sockets'] | to_nice_json }}, + "lease-database": {{ kea_dhcp__dhcp6['lease-database'] | to_nice_json }}, + {% if kea_dhcp__dhcp6['option-data'] is defined and kea_dhcp__dhcp6['option-data'] %} + "option-data": {{ kea_dhcp__dhcp6['option-data'] | to_nice_json }}, + {% endif %} + "subnet6": [ + {% for subnet in kea_dhcp__dhcp6.subnets %} + { + "id": {{ subnet.id }}, + "subnet": "{{ subnet.subnet }}", + "pools": {{ subnet.pools | to_nice_json }}, + {% if subnet.reservations is defined and subnet.reservations %} + "reservations": {{ subnet.reservations | to_nice_json }}, + {% endif %} + {% if subnet['option-data'] is defined and subnet['option-data'] %} + "option-data": {{ subnet['option-data'] | to_nice_json }} + {% endif %} + }{% if not loop.last %},{% endif %} + {% endfor %} + ] + } +} diff --git a/roles/kea_dhcp/templates/stork-agent.env.jinja b/roles/kea_dhcp/templates/stork-agent.env.jinja new file mode 100644 index 0000000..bdfa4d2 --- /dev/null +++ b/roles/kea_dhcp/templates/stork-agent.env.jinja @@ -0,0 +1,44 @@ +### the IP or hostname to listen on for incoming Stork server connections +# STORK_AGENT_HOST= + +### the TCP port to listen on for incoming Stork server connections +# STORK_AGENT_PORT=8081 + +### listen for commands from the Stork server only, but not for Prometheus requests +# STORK_AGENT_LISTEN_STORK_ONLY=true + +{% if kea_dhcp__stork_agent.prometheus_only %} +### listen for Prometheus requests only, but not for commands from the Stork server +STORK_AGENT_LISTEN_PROMETHEUS_ONLY=true +{% endif %} + +### settings for exporting stats to Prometheus +### the IP or hostname on which the agent exports Kea statistics to Prometheus +# STORK_AGENT_PROMETHEUS_KEA_EXPORTER_ADDRESS= +### the port on which the agent exports Kea statistics to Prometheus +# STORK_AGENT_PROMETHEUS_KEA_EXPORTER_PORT= +## enable or disable collecting per-subnet stats from Kea +# STORK_AGENT_PROMETHEUS_KEA_EXPORTER_PER_SUBNET_STATS=true +### the IP or hostname on which the agent exports BIND 9 statistics to Prometheus +# STORK_AGENT_PROMETHEUS_BIND9_EXPORTER_ADDRESS= +### the port on which the agent exports BIND 9 statistics to Prometheus +# STORK_AGENT_PROMETHEUS_BIND9_EXPORTER_PORT= + +### Stork Server URL used by the agent to send REST commands to the server during agent registration +# STORK_AGENT_SERVER_URL= + +### skip TLS certificate verification when the Stork Agent connects +### to Kea over TLS and Kea uses self-signed certificates +# STORK_AGENT_SKIP_TLS_CERT_VERIFICATION=true + + +### Logging parameters + +### Set logging level. Supported values are: DEBUG, INFO, WARN, ERROR +STORK_LOG_LEVEL=DEBUG +### disable output colorization +# CLICOLOR=false + +### path to the hook directory +# STORK_AGENT_HOOK_DIRECTORY= + diff --git a/roles/unbound/README.md b/roles/unbound/README.md new file mode 100644 index 0000000..806b9d8 --- /dev/null +++ b/roles/unbound/README.md @@ -0,0 +1,19 @@ +# Unbound DNS resolver + +Role fora a validating, recursive, caching DNS resolver based on [Unbound](https://nlnetlabs.nl/projects/unbound/about/). +It is designed to be fast and lean and incorporates modern features based on open standards. + +- [Documentation](https://unbound.docs.nlnetlabs.nl/en/latest/) + +## Role Customization + +The following variables can be used to customize this role: + +| Variable | Type | Default | Description | +|------------------------------------------|-----------------|-----------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| unbound_install_prometheus_exporter | Boolean | `true` | Whether [Unbound Exporter](https://github.com/letsencrypt/unbound_exporter) should also be installed to expose resolver statistics in prometheus format. | +| unbound_bind_interfaces | List of Strings | `[0.0.0.0, ::]` | List of interface names or IP addresses on which unbound will listen for dns queries | +| unbound_enable_unbound_control | Boolean | `true` | Whether the [remote control](https://unbound.docs.nlnetlabs.nl/en/latest/getting-started/configuration.html#set-up-remote-control) feature of unbound should be configured. | +| unbound_enable_dnssec | Boolean | `true` | Whether dnssec validation should be enabled | +| unbound_access_control | List of Strings | `[]` | **Required** List of [unbound access control values](https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#:~:text=access-control:%20%3CIP%20netblock%3E%20%3Caction%3E) | +| unbound_disable_systemd_networkd | Boolean | `true` | If true, systemd-networkd is disabled and the local system is pointed towards the configured dns resolver. | diff --git a/roles/unbound/defaults/main.yml b/roles/unbound/defaults/main.yml new file mode 100644 index 0000000..fa6cb24 --- /dev/null +++ b/roles/unbound/defaults/main.yml @@ -0,0 +1,7 @@ +unbound_install_prometheus_exporter: true +unbound_bind_interfaces: [ "0.0.0.0", "::" ] +unbound_disable_systemd_networkd: true +unbound_enable_unbound_control: true +unbound_enable_dnssec: true +unbound_access_control: [ ] +unbound_private_domain: [ ] diff --git a/roles/unbound/files/no-resolved.resolv.conf b/roles/unbound/files/no-resolved.resolv.conf new file mode 100644 index 0000000..bbc8559 --- /dev/null +++ b/roles/unbound/files/no-resolved.resolv.conf @@ -0,0 +1 @@ +nameserver 127.0.0.1 diff --git a/roles/unbound/handlers/main.yml b/roles/unbound/handlers/main.yml new file mode 100644 index 0000000..e1345bf --- /dev/null +++ b/roles/unbound/handlers/main.yml @@ -0,0 +1,27 @@ +- name: unbound.restarted + tags: [ unbound, dns, dns_resolver ] + become: true + ansible.builtin.systemd: + name: unbound.service + state: restarted + +- name: unbound.reloaded + tags: [ unbound, dns, dns_resolver ] + become: true + ansible.builtin.systemd: + name: unbound.service + state: reloaded + +- name: prometheus-unbound-exporter.restarted + become: true + ansible.builtin.systemd: + name: prometheus-unbound-exporter.service + state: restarted + enabled: true + +- name: prometheus-unbound-exporter.enabled + become: true + ansible.builtin.systemd: + name: prometheus-unbound-exporter.service + enabled: true + daemon_reload: true diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml new file mode 100644 index 0000000..7ed42cb --- /dev/null +++ b/roles/unbound/tasks/main.yml @@ -0,0 +1,63 @@ +- name: unbound role main + tags: [ unbound, dns, dns_resolver ] + block: + + - name: install unbound dns resolver + become: true + ansible.builtin.package: + name: unbound + + - name: install extra dns tooling + become: true + ansible.builtin.package: + name: [ bind ] # the bind package includes tools like dig in archlinux + + - name: ensure correct directory permissions + become: true + ansible.builtin.file: + path: /etc/unbound + state: directory + mode: u=rwX,g=rX,o=rX + recurse: true + owner: unbound + group: unbound + + - name: configure unbound dns resolver + become: true + notify: unbound.restarted + ansible.builtin.template: + src: unbound.conf.j2 + dest: /etc/unbound/unbound.conf + owner: unbound + group: unbound + mode: u=rw,g=r,o=r + + - name: ensure unbound is running and enabled + become: true + ansible.builtin.systemd: + name: unbound.service + state: started + enabled: true + + - name: disable systemd-resolved + become: true + when: unbound_disable_systemd_networkd + ansible.builtin.systemd: + name: systemd-resolved.service + state: stopped + enabled: false + + - name: configure system resolver to point to local unbound + become: true + when: unbound_disable_systemd_networkd + ansible.builtin.copy: + src: no-resolved.resolv.conf + dest: /etc/resolv.conf + owner: unbound + group: unbound + mode: u=rw,g=r,o=r + + + - name: install and configure prometheus-exporter for unbound + ansible.builtin.import_tasks: prometheus-exporter.yml + when: unbound_install_prometheus_exporter diff --git a/roles/unbound/tasks/prometheus-exporter.yml b/roles/unbound/tasks/prometheus-exporter.yml new file mode 100644 index 0000000..d05b838 --- /dev/null +++ b/roles/unbound/tasks/prometheus-exporter.yml @@ -0,0 +1,17 @@ +--- +- name: install unbound prometheus exporter + become: true + ansible.builtin.package: + name: prometheus-unbound-exporter + notify: prometheus-unbound-exporter.enabled + +- name: configure unbound exporter + become: true + ansible.builtin.copy: + dest: /etc/conf.d/prometheus-unbound-exporter + content: | + UNBOUND_EXPORTER_ARGS="-unbound.ca "" -unbound.cert "" -unbound.host "unix:///run/unbound-control.sock" + owner: root + group: root + mode: '0660' + notify: prometheus-unbound-exporter.restarted diff --git a/roles/unbound/templates/unbound.conf.j2 b/roles/unbound/templates/unbound.conf.j2 new file mode 100644 index 0000000..a1e310e --- /dev/null +++ b/roles/unbound/templates/unbound.conf.j2 @@ -0,0 +1,73 @@ +# ref: https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html +# unbound.conf(5) man page +server: + {% if unbound_enable_dnssec -%} + # disable chroot because unbound is the only thing running on the VM + # and because it has issues with how archlinux configures the systemd units write protection regarding the anchor file + chroot: "" + + # location of the trust anchor file that enables DNSSEC + # this file is generated by the `unbound-anchor` command + auto-trust-anchor-file: "/etc/unbound/trusted-key.key" + {% endif -%} + + # use all CPUs + num-threads: 2 + + # more cache memory + rrset-cache-size: 60m + msg-cache-size: 30m + + # prefetch to keep the cache up to date + prefetch: yes + + # fetch the DNSKEYs earlier in the validation process, when a DS record is encountered + prefetch-key: yes + + # Faster UDP with multithreading (only on Linux). + so-reuseport: yes + + # disable special large send buffer handling and just use kernel defaults + so-sndbuf: 0 + + # send minimal amount of information to upstream servers to enhance privacy + qname-minimisation: yes + + # specify the interface to answer queries from by ip-address. + {% for i in unbound_bind_interfaces -%} + interface: "{{ i }}" + {% endfor %} + + # addresses from the IP range that are allowed to connect to the resolver + {% for i in unbound_access_control -%} + access-control: {{ i }} + {% endfor -%} + + {% for i in unbound_private_domain -%} + private-domain: {{ i }} + {% endfor -%} + + # The number of seconds between printing statistics to the log for every thread. + statistics-interval: 0 + + # Extended statistics are printed, Keeping track of more statistics takes time. + extended-statistics: yes + +remote-control: + control-enable: {{ "yes" if unbound_enable_unbound_control else "no" }} + control-interface: /run/unbound-control.sock + + +# configure some zones for which this resolver will act authoritatively +# https://www.dns.icann.org/services/axfr/ +{% for i in [ ".", "in-addr.arpa.", "arpa.", "root-servers.net.", "ip6.arpa.", "ip6-servers.arpa.", "mcast.net." ] %} +auth-zone: + name: "{{ i }}" + primary: "lax.xfr.dns.icann.org" + primary: "iad.xfr.dns.icann.org" + fallback-enabled: yes + for-downstream: no + for-upstream: yes + + +{% endfor %}