diff --git a/inventories/chaosknoten/host_vars/auth-dns.yaml b/inventories/chaosknoten/host_vars/auth-dns.yaml
index 9191e8b..dc91e90 100644
--- a/inventories/chaosknoten/host_vars/auth-dns.yaml
+++ b/inventories/chaosknoten/host_vars/auth-dns.yaml
@@ -7,39 +7,36 @@ knot__dnssec_key_id: "auth-dns.hamburg.ccc.de-1"
knot__remotes:
- id: ns-intern.hamburg.ccc.de
address: [ "2a00:14b0:f000:23::53", "172.31.17.53" ]
- - id: ns.vie.ccc.de
- address: [ "2a02:1b8:10:31::228", "146.255.57.228" ]
knot__catalog_zones:
- domain: "hamburg.ccc.de.catalog."
- notify_targets: [ "ns.vie.ccc.de" ]
knot__zones:
- domain: "hh.ccc.de."
catalog_member: "hamburg.ccc.de.catalog."
- notify_targets: [ "ns-intern.hamburg.ccc.de", "ns.vie.ccc.de" ]
+ notify_targets: [ "ns-intern.hamburg.ccc.de" ]
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/hh.ccc.de.zone') }}"
- domain: "ccchh.net."
catalog_member: "hamburg.ccc.de.catalog."
- notify_targets: [ "ns-intern.hamburg.ccc.de", "ns.vie.ccc.de" ]
+ notify_targets: [ "ns-intern.hamburg.ccc.de" ]
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/ccchh.net.zone') }}"
- domain: "hamburg.ccc.de."
catalog_member: "hamburg.ccc.de.catalog."
- notify_targets: [ "ns-intern.hamburg.ccc.de", "ns.vie.ccc.de" ]
+ notify_targets: [ "ns-intern.hamburg.ccc.de" ]
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone') }}"
- domain: "eh20.easterhegg.eu."
catalog_member: "hamburg.ccc.de.catalog."
- notify_targets: [ "ns-intern.hamburg.ccc.de", "ns.vie.ccc.de" ]
+ notify_targets: [ "ns-intern.hamburg.ccc.de" ]
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/eh20.easterhegg.eu.zone') }}"
- domain: "eh22.easterhegg.eu."
catalog_member: "hamburg.ccc.de.catalog."
- notify_targets: [ "ns-intern.hamburg.ccc.de", "ns.vie.ccc.de" ]
+ notify_targets: [ "ns-intern.hamburg.ccc.de" ]
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/eh22.easterhegg.eu.zone') }}"
- domain: "3.2.0.0.0.0.0.f.0.b.4.1.0.0.a.2.ip6.arpa."
- notify_targets: [ "ns-intern.hamburg.ccc.de", "ns.vie.ccc.de" ]
+ notify_targets: [ "ns-intern.hamburg.ccc.de" ]
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/3.2.0.0.0.0.0.f.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}"
diff --git a/playbooks/deploy.yaml b/playbooks/deploy.yaml
index ad866cc..a3b047b 100644
--- a/playbooks/deploy.yaml
+++ b/playbooks/deploy.yaml
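Review bot: The catalog zone `hamburg.ccc.de.catalog.` keeps its `knot__catalog_zones` entry and every zone keeps its `catalog_member`, but once the `ns.vie.ccc.de` remote and the catalog's `notify_targets` are gone there is no consumer left for it, so Knot will keep generating (and, per the template change elsewhere in this diff, signing) a catalog that nobody transfers; either remove the catalog entry together with the `catalog_member` keys, or give it `notify_targets: [ "ns-intern.hamburg.ccc.de" ]` if ns-intern is meant to pick the member zones up from it. Check as well that knot.conf.j2 tolerates a catalog entry without a `notify_targets` key at all, since this hunk creates the first such entry. The zone files under `resources/chaosknoten/auth-dns/zones/` are not part of this diff; if their NS RRsets (and the parent-side delegations) still list ns.vie.ccc.de, the public delegation keeps pointing at a server that no longer receives NOTIFY and presumably is no longer allowed to AXFR from here, so it should come out of those RRsets in the same change. Dropping the remote does tighten the transfer ACL, which is the right direction.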
@@ -3,98 +3,69 @@
hosts: base_config_hosts
roles:
- base_config
- tags:
- - base_config
- name: Ensure systemd-networkd config deployment on systemd_networkd_hosts
hosts: systemd_networkd_hosts
roles:
- systemd_networkd
- tags:
- - systemd_networkd
- name: Ensure nftables deployment on nftables_hosts
hosts: nftables_hosts
roles:
- nftables
- tags:
- - nftables
- name: Ensure deployment of infrastructure authorized keys
hosts: infrastructure_authorized_keys_hosts
roles:
- infrastructure_authorized_keys
- tags:
- - infrastructure_authorized_keys
- name: Ensure Nextcloud config
hosts: nextcloud_hosts
roles:
- nextcloud
- tags:
- - nextcloud
- name: Ensure ola deployment on ola_hosts
hosts: ola_hosts
roles:
- ola
- tags:
- - ola
- name: Ensure foobazdmx deployment on foobazdmx_hosts
hosts: foobazdmx_hosts
roles:
- foobazdmx
- tags:
- - foobazdmx
- name: Ensure Dokuwiki config
hosts: wiki_hosts
roles:
- dokuwiki
- tags:
- - dokuwiki
- name: Ensure NetBox deployment on netbox_hosts
hosts: netbox_hosts
roles:
- netbox
- tags:
- - netbox
- name: Ensure NGINX deployment on nginx_hosts, which are also public_reverse_proxy_hosts, before certbot role runs
hosts: nginx_hosts:&public_reverse_proxy_hosts
roles:
- nginx
- tags:
- - nginx
- - public_reverse_proxy
- name: Ensure certbot and certificate deployment on certbot_hosts
hosts: certbot_hosts
roles:
- certbot
- tags:
- - certbot
- name: Ensure OnlyOffice custom fonts
ansible.builtin.import_playbook: onlyoffice_fonts.yaml
- tags:
- - onlyoffice_fonts
- name: Ensure Docker Compose deployment on docker_compose_hosts
hosts: docker_compose_hosts
roles:
- docker_compose
- tags:
- - docker_compose
- name: Ensure NGINX deployment on nginx_hosts
hosts: nginx_hosts:!public_reverse_proxy_hosts
roles:
- nginx
- tags:
- - nginx
- name: Configure unattended upgrades for all non-hypervisors
hosts: all:!hypervisors
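Review bot: Dropping the play-level `tags` leaves every play in this hunk unselectable with `--tags` and unskippable with `--skip-tags` unless the role's own tasks carry tags, and this diff only adds task-level tags inside `deploy_systemd_resolved_config` and `knot`; so for `base_config`, `nftables`, `certbot`, `nginx` and the other roles listed here, `ansible-playbook deploy.yaml --tags nginx` now matches nothing, unless those roles were tagged in an earlier change that is not visible on this page. If the intent is to move tagging into the roles, each of them needs the same per-task tags, or the plays can keep a selectable tag by loading the role through `tasks: [ { ansible.builtin.import_role: { name: nginx }, tags: [ nginx ] } ]`, since tags on `import_role` propagate to the role's tasks. Note also that `tags` on `import_playbook` applied to every play of the imported file, so `onlyoffice_fonts.yaml` loses its tag entirely for the same reason.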
@@ -106,46 +77,32 @@
- "o=${distro_id},n=${distro_codename}"
- "o=Docker,n=${distro_codename}"
- "o=nginx,n=${distro_codename}"
- tags:
- - unattended_upgrades
- name: Ensure Alloy is installed and Setup on alloy_hosts
hosts: alloy_hosts
become: true
roles:
- alloy
- tags:
- - alloy
- name: Ensure ansible_pull deployment on ansible_pull_hosts
hosts: ansible_pull_hosts
roles:
- ansible_pull
- tags:
- - ansible_pull
- name: Ensure msmtp is setup on msmtp_hosts
hosts: msmtp_hosts
roles:
- msmtp
- tags:
- - msmtp
- name: Ensure Renovate is setup on renovate_hosts
hosts: renovate_hosts
roles:
- renovate
- tags:
- - renovate
- name: Run ensure_eh22_styleguide_dir Playbook
ansible.builtin.import_playbook: ensure_eh22_styleguide_dir.yaml
- tags:
- - eh22_styleguide_dir
- name: Setup authoritative dns servers
hosts: auth-dns
roles:
- knot
- tags:
- - knot
diff --git a/playbooks/maintenance.yaml b/playbooks/maintenance.yaml
index 9fe3886..c912a53 100644
--- a/playbooks/maintenance.yaml
+++ b/playbooks/maintenance.yaml
@@ -1,7 +1,5 @@
- name: Ensure NGINX repo setup and nginx install on relevant hosts
hosts: nginx_hosts:nextcloud_hosts
- tags:
- - nextcloud_nginx
tasks:
- name: Ensure NGINX repo is setup
ansible.builtin.include_role:
@@ -15,8 +13,6 @@
- name: Ensure Docker repo setup and package install on relevant hosts
hosts: docker_compose_hosts:nextcloud_hosts
- tags:
- - nextcloud_docker
tasks:
- name: Ensure Docker repo is setup
ansible.builtin.include_role:
@@ -32,8 +28,6 @@
hosts: all:!hypervisors
roles:
- apt_update_and_upgrade
- tags:
- - apt_update_and_upgrade
- name: Run deploy Playbook
ansible.builtin.import_playbook: deploy.yaml
diff --git a/resources/external/status/docker_compose/config/services-chaosknoten.yaml b/resources/external/status/docker_compose/config/services-chaosknoten.yaml
index ab426bc..74991b7 100644
--- a/resources/external/status/docker_compose/config/services-chaosknoten.yaml
+++ b/resources/external/status/docker_compose/config/services-chaosknoten.yaml @@ -57,33 +57,6 @@ endpoints: # apparently TXT records aren't supported yet. # - "[BODY] == ________________gatus_test_________________" - - name: auth-dns (hamburg.ccc.de) - url: "auth-dns.hamburg.ccc.de" - <<: *services_chaosknoten_defaults - dns: - query-name: "hamburg.ccc.de" - query-type: "A" - conditions: - - "[DNS_RCODE] == NOERROR" - - - name: auth-dns (eh22.easterhegg.eu) - url: "auth-dns.hamburg.ccc.de" - <<: *services_chaosknoten_defaults - dns: - query-name: "eh22.easterhegg.eu" - query-type: "A" - conditions: - - "[DNS_RCODE] == NOERROR" - - - name: auth-dns (club-assistant.ccchh.net) - url: "auth-dns.hamburg.ccc.de" - <<: *services_chaosknoten_defaults - dns: - query-name: "club-assistant.ccchh.net" - query-type: "AAAA" - conditions: - - "[DNS_RCODE] == NOERROR" - - name: CCCHH ID/Keycloak (main page/account console) url: "https://id.hamburg.ccc.de/" <<: *services_chaosknoten_defaults diff --git a/resources/external/status/docker_compose/config/websites.yaml b/resources/external/status/docker_compose/config/websites.yaml index 7ac34a2..78426f6 100644 --- a/resources/external/status/docker_compose/config/websites.yaml +++ b/resources/external/status/docker_compose/config/websites.yaml @@ -76,14 +76,6 @@ endpoints: - "[CERTIFICATE_EXPIRATION] > 48h" - "[BODY] == pat(*Digitale Selbstverteidigung in Hamburg*)" - - name: diday.org - url: "https://diday.org" - <<: *websites_defaults - conditions: - - "[STATUS] == 200" - - "[CERTIFICATE_EXPIRATION] > 48h" - - "[BODY] == pat(*DIDay*)" - - name: element-admin.hamburg.ccc.de url: "https://element-admin.hamburg.ccc.de" <<: *websites_defaults diff --git a/roles/deploy_systemd_resolved_config/handlers/main.yaml b/roles/deploy_systemd_resolved_config/handlers/main.yaml index 05b7521..b40760b 100644 --- a/roles/deploy_systemd_resolved_config/handlers/main.yaml +++ b/roles/deploy_systemd_resolved_config/handlers/main.yaml 
@@ -1,5 +1,6 @@
---
- name: "reload systemd-resolved"
+ tags: [ "deploy_systemd_resolved_config" ]
become: true
ansible.builtin.systemd:
name: "systemd-resolved.service"
diff --git a/roles/deploy_systemd_resolved_config/tasks/disable.yaml b/roles/deploy_systemd_resolved_config/tasks/disable.yaml
index afa646a..9092116 100644
--- a/roles/deploy_systemd_resolved_config/tasks/disable.yaml
+++ b/roles/deploy_systemd_resolved_config/tasks/disable.yaml
@@ -1,11 +1,13 @@
---
- name: Ensure /etc/resolv.conf is a plain file
+ tags: [ "deploy_systemd_resolved_config" ]
become: true
ansible.builtin.file:
path: "/etc/resolv.conf"
state: file
- name: Write nameserver config directly into /etc/resolv.conf
+ tags: [ "deploy_systemd_resolved_config" ]
become: true
ansible.builtin.template:
src: "resolv.conf.j2"
@@ -15,6 +17,7 @@
mode: u=rw,g=r,o=r
- name: Disable systemd-resolved
+ tags: [ "deploy_systemd_resolved_config" ]
become: true
ansible.builtin.systemd:
name: "systemd-resolved.service"
diff --git a/roles/deploy_systemd_resolved_config/tasks/enable.yaml b/roles/deploy_systemd_resolved_config/tasks/enable.yaml
index 2659c32..9a7438e 100644
--- a/roles/deploy_systemd_resolved_config/tasks/enable.yaml
+++ b/roles/deploy_systemd_resolved_config/tasks/enable.yaml
@@ -1,11 +1,13 @@
---
- name: Ensure systemd-resolved is installed
+ tags: [ "deploy_systemd_resolved_config" ]
become: true
when: ansible_facts["distribution"] == "Debian"
ansible.builtin.package:
name: [ "systemd-resolved" ]
- name: Deploy systemd-resolved config
+ tags: [ "deploy_systemd_resolved_config" ]
become: true
notify: "reload systemd-resolved"
ansible.builtin.template:
@@ -16,6 +18,7 @@
mode: u=rw,g=r,o=r
- name: Make /etc/resolv.conf points to systemd-resolved
+ tags: [ "deploy_systemd_resolved_config" ]
become: true
when: deploy_systemd_resolved_config__mode != "extern"
ansible.builtin.file: # noqa: jinja
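Review bot: The `tags` line added to the `reload systemd-resolved` handler is very likely inert: Ansible applies `--tags`/`--skip-tags` to tasks, and a handler runs whenever a task that actually ran notifies it, regardless of any tag on the handler itself — confirm against the Ansible version in use, and if so drop the line so nobody expects handlers to be tag-selectable. The per-task tags in `disable.yaml` and `enable.yaml` are genuinely needed, because the role's main.yaml pulls these files in with `include_tasks`, which does not propagate tags to the included tasks. A one-line comment above the first task of each file, `# include_tasks does not propagate tags, so every task carries the role tag`, would explain the repetition; alternatively, switching main.yaml to `import_tasks` lets a single tag on the import cover the whole file.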
@@ -32,6 +35,7 @@
{%- endif -%}
- name: Ensure systemd-resolved is running and enabled
+ tags: [ "deploy_systemd_resolved_config" ]
become: true
ansible.builtin.systemd:
name: systemd-resolved.service
diff --git a/roles/deploy_systemd_resolved_config/tasks/main.yaml b/roles/deploy_systemd_resolved_config/tasks/main.yaml
index 00558dc..00bc293 100644
--- a/roles/deploy_systemd_resolved_config/tasks/main.yaml
+++ b/roles/deploy_systemd_resolved_config/tasks/main.yaml
@@ -1,8 +1,10 @@
---
- name: Include enable.yaml
+ tags: [ "deploy_systemd_resolved_config" ]
ansible.builtin.include_tasks: enable.yaml
when: deploy_systemd_resolved_config__enable
- name: Include disable.yaml
+ tags: [ "deploy_systemd_resolved_config" ]
ansible.builtin.include_tasks: disable.yaml
when: not deploy_systemd_resolved_config__enable
diff --git a/roles/knot/handlers/main.yaml b/roles/knot/handlers/main.yaml
index feb3ceb..38fce75 100644
--- a/roles/knot/handlers/main.yaml
+++ b/roles/knot/handlers/main.yaml
@@ -1,16 +1,19 @@
---
- name: reload knot
+ tags: [ auth-dns ]
become: true
ansible.builtin.systemd:
name: knot.service
state: reloaded
- name: netplan apply
+ tags: [ auth-dns ]
become: true
changed_when: true
ansible.builtin.command: "netplan apply"
- name: restart knot-exporter
+ tags: [ auth-dns ]
become: true
ansible.builtin.systemd:
name: knot-exporter.service
diff --git a/roles/knot/tasks/01-install.yaml b/roles/knot/tasks/01-install.yaml
index 8a5feed..0a269d6 100644
--- a/roles/knot/tasks/01-install.yaml
+++ b/roles/knot/tasks/01-install.yaml
@@ -1,5 +1,6 @@
---
- name: Install knot
+ tags: [ auth-dns ]
become: true
ansible.builtin.package:
name:
diff --git a/roles/knot/tasks/02-configure.yaml b/roles/knot/tasks/02-configure.yaml
index a2a8e55..2b0b0fa 100644
--- a/roles/knot/tasks/02-configure.yaml
+++ b/roles/knot/tasks/02-configure.yaml
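Review bot: The tag introduced on the knot handlers (and on the knot tasks further down) is `auth-dns`, while the play-level tag this same diff removes from the `Setup authoritative dns servers` play in deploy.yaml was `knot`, so an operator still running `--tags knot` now silently selects nothing; keep the old name, `tags: [ knot ]`, or carry both during a transition, `tags: [ knot, auth-dns ]`. `auth-dns` is also the only hyphenated tag on this page — the sibling role uses `deploy_systemd_resolved_config` — so a snake_case name such as `auth_dns` would keep tag spelling consistent across roles. As with any handler, the tag on `reload knot`, `netplan apply` and `restart knot-exporter` probably has no selection effect, since notified handlers run irrespective of tag filtering; verify and drop those three lines if so.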
@@ -1,5 +1,6 @@
---
- name: Ensure required directories exist
+ tags: [ auth-dns ]
become: true
loop: [ "/etc/knot", "/etc/knot/zones" ]
ansible.builtin.file:
@@ -10,6 +11,7 @@
mode: u=rwx,g=rx,o=
- name: Deploy knot configuration file
+ tags: [ auth-dns ]
become: true
notify: reload knot
ansible.builtin.template:
@@ -20,6 +22,7 @@
mode: u=rw,g=r,o=
- name: Deploy configured zones
+ tags: [ auth-dns ]
become: true
notify: reload knot
loop: "{{ knot__zones }}"
@@ -39,6 +42,7 @@
# this results in outgoing zone transfers failing because knot will prefer to use the dynamic address over the statically configured one.
# so because we are configuring a DNS Nameserver where known IP-Addresses are actually important for ACL reasons, SLAAC is disabled
- name: Disable IPv6 SLAAC
+ tags: [ auth-dns ]
become: true
notify: netplan apply
ansible.builtin.template:
diff --git a/roles/knot/tasks/03-configure-exporter.yaml b/roles/knot/tasks/03-configure-exporter.yaml
index 8077ecd..4254acb 100644
--- a/roles/knot/tasks/03-configure-exporter.yaml
+++ b/roles/knot/tasks/03-configure-exporter.yaml
@@ -1,4 +1,5 @@
- name: Deploy knot-exporter systemd unit
+ tags: [ auth-dns ]
become: true
register: knot_deploy_service_file
notify: restart knot-exporter
@@ -10,6 +11,7 @@
mode: u=rw,g=r,o=r
- name: Ensure knot-exporter is running and enabled
+ tags: [ auth-dns ]
become: true
ansible.builtin.systemd:
name: knot-exporter.service
diff --git a/roles/knot/templates/knot.conf.j2 b/roles/knot/templates/knot.conf.j2
index 45a0f8d..c661e25 100644
--- a/roles/knot/templates/knot.conf.j2
+++ b/roles/knot/templates/knot.conf.j2
@@ -67,7 +67,8 @@ template:
# template for automatically created special zones
- id: catalog
catalog-role: generate
- dnssec-signing: off
+ dnssec-signing: on
+ dnssec-policy: default
# define zones on this server
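Review bot: `03-configure-exporter.yaml` begins directly with `- name: Deploy knot-exporter systemd unit` and has no `---` document-start marker, whereas `01-install.yaml`, `02-configure.yaml` and the knot handler file in this same diff all open with `---`; since the first hunk already touches line 1, add `---` as the new first line so yamllint's document-start rule and the role's own convention hold. The placement of `tags: [ auth-dns ]` directly under `- name:` and before `become:` matches the other knot task files, so the header is the only inconsistency left in this file.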