CCCHH/ansible-infra
CCCHH/ansible-infra
2
2
Fork 1
Code Issues 7 Pull requests 9 Wiki Activity Actions

rt1(z9 host) unbound(role) kea_dhcp(role): create unbound and kea_dhcp role for rt1
Some checks failed
/ Ansible Lint (push) Failing after 2m30s
Details
/ Ansible Lint (pull_request) Failing after 2m27s
Details
/ build (pull_request) Failing after 2m39s
Details

Browse source 
- create unbound role
- create kea_dhcp role
- configure unbound and keadhcp on rt1(z9 host)
This commit is contained in:
bitwhisker 2026-05-24 04:01:11 +02:00
commit 866005c055
Signed by: bitwhisker
SSH key fingerprint: SHA256:KybIk/tusSKao6eLGY+ILlFa1rCrzwx66/acBAcKUqE
24 changed files with 1043 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

1
inventories/z9/host_vars/rt1.yaml
View file

@ -4,3 +4,4 @@ nftables__config: "{{ lookup('ansible.builtin.file', 'resources/z9/rt1/nftables/
ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin" ansible_pull__timer_on_calendar: "*-*-* 04:00:00 Europe/Berlin"
ansible_pull__timer_randomized_delay_sec: 0min ansible_pull__timer_randomized_delay_sec: 0min
unbound_access_control: [ "10.89.208.0/20" ] unbound_access_control: [ "10.89.208.0/20" ]
kea_dhcp__include_vars: resources/z9/rt1/kea_dhcp.yaml

7
inventories/z9/hosts.yaml
View file

@ -56,11 +56,18 @@ systemd_networkd_hosts:
nftables_hosts: nftables_hosts:
hosts: hosts:
rt1: rt1:
unbound_hosts:
hosts:
rt1:
kea_dhcp_hosts:
hosts:
rt1:
alloy_hosts: alloy_hosts:
hosts: hosts:
light: light:
yate: yate:
dooris: dooris:
rt1:
ansible_pull_hosts: ansible_pull_hosts:
hosts: hosts:
dooris: dooris:

14
playbooks/deploy.yaml
View file

@ -27,6 +27,20 @@
tags: tags:
- nftables - nftables
- name: Ensure unbound deployment on unbound_hosts
hosts: unbound_hosts
roles:
- unbound
tags:
- unbound
- name: Ensure kea_dhcp deployment on kea_dhcp_hosts
hosts: kea_dhcp_hosts
roles:
- kea_dhcp
tags:
- kea_dhcp
- name: Ensure deployment of infrastructure authorized keys - name: Ensure deployment of infrastructure authorized keys
hosts: infrastructure_authorized_keys_hosts hosts: infrastructure_authorized_keys_hosts
roles: roles:

293
resources/z9/rt1/kea_dhcp.yaml Normal file
View file

@ -0,0 +1,293 @@
kea_dhcp__dns_servers:
v4:
- 185.161.129.134
v6:
- 2a07:c481::1:2
kea_dhcp__dhcp4:
enable: true
interfaces: [ "netlan.51", "netlan.52", "netlan.54" ]
control-sockets:
- socket-name: /var/run/kea-dhcp4-ctrl-agent.sock
socket-type: unix
lease-database:
type: memfile
persist: true
option-data:
- name: "domain-name-servers"
code: 6
csv-format: true
data: "{{ kea_dhcp__dns_servers.v4 | join(',') }}"
subnets:
- id: 1
subnet: 10.89.208.0/22
pools:
- pool: "10.89.208.32 - 10.89.211.250"
reservations:
- ip-address: 10.89.208.11
hostname: beamer
hw-address: "ac:87:a3:18:9e:01"
- ip-address: 10.89.208.12
hostname: Brother-CCCHH
hw-address: "00:80:77:04:3a:55"
- ip-address: 10.89.208.13
hostname: muzak
hw-address: "00:11:24:5f:4f:80"
- ip-address: 10.89.208.14
hostname: Big-Room-Beamer
hw-address: "64:d2:c4:db:08:5c"
- ip-address: 10.89.208.16
hostname: dooris
hw-address: "bc:24:11:b3:93:9c"
- ip-address: 10.89.208.17
hostname: hmdooris-ccu
hw-address: "bc:24:11:5f:2d:b1"
- ip-address: 10.89.208.27
hostname: cisco-slm248p
hw-address: "00:23:eb:b0:fc:3f"
- ip-address: 10.89.208.47
hw-address: "6c:df:fb:0b:34:21"
- ip-address: 10.89.208.48
hw-address: "6c:df:fb:0d:91:63"
- ip-address: 10.89.209.28
hostname: hp-color
hw-address: "3c:52:82:29:21:79"
- ip-address: 10.89.209.29
hostname: dooris-ng
hw-address: "6c:4b:90:19:21:a1"
- ip-address: 10.89.209.166
hostname: encoder-ccchh
hw-address: "00:4e:01:a2:40:d7"
- ip-address: 10.89.209.254
hostname: ki10
hw-address: "dc:a6:32:a9:ff:82"
option-data:
- name: routers,
csv-format: true
data: 10.89.208.1
- id: 2
subnet: 10.89.212.0/24
pools:
- pool: "10.89.212.32 - 10.89.212.250"
reservations:
- ip-address: 10.89.212.3
hostname: prusamk3
hw-address: "10:9c:70:2e:59:3e"
- ip-address: 10.89.212.4
hostname: prusamk4
hw-address: "10:9c:70:2e:6e:f0"
- ip-address: 10.89.212.11
hostname: Ziggy
hw-address: "44:17:93:53:65:57"
- ip-address: 10.89.212.12
hostname: legacy
hw-address: "00:15:65:a1:ed:98"
- ip-address: 10.89.212.23
hostname: foobarpay
hw-address: "f4:f2:6d:09:a6:73"
- ip-address: 10.89.212.24
hostname: foobackup
hw-address: "bc:24:11:20:1a:a8"
- ip-address: 10.89.212.27
hostname: ender3v2-sonic-pad
hw-address: "fc:ee:91:00:0e:14"
- ip-address: 10.89.212.31
hostname: octopi
hw-address: "b8:27:eb:0f:d8:09"
- ip-address: 10.89.212.32
hostname: 433mhz-bridge
hw-address: "0c:b8:15:fe:e3:34"
- ip-address: 10.89.212.33
hostname: wled-kueche
hw-address: "30:ae:a4:7a:8d:a0"
- ip-address: 10.89.212.34
hostname: wled-serverschrank
hw-address: "18:fe:34:a6:64:76"
- ip-address: 10.89.212.35
hostname: wled-couch
hw-address: "64:b7:08:40:ab:c0"
- ip-address: 10.89.212.36
hostname: laser
hw-address: "b8:27:eb:be:38:fa"
- ip-address: 10.89.212.37
hostname: laser-eth
hw-address: "b8:27:eb:eb:6d:af"
- ip-address: 10.89.212.42
hostname: t-mix
hw-address: "40:a5:ef:d9:eb:93"
- ip-address: 10.89.212.86
hostname: fritz-fon
hw-address: "00:1f:3f:c9:e5:b2"
- ip-address: 10.89.212.211
hostname: hauptraum-esphome
hw-address: "e8:db:84:e8:18:d2"
- ip-address: 10.89.212.212
hostname: werkstatt-esphome
hw-address: "3c:71:bf:26:42:32"
- ip-address: 10.89.212.213
hostname: ir-bridge-beamer
hw-address: "8c:ce:4e:51:93:dd"
- ip-address: 10.89.212.215
hostname: pi-dmx-werkstatt
hw-address: "b8:27:eb:65:e5:31"
- ip-address: 10.89.212.227
hostname: SIP-T46S
hw-address: "80:5e:c0:09:bf:55"
- ip-address: 10.89.212.230
hostname: SIP-T46S
hw-address: "80:5e:c0:22:33:08"
- ip-address: 10.89.212.232
hostname: staubi
hw-address: "b8:4d:43:98:51:2b"
- ip-address: 10.89.212.233
hostname: staubiv2
hw-address: "70:c9:32:82:25:b2"
- ip-address: 10.89.212.234
hostname: AtemMini
hw-address: "7c:2e:0d:13:72:a8"
- ip-address: 10.89.212.235
hostname: okilaser
hw-address: "2c:ff:65:22:b4:63"
- ip-address: 10.89.212.236
hw-address: "b8:27:eb:29:bd:77"
option-data:
- name: routers,
csv-format: true
data: 10.89.212.1
- id: 3
subnet: 10.89.213.0/24
pools:
- pool: "10.89.213.32 - 10.89.213.250"
reservations:
- ip-address: 10.89.213.2
hostname: sw-rack-1
hw-address: "F0:9F:C2:10:C3:AA"
- ip-address: 10.89.213.3
hostname: sw-rack-2-peo
hw-address: "44:d9:e7:06:69:5d"
- ip-address: 10.89.213.4
hostname: sw-main-1
hw-address: "a8:9c:6c:16:df:cc"
- ip-address: 10.89.213.5
hostname: sw-main-2
hw-address: "a8:9c:6c:16:e8:86"
- ip-address: 10.89.213.6
hostname: sw-shop-1
hw-address: "C0:4A:00:FB:DA:C5"
- ip-address: 10.89.213.7
hostname: sw-shop-2-peo
hw-address: "f4:e2:c6:bf:20:ee"
- ip-address: 10.89.213.8
hostname: sw-shop-3-peo
hw-address: "d8:b3:70:85:72:76"
- ip-address: 10.89.213.11
hostname: pve01
hw-address: "38:05:25:30:80:35"
- ip-address: 10.89.213.12
hostname: pve02
hw-address: "b8:85:84:b1:57:b6"
- ip-address: 10.89.213.13
hostname: pve03
hw-address: "98:fa:9b:a2:ed:e8"
- ip-address: 10.89.213.15
hostname: pbs
hw-address: "BC:24:11:D6:2C:81"
- ip-address: 10.89.213.21
hostname: unifi
hw-address: "BC:24:11:25:77:60"
- ip-address: 10.89.213.22
hostname: club-assistant
hw-address: "7a:55:61:c3:a2:89"
- ip-address: 10.89.213.23
hostname: automation
hw-address: "f2:20:75:5a:2f:8c"
- ip-address: 10.89.213.24
hostname: yate
hw-address: "bc:24:11:73:3e:f7"
- ip-address: 10.89.213.25
hostname: ptouch-print-server
hw-address: "bc:24:11:f2:cf:8f"
- ip-address: 10.89.213.26
hostname: mqtt
hw-address: "bc:24:11:48:85:73"
- ip-address: 10.89.213.27
hostname: factorio
hw-address: "bc:24:11:a3:43:7f"
- ip-address: 10.89.213.28
hostname: light
hw-address: "72:61:ea:e6:49:e3"
- ip-address: 10.89.213.29
hostname: homematic
hw-address: "fe:3a:42:77:3a:be"
- ip-address: 10.89.213.30
hostname: proxmox-backup-server
hw-address: "8a:48:dd:a3:22:40"
option-data:
- name: routers,
csv-format: true
data: 10.89.213.1
kea_dhcp__dhcp6:
enable: true
interfaces: [ "netlan.51", "netlan.52", "netlan.54" ]
control-sockets:
- socket-name: /var/run/kea-dhcp6-ctrl-agent.sock
socket-type: unix
lease-database:
type: memfile
persist: true
option-data:
- name: "dns-servers"
code: 23
csv-format: true
data: "{{ kea_dhcp__dns_servers.v6 | join(',') }}"
subnets:
- id: 1
subnet: "2a07:c481:1:33::/64"
pools:
- pool: "2a07:c481:1:33::1:1 - 2a07:c481:1:33::FFFF:FFFF"
- id: 2
subnet: "2a07:c481:1:34::/64"
pools:
- pool: "2a07:c481:1:34::1:1 - 2a07:c481:1:34::FFFF:FFFF"
- id: 3
subnet: "2a07:c481:1:36::/64"
pools:
- pool: "2a07:c481:1:36::1:1 - 2a07:c481:1:36::FFFF:FFFF"
reservations:
- ip-address: "2a07:c481:1:36::2"
hostname: sw-rack-1
hw-address: "F0:9F:C2:10:C3:AA"
- ip-address: "2a07:c481:1:36::3"
hostname: sw-rack-2-peo
hw-address: "44:d9:e7:06:69:5d"
- ip-address: "2a07:c481:1:36::4"
hostname: sw-main-1
hw-address: "a8:9c:6c:16:df:cc"
- ip-address: "2a07:c481:1:36::5"
hostname: sw-main-2
hw-address: "a8:9c:6c:16:e8:86"
- ip-address: "2a07:c481:1:36::6"
hostname: sw-shop-1
hw-address: "C0:4A:00:FB:DA:C5"
- ip-address: "2a07:c481:1:36::7"
hostname: sw-shop-2-peo
hw-address: "f4:e2:c6:bf:20:ee"
- ip-address: "2a07:c481:1:36::8"
hostname: sw-shop-3-peo
hw-address: "d8:b3:70:85:72:76"
- ip-address: "2a07:c481:1:36::b"
hostname: pve01
hw-address: "38:05:25:30:80:35"
- ip-address: "2a07:c481:1:36::c"
hostname: pve02
hw-address: "b8:85:84:b1:57:b6"
- ip-address: "2a07:c481:1:36::d"
hostname: pve03
hw-address: "98:fa:9b:a2:ed:e8"
- ip-address: "2a07:c481:1:36::f"
hostname: pbs
hw-address: "BC:24:11:D6:2C:81"
- ip-address: "2a07:c481:1:36::14"
hostname: unifi
hw-address: "BC:24:11:25:77:60"

3
resources/z9/rt1/nftables/nftables.conf
View file

@ -76,6 +76,9 @@ table inet host {
# Allow DHCP server access. # Allow DHCP server access.
iifname { $lan_ifs } udp dport 67 accept comment "allow dhcp server access" iifname { $lan_ifs } udp dport 67 accept comment "allow dhcp server access"
# Allow DNS server access from lan_ifs
iifname { $lan_ifs, $if_wg55_management } udp dport 53 accept comment "allow dns server access from lan_ifs"
} }
} }

69
roles/kea_dhcp/defaults/main.yaml Normal file
View file

@ -0,0 +1,69 @@
kea_dhcp__stork_agent:
enable: false
prometheus_only: true
kea_dhcp__version_repo: "kea-3-0"
kea_dhcp__dns_servers:
v6:
- "2a07:c481:0:4::2"
- "2a07:c481:0:4::3"
v4:
- "185.161.128.66"
- "185.161.128.67"
kea_dhcp__include_vars:
kea_dhcp__dhcp4:
enable: false
interfaces: [ ]
control-sockets:
- socket-name: /var/run/kea-dhcp4-ctrl-agent.sock
socket-type: unix
lease-database:
type: memfile
persist: true
option-data:
- name: "domain-name-servers"
code: 6
csv-format: true
data: "{{ kea_dhcp__dns_servers.v4 | join(',') }}"
subnets:
- id: 0
subnet: nil
pools:
- pool: nil
reservations:
- ip-address: nil
hostname: beispiel.test
hw-address: "00:11:22:33:44:55"
option-data:
- name: nil,
code: nil,
csv-format: true
data: nil
kea_dhcp__dhcp6:
enable: false
interfaces: [ ]
lease-database:
type: memfile
persist: true
control-sockets:
- socket-name: /var/run/kea-dhcp6-ctrl-agent.sock
socket-type: unix
option-data:
- name: "dns-servers"
code: 23
csv-format: true
data: "{{ kea_dhcp__dns_servers.v6 | join(',') }}"
subnets:
- id: 0
subnet: nil
pools:
- pool: nil
reservations:
- ip-address: nil
hostname: beispiel.test
hw-address: "00:11:22:33:44:55"
option-data:
- name: nil,
code: nil,
csv-format: true
data: nil

30
roles/kea_dhcp/handlers/main.yml Normal file
View file

@ -0,0 +1,30 @@
---
- name: Systemd.daemon_reload
become: true
ansible.builtin.systemd_service:
daemon_reload: true
- name: Kea_dhcp4.reloaded
ansible.builtin.service:
name: kea-dhcp4
state: restarted
enabled: true
- name: Kea_dhcp6.reloaded
ansible.builtin.service:
name: kea-dhcp6
state: restarted
enabled: true
- name: Kea_ctrl.reloaded
ansible.builtin.systemd:
name: kea-ctrl-agent
state: restarted
enabled: true
- name: Stork_agent.restarted
become: true
ansible.builtin.systemd:
name: isc-stork-agent
state: restarted
enabled: true

125
roles/kea_dhcp/meta/argument_specs.yaml Normal file
View file

@ -0,0 +1,125 @@
---
argument_specs:
main:
short_description: "Role for managing Kea DHCP server"
options:
kea_dhcp__stork_agent:
type: "dict"
description: "Configuration for Stork Agent"
options:
enable:
type: "bool"
default: false
prometheus_only:
type: "bool"
default: true
kea_dhcp__version_repo:
type: "str"
description: "Version of Kea DHCP repository to use"
default: "kea-3-0"
kea_dhcp__dns_servers:
type: "dict"
description: "Default DNS servers for DHCP clients"
options:
v6:
type: "list"
elements: "str"
v4:
type: "list"
elements: "str"
kea_dhcp__dhcp4:
type: "dict"
description: "Configuration for DHCPv4 service"
options:
enable:
type: "bool"
default: false
interfaces:
type: "list"
elements: "str"
default: []
control-sockets:
type: "list"
elements: "dict"
lease-database:
type: "dict"
option-data:
type: "list"
elements: "dict"
subnets:
type: "list"
elements: "dict"
options:
id:
type: "int"
subnet:
type: "str"
pools:
type: "list"
elements: "dict"
options:
pool:
type: "str"
reservations:
type: "list"
elements: "dict"
options:
ip-address:
type: "str"
hostname:
type: "str"
hw-address:
type: "str"
duid:
type: "str"
option-data:
type: "list"
elements: "dict"
kea_dhcp__dhcp6:
type: "dict"
description: "Configuration for DHCPv6 service"
options:
enable:
type: "bool"
default: false
interfaces:
type: "list"
elements: "str"
default: []
control-sockets:
type: "list"
elements: "dict"
lease-database:
type: "dict"
option-data:
type: "list"
elements: "dict"
subnets:
type: "list"
elements: "dict"
options:
id:
type: "int"
subnet:
type: "str"
pools:
type: "list"
elements: "dict"
options:
pool:
type: "str"
reservations:
type: "list"
elements: "dict"
options:
ip-address:
type: "str"
hostname:
type: "str"
hw-address:
type: "str"
duid:
type: "str"
option-data:
type: "list"
elements: "dict"

8
roles/kea_dhcp/tasks/install_archlinux.yml Normal file
View file

@ -0,0 +1,8 @@
---
- name: Install Kea on Archlinux
when: ansible_facts['distribution'] == "Archlinux"
become: true
community.general.pacman:
name: kea
state: present
update_cache: false

22
roles/kea_dhcp/tasks/install_debian.yml Normal file
View file

@ -0,0 +1,22 @@
---
- name: Register isc-kea apt repository
become: true
register: kea_dhcp_repo
when: ansible_facts['distribution'] == "Debian"
ansible.builtin.deb822_repository:
name: "isc-{{ kea_dhcp__version_repo }}"
uris: "https://dl.cloudsmith.io/public/isc/{{ kea_dhcp__version_repo }}/deb/debian"
suites: any-version
components: main
signed_by: "https://dl.cloudsmith.io/public/isc/{{ kea_dhcp__version_repo }}/gpg.key"
- name: Install Kea packages
become: true
when: ansible_facts['distribution'] == "Debian"
ansible.builtin.apt:
name:
- isc-kea-dhcp4
- isc-kea-dhcp6
- isc-kea-ctrl-agent
- isc-kea-admin
update_cache: "{{ kea_dhcp_install_repo.changed }}"

51
roles/kea_dhcp/tasks/kea.yaml Normal file
View file

@ -0,0 +1,51 @@
---
- name: Include config vars
tags: [ kea, include_vars ]
when: kea_dhcp__include_vars is not None
ansible.builtin.include_vars:
file: "{{ kea_dhcp__include_vars }}"
- name: Deploy kea-dhcp4 configuration file
tags: [ kea, dhcp4 ]
become: true
when: kea_dhcp__dhcp4.enable
ansible.builtin.template:
src: kea-dhcp4.conf.jinja
dest: /etc/kea/kea-dhcp4.conf
backup: true
owner: root
group: kea
mode: "u=rw,g=r,o="
validate: kea-dhcp4 -T %s
notify:
- Kea_dhcp4.reloaded
- name: Deploy kea-dhcp6 configuration file
tags: [ kea, dhcp6 ]
become: true
when: kea_dhcp__dhcp6.enable
ansible.builtin.template:
src: kea-dhcp6.conf.jinja
dest: /etc/kea/kea-dhcp6.conf
backup: true
owner: root
group: kea
mode: "u=rw,g=r,o="
validate: kea-dhcp6 -T %s
notify:
- Kea_dhcp6.reloaded
- name: Copy kea-ctrl-agent configuration file
tags: [ kea, ctrl-agent ]
become: true
when: kea_dhcp__stork_agent.enable
ansible.builtin.template:
src: kea-ctrl-agent.conf.j2
dest: /etc/kea/kea-ctrl-agent.conf
owner: root
group: kea
mode: "u=rw,g=r,o="
validate: kea-ctrl-agent -t %s
notify:
- Kea_ctrl.reloaded
- Stork_agent.restarted

19
roles/kea_dhcp/tasks/main.yml Normal file
View file

@ -0,0 +1,19 @@
---
- name: Setup Kea DHCP
tags: [kea, dhcp]
block:
- name: Install Kea on Archlinux
when: ansible_facts['distribution'] == "Archlinux"
ansible.builtin.import_tasks: install_archlinux.yml
- name: Install Kea on Debian
when: ansible_facts['distribution'] == "Debian"
ansible.builtin.import_tasks: install_debian.yml
- name: Configure Kea
ansible.builtin.include_tasks: kea.yaml
- name: Run stork-agent tasks
tags: [stork-agent, monitoring]
when: kea_dhcp__stork_agent.enable
ansible.builtin.include_tasks: stork-agent.yaml

76
roles/kea_dhcp/tasks/stork-agent.yaml Normal file
View file

@ -0,0 +1,76 @@
---
- name: Install stork-agent
tags: [stork-agent]
block:
- name: Install stork-agent on Archlinux
when: ansible_facts['distribution'] == "Archlinux"
tags: [stork-agent, archlinux]
block:
- name: Create stork-agent user
ansible.builtin.user:
name: stork-agent
create_home: false
home: "/var/lib/stork-agent"
shell: "/usr/bin/nologin"
system: true
groups: ["kea"]
append: true
- name: Install stork-agent with aur_pkg_install
ansible.builtin.include_role:
name: aur_pkg_install
vars:
aur_pkg_install__pkg_name: "stork-agent"
aur_pkg_install__git_clone_url: "https://ansible:{{ secret__ansible_git_token }}@git.fux-eg.net/aur-mirror/stork-agent.git"
aur_pkg_install__git_ref: "bf96e34"
- name: Install stork-agent on Debian
when: ansible_facts['distribution'] == "Debian"
tags: [stork-agent, debian]
block:
- name: Register isc-stork apt repository
become: true
register: "kea_dhcp_install_repo"
ansible.builtin.deb822_repository:
name: isc-stork
uris: https://dl.cloudsmith.io/public/isc/stork/deb/debian
suites: any-version
components: main
signed_by: https://dl.cloudsmith.io/public/isc/stork/gpg.key
- name: Install isc-stork-agent
become: true
ansible.builtin.apt:
name: isc-stork-agent
update_cache: "{{ kea_dhcp_install_repo.changed }}"
- name: Add stork-agent user to _kea group on Debian
when: ansible_facts['distribution'] == "Debian"
become: true
ansible.builtin.user:
name: stork-agent
groups: ["_kea"]
append: true
- name: Config for stork-agent
ansible.builtin.template:
src: stork-agent.env.jinja
dest: /etc/stork/agent.env
owner: root
group: root
mode: "0660"
notify:
- Systemd_daemon_reload
- Stork_agent.restarted
- name: Flush handlers
ansible.builtin.meta: flush_handlers
- name: Ensure that stork kea exporter is working
ansible.builtin.uri:
url: "http://localhost:9547/metrics"
method: GET
register: kea_dhcp_stork_status_code
retries: 6
delay: 5
until: kea_dhcp_stork_status_code.status == 200

20
roles/kea_dhcp/templates/kea-ctrl-agent.conf.j2 Normal file
View file

@ -0,0 +1,20 @@
{
"Control-agent": {
"http-host": "127.0.0.1",
"http-port": 8000,
"control-sockets": {
{% if kea_dhcp__dhcp4.enable | default(false) %}
"dhcp4": {
"socket-type": "{{ kea_dhcp__dhcp4['control-sockets'][0]['socket-type'] }}",
"socket-name": "{{ kea_dhcp__dhcp4['control-sockets'][0]['socket-name'] }}"
}{% if kea_dhcp__dhcp6.enable %},{% endif %}
{% endif %}
{% if kea_dhcp__dhcp6.enable | default(false) %}
"dhcp6": {
"socket-type": "{{ kea_dhcp__dhcp6['control-sockets'][0]['socket-type'] }}",
"socket-name": "{{ kea_dhcp__dhcp6['control-sockets'][0]['socket-name'] }}"
},
{% endif %}
}
}
}

27
roles/kea_dhcp/templates/kea-dhcp4.conf.jinja Normal file
View file

@ -0,0 +1,27 @@
{
"Dhcp4": {
"interfaces-config": {
"interfaces": {{ kea_dhcp__dhcp4.interfaces | to_nice_json }}
},
"control-sockets": {{ kea_dhcp__dhcp4['control-sockets'] | to_nice_json }},
"lease-database": {{ kea_dhcp__dhcp4['lease-database'] | to_nice_json }},
{% if kea_dhcp__dhcp4['option-data'] is defined and kea_dhcp__dhcp4['option-data'] %}
"option-data": {{ kea_dhcp__dhcp4['option-data'] | to_nice_json }},
{% endif %}
"subnet4": [
{% for subnet in kea_dhcp__dhcp4.subnets %}
{
"id": {{ subnet.id }},
"subnet": "{{ subnet.subnet }}",
"pools": {{ subnet.pools | to_nice_json }},
{% if subnet.reservations is defined and subnet.reservations %}
"reservations": {{ subnet.reservations | to_nice_json }},
{% endif %}
{% if subnet['option-data'] is defined and subnet['option-data'] %}
"option-data": {{ subnet['option-data'] | to_nice_json }}
{% endif %}
}{% if not loop.last %},{% endif %}
{% endfor %}
]
}
}

27
roles/kea_dhcp/templates/kea-dhcp6.conf.jinja Normal file
View file

@ -0,0 +1,27 @@
{
"Dhcp6": {
"interfaces-config": {
"interfaces": {{ kea_dhcp__dhcp6.interfaces | to_nice_json }}
},
"control-sockets": {{ kea_dhcp__dhcp6['control-sockets'] | to_nice_json }},
"lease-database": {{ kea_dhcp__dhcp6['lease-database'] | to_nice_json }},
{% if kea_dhcp__dhcp6['option-data'] is defined and kea_dhcp__dhcp6['option-data'] %}
"option-data": {{ kea_dhcp__dhcp6['option-data'] | to_nice_json }},
{% endif %}
"subnet6": [
{% for subnet in kea_dhcp__dhcp6.subnets %}
{
"id": {{ subnet.id }},
"subnet": "{{ subnet.subnet }}",
"pools": {{ subnet.pools | to_nice_json }},
{% if subnet.reservations is defined and subnet.reservations %}
"reservations": {{ subnet.reservations | to_nice_json }},
{% endif %}
{% if subnet['option-data'] is defined and subnet['option-data'] %}
"option-data": {{ subnet['option-data'] | to_nice_json }}
{% endif %}
}{% if not loop.last %},{% endif %}
{% endfor %}
]
}
}

44
roles/kea_dhcp/templates/stork-agent.env.jinja Normal file
View file

@ -0,0 +1,44 @@
### the IP or hostname to listen on for incoming Stork server connections
# STORK_AGENT_HOST=
### the TCP port to listen on for incoming Stork server connections
# STORK_AGENT_PORT=8081
### listen for commands from the Stork server only, but not for Prometheus requests
# STORK_AGENT_LISTEN_STORK_ONLY=true
{% if kea_dhcp__stork_agent.prometheus_only %}
### listen for Prometheus requests only, but not for commands from the Stork server
STORK_AGENT_LISTEN_PROMETHEUS_ONLY=true
{% endif %}
### settings for exporting stats to Prometheus
### the IP or hostname on which the agent exports Kea statistics to Prometheus
# STORK_AGENT_PROMETHEUS_KEA_EXPORTER_ADDRESS=
### the port on which the agent exports Kea statistics to Prometheus
# STORK_AGENT_PROMETHEUS_KEA_EXPORTER_PORT=
## enable or disable collecting per-subnet stats from Kea
# STORK_AGENT_PROMETHEUS_KEA_EXPORTER_PER_SUBNET_STATS=true
### the IP or hostname on which the agent exports BIND 9 statistics to Prometheus
# STORK_AGENT_PROMETHEUS_BIND9_EXPORTER_ADDRESS=
### the port on which the agent exports BIND 9 statistics to Prometheus
# STORK_AGENT_PROMETHEUS_BIND9_EXPORTER_PORT=
### Stork Server URL used by the agent to send REST commands to the server during agent registration
# STORK_AGENT_SERVER_URL=
### skip TLS certificate verification when the Stork Agent connects
### to Kea over TLS and Kea uses self-signed certificates
# STORK_AGENT_SKIP_TLS_CERT_VERIFICATION=true
### Logging parameters
### Set logging level. Supported values are: DEBUG, INFO, WARN, ERROR
STORK_LOG_LEVEL=DEBUG
### disable output colorization
# CLICOLOR=false
### path to the hook directory
# STORK_AGENT_HOOK_DIRECTORY=

19
roles/unbound/README.md Normal file
View file

@ -0,0 +1,19 @@
# Unbound DNS resolver
Role fora a validating, recursive, caching DNS resolver based on [Unbound](https://nlnetlabs.nl/projects/unbound/about/).
It is designed to be fast and lean and incorporates modern features based on open standards.
- [Documentation](https://unbound.docs.nlnetlabs.nl/en/latest/)
## Role Customization
The following variables can be used to customize this role:
| Variable | Type | Default | Description |
|------------------------------------------|-----------------|-----------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| unbound_install_prometheus_exporter | Boolean | `true` | Whether [Unbound Exporter](https://github.com/letsencrypt/unbound_exporter) should also be installed to expose resolver statistics in prometheus format. |
| unbound_bind_interfaces | List of Strings | `[0.0.0.0, ::]` | List of interface names or IP addresses on which unbound will listen for dns queries |
| unbound_enable_unbound_control | Boolean | `true` | Whether the [remote control](https://unbound.docs.nlnetlabs.nl/en/latest/getting-started/configuration.html#set-up-remote-control) feature of unbound should be configured. |
| unbound_enable_dnssec | Boolean | `true` | Whether dnssec validation should be enabled |
| unbound_access_control | List of Strings | `[]` | **Required** List of [unbound access control values](https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#:~:text=access-control:%20%3CIP%20netblock%3E%20%3Caction%3E) |
| unbound_disable_systemd_networkd | Boolean | `true` | If true, systemd-networkd is disabled and the local system is pointed towards the configured dns resolver. |

7
roles/unbound/defaults/main.yml Normal file
View file

@ -0,0 +1,7 @@
unbound_install_prometheus_exporter: true
unbound_bind_interfaces: [ "0.0.0.0", "::" ]
unbound_disable_systemd_networkd: true
unbound_enable_unbound_control: true
unbound_enable_dnssec: true
unbound_access_control: [ ]
unbound_private_domain: [ ]

1
roles/unbound/files/no-resolved.resolv.conf Normal file
View file

@ -0,0 +1 @@
nameserver 127.0.0.1

27
roles/unbound/handlers/main.yml Normal file
View file

@ -0,0 +1,27 @@
- name: unbound.restarted
tags: [ unbound, dns, dns_resolver ]
become: true
ansible.builtin.systemd:
name: unbound.service
state: restarted
- name: unbound.reloaded
tags: [ unbound, dns, dns_resolver ]
become: true
ansible.builtin.systemd:
name: unbound.service
state: reloaded
- name: prometheus-unbound-exporter.restarted
become: true
ansible.builtin.systemd:
name: prometheus-unbound-exporter.service
state: restarted
enabled: true
- name: prometheus-unbound-exporter.enabled
become: true
ansible.builtin.systemd:
name: prometheus-unbound-exporter.service
enabled: true
daemon_reload: true

63
roles/unbound/tasks/main.yml Normal file
View file

@ -0,0 +1,63 @@
- name: unbound role main
tags: [ unbound, dns, dns_resolver ]
block:
- name: install unbound dns resolver
become: true
ansible.builtin.package:
name: unbound
- name: install extra dns tooling
become: true
ansible.builtin.package:
name: [ bind ] # the bind package includes tools like dig in archlinux
- name: ensure correct directory permissions
become: true
ansible.builtin.file:
path: /etc/unbound
state: directory
mode: u=rwX,g=rX,o=rX
recurse: true
owner: unbound
group: unbound
- name: configure unbound dns resolver
become: true
notify: unbound.restarted
ansible.builtin.template:
src: unbound.conf.j2
dest: /etc/unbound/unbound.conf
owner: unbound
group: unbound
mode: u=rw,g=r,o=r
- name: ensure unbound is running and enabled
become: true
ansible.builtin.systemd:
name: unbound.service
state: started
enabled: true
- name: disable systemd-resolved
become: true
when: unbound_disable_systemd_networkd
ansible.builtin.systemd:
name: systemd-resolved.service
state: stopped
enabled: false
- name: configure system resolver to point to local unbound
become: true
when: unbound_disable_systemd_networkd
ansible.builtin.copy:
src: no-resolved.resolv.conf
dest: /etc/resolv.conf
owner: unbound
group: unbound
mode: u=rw,g=r,o=r
- name: install and configure prometheus-exporter for unbound
ansible.builtin.import_tasks: prometheus-exporter.yml
when: unbound_install_prometheus_exporter

17
roles/unbound/tasks/prometheus-exporter.yml Normal file
View file

@ -0,0 +1,17 @@
---
- name: install unbound prometheus exporter
become: true
ansible.builtin.package:
name: prometheus-unbound-exporter
notify: prometheus-unbound-exporter.enabled
- name: configure unbound exporter
become: true
ansible.builtin.copy:
dest: /etc/conf.d/prometheus-unbound-exporter
content: |
UNBOUND_EXPORTER_ARGS="-unbound.ca "" -unbound.cert "" -unbound.host "unix:///run/unbound-control.sock"
owner: root
group: root
mode: '0660'
notify: prometheus-unbound-exporter.restarted

73
roles/unbound/templates/unbound.conf.j2 Normal file
View file

@ -0,0 +1,73 @@
# ref: https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html
# unbound.conf(5) man page
server:
{% if unbound_enable_dnssec -%}
# disable chroot because unbound is the only thing running on the VM
# and because it has issues with how archlinux configures the systemd units write protection regarding the anchor file
chroot: ""
# location of the trust anchor file that enables DNSSEC
# this file is generated by the `unbound-anchor` command
auto-trust-anchor-file: "/etc/unbound/trusted-key.key"
{% endif -%}
# use all CPUs
num-threads: 2
# more cache memory
rrset-cache-size: 60m
msg-cache-size: 30m
# prefetch to keep the cache up to date
prefetch: yes
# fetch the DNSKEYs earlier in the validation process, when a DS record is encountered
prefetch-key: yes
# Faster UDP with multithreading (only on Linux).
so-reuseport: yes
# disable special large send buffer handling and just use kernel defaults
so-sndbuf: 0
# send minimal amount of information to upstream servers to enhance privacy
qname-minimisation: yes
# specify the interface to answer queries from by ip-address.
{% for i in unbound_bind_interfaces -%}
interface: "{{ i }}"
{% endfor %}
# addresses from the IP range that are allowed to connect to the resolver
{% for i in unbound_access_control -%}
access-control: {{ i }}
{% endfor -%}
{% for i in unbound_private_domain -%}
private-domain: {{ i }}
{% endfor -%}
# The number of seconds between printing statistics to the log for every thread.
statistics-interval: 0
# Extended statistics are printed, Keeping track of more statistics takes time.
extended-statistics: yes
remote-control:
control-enable: {{ "yes" if unbound_enable_unbound_control else "no" }}
control-interface: /run/unbound-control.sock
# configure some zones for which this resolver will act authoritatively
# https://www.dns.icann.org/services/axfr/
{% for i in [ ".", "in-addr.arpa.", "arpa.", "root-servers.net.", "ip6.arpa.", "ip6-servers.arpa.", "mcast.net." ] %}
auth-zone:
name: "{{ i }}"
primary: "lax.xfr.dns.icann.org"
primary: "iad.xfr.dns.icann.org"
fallback-enabled: yes
for-downstream: no
for-upstream: yes
{% endfor %}