commit e90a84c7444d91b0ba29d2bad235e961997c8760 Author: a Date: Thu Aug 1 23:27:30 2024 -0500 noot
diff --git a/ansible/.gitignore b/ansible/.gitignore
new file mode 100644
index 0000000..e845c18
--- /dev/null
+++ b/ansible/.gitignore
@@ -0,0 +1 @@
+inventory
diff --git a/ansible/Makefile b/ansible/Makefile
new file mode 100644
index 0000000..0163a5c
--- /dev/null
+++ b/ansible/Makefile
@@ -0,0 +1,10 @@
+.PHONY: all dns lb
+
+ANSIBLE_ROOT=ansible-playbook playbook.yml -i inventory
+
+all:
+ $(ANSIBLE_ROOT)
+lb:
+ $(ANSIBLE_ROOT) --tags "lb"
+dns:
+ $(ANSIBLE_ROOT) --tags "dns"
diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg
new file mode 100644
index 0000000..9697e59
--- /dev/null
+++ b/ansible/ansible.cfg
@@ -0,0 +1,2 @@
+[defaults]
+nocows=true
diff --git a/ansible/assets/index.html b/ansible/assets/index.html
new file mode 100644
index 0000000..4a82c54
--- /dev/null
+++ b/ansible/assets/index.html
@@ -0,0 +1,10 @@
+ + + + mydns + + +

dns server

+ + +
diff --git a/ansible/files/dns.Caddyfile b/ansible/files/dns.Caddyfile
new file mode 100644
index 0000000..9dce884
--- /dev/null
+++ b/ansible/files/dns.Caddyfile
@@ -0,0 +1,21 @@
+{
+ admin "unix//run/caddy/admin.socket"
+ email a@tuxpa.in
+}
+
+{{hostvars[inventory_hostname].public_dns}} {
+ route /dns-query {
+ respond "hello" 200
+ }
+
+ handle {
+ root * /var/www
+ rewrite * index.html
+ file_server
+ }
+}
+
+:80 {
+ respond "ok"
+}
+# vi: ft=caddyfile
diff --git a/ansible/files/haproxy.cfg b/ansible/files/haproxy.cfg
new file mode 100644
index 0000000..bccccfa
--- /dev/null
+++ b/ansible/files/haproxy.cfg
@@ -0,0 +1,39 @@
+global
+ log /dev/log local0 alert
+ log /dev/log local1 alert
+ chroot /var/lib/haproxy
+ stats socket /run/haproxy/admin.sock mode 660 level admin
+ stats timeout 30s
+ user haproxy
+ group haproxy
+ daemon
+
+ # Default SSL material locations
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
+
+ # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
+ ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+ ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
+
+frontend websecure
+ mode tcp
+ bind :443
+ default_backend websecure_servers
+ timeout connect 5s
+
+frontend web
+ mode tcp
+ bind :80
+ default_backend web_servers
+ timeout connect 5s
+
+backend websecure_servers
+ mode tcp
+ balance leastconn
+{% for host in dns_ord %}
+ server s{{loop.index}} {{ hostvars[host].internal_ip }}
+{% endfor %}
+
+
diff --git a/ansible/files/lb.Caddyfile b/ansible/files/lb.Caddyfile
new file mode 100644
index 0000000..7b4ee10
--- /dev/null
+++ b/ansible/files/lb.Caddyfile
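Review bot: The `handle` block sets `root * /var/www` and rewrites every request to `index.html`, but tasks/caddy.yml deploys the page to `/var/www/site/index.html`, so the file server will answer 404 unless the root becomes `root * /var/www/site`; lb.Caddyfile carries the same root. The `/dns-query` route answers a fixed `respond "hello" 200` instead of forwarding to sdns, which sdns.conf binds on `localhost:1053` with `binddoh` commented out, so this commit serves no DNS-over-HTTPS at all; if that is a deliberate placeholder, a `# TODO: reverse_proxy /dns-query to sdns` comment on the route would make that explicit.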
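Review bot: `frontend web` names `default_backend web_servers`, but no `backend web_servers` is defined anywhere in the file, so HAProxy refuses to load this configuration; either add that backend or drop the `:80` frontend. The Jinja loop iterates a bare `dns_ord` variable whereas lb.Caddyfile uses `groups["dns_ord"]`; if this file is ever rendered with `template`, `dns_ord` is undefined and rendering fails, so `{% for host in groups["dns_ord"] %}` looks like what was intended. Only `timeout connect` is set; HAProxy warns about the missing `timeout client` and `timeout server`, and without them idle connections are never reaped. Nothing in this commit deploys haproxy.cfg (the lb play imports tasks/envoy.yml, which is not in the diff), so these may be latent until the file is wired in.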
@@ -0,0 +1,24 @@
+{
+ admin "unix//run/caddy/admin.socket"
+ email a@tuxpa.in
+}
+
+{{hostvars[inventory_hostname]['public_dns']}} mydns.gay {
+ route / {
+ respond "mainpage" 200
+ }
+
+ route /dns-query {
+ respond "hello" 200
+ }
+ {% for host in groups["dns_ord"] %}
+ "{{ hostvars[host].inventory_hostname }}{{ hostvars[host].ansible_default_ipv4.address }}|cmk-agent|prod|lan|tcp|wato|/" + FOLDER_PATH + "/",
+ {% endfor %}
+
+ handle {
+ root * /var/www
+ rewrite * index.html
+ file_server
+ }
+}
+# vi: ft=caddyfile
diff --git a/ansible/files/sdns.conf b/ansible/files/sdns.conf
new file mode 100644
index 0000000..2a03e46
--- /dev/null
+++ b/ansible/files/sdns.conf
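Review bot: The body of the `{% for host in groups["dns_ord"] %}` loop emits `"{{ ... }}|cmk-agent|prod|lan|tcp|wato|/" + FOLDER_PATH + "/",` inside the site block, which is not Caddyfile syntax and will make Caddy reject the rendered config; it reads like a stray paste and should be removed or replaced with a real directive. The same loop reads `hostvars[host].ansible_default_ipv4.address` for the dns hosts, which only exists when facts for those hosts were gathered earlier in the same run; running the lb play on its own (`make lb`) would presumably fail on an undefined variable, so either gather facts for `dns_ord` first or use a static hostvar such as the `internal_ip` that haproxy.cfg relies on. `mydns.gay` is hard-coded next to the templated `public_dns` hostname; consider making it a variable as well so the two cannot drift.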
@@ -0,0 +1,194 @@
+# Config version, config and build versions can be different.
+version = "1.3.3"
+
+# Sets the sdns working directory. The directory must have write access for sdns's user.
+directory = "/var/lib/sdns"
+
+# Address to bind to for the DNS server.
+bind = "localhost:1053"
+
+# Address to bind to for the DNS-over-TLS server.
+# bindtls = ":853"
+
+# Address to bind to for the DNS-over-HTTPS server.
+# binddoh = ":443"
+
+# Address to bind to for the DNS-over-QUIC server.
+# binddoq = ":853"
+
+# TLS certificate file.
+# tlscertificate = "server.crt"
+
+# TLS private key file.
+# tlsprivatekey = "server.key"
+
+# Outbound IPv4 addresses, if you set multiple, sdns can use a random outbound IPv4 address by request based.
+outboundips = [
+]
+
+# Outbound IPv6 addresses, if you set multiple, sdns can use a random outbound IPv6 address by request based.
+outboundip6s = [
+]
+
+# Root zone IPv4 servers
+rootservers = [
+ "198.41.0.4:53",
+ "199.9.14.201:53",
+ "192.33.4.12:53",
+ "199.7.91.13:53",
+ "192.203.230.10:53",
+ "192.5.5.241:53",
+ "192.112.36.4:53",
+ "198.97.190.53:53",
+ "192.36.148.17:53",
+ "192.58.128.30:53",
+ "193.0.14.129:53",
+ "199.7.83.42:53",
+ "202.12.27.33:53"
+]
+
+# Root zone IPv6 servers
+root6servers = [
+ "[2001:503:ba3e::2:30]:53",
+ "[2001:500:200::b]:53",
+ "[2001:500:2::c]:53",
+ "[2001:500:2d::d]:53",
+ "[2001:500:a8::e]:53",
+ "[2001:500:2f::f]:53",
+ "[2001:500:12::d0d]:53",
+ "[2001:500:1::53]:53",
+ "[2001:7fe::53]:53",
+ "[2001:503:c27::2:30]:53",
+ "[2001:7fd::1]:53",
+ "[2001:500:9f::42]:53",
+ "[2001:dc3::35]:53"
+]
+
+# Trusted anchors for DNSSEC
+rootkeys = [
+ ". 
172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="
+]
+
+# Failover resolver IPv4 or IPv6 addresses with port, left blank for disabled.
+# fallbackservers = [
+# "8.8.8.8:53",
+# "[2001:4860:4860::8888]:53"
+# ]
+fallbackservers = [
+]
+
+# Forwarder resolver IPv4 or IPv6 addresses with port, left blank for disabled.
+# forwarderservers = [
+# "8.8.8.8:53",
+# "[2001:4860:4860::8888]:53",
+# "tls://8.8.8.8:853"
+# ]
+forwarderservers = [
+]
+
+# Address to bind to for the HTTP API server, left blank for disabled.
+api = "127.0.0.1:8053"
+
+# What kind of information should be logged, Log verbosity level [crit, error, warn, info, debug].
+loglevel = "info"
+
+# The location of the access log file, left blank for disabled. SDNS uses Common Log Format by default.
+# accesslog = ""
+
+# List of remote blocklists address list. All lists will be downloaded to the blocklist folder.
+# blocklists = [
+# "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts",
+# "http://sysctl.org/cameleon/hosts",
+# "https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt",
+# "https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt"
+# ]
+blocklists = [
+]
+
+# [DEPRECATED] This will be ignored. The directory will be created under the working directory automatically.
+blocklistdir = ""
+
+# IPv4 address to forward blocked queries to.
+nullroute = "0.0.0.0"
+
+# IPv6 address to forward blocked queries to.
+nullroutev6 = "::0"
+
+# Which clients are allowed to make queries.
+accesslist = [
+ "0.0.0.0/0",
+ "::0/0"
+]
+
+# Enables serving zone data from a hosts file, left blank for disabled. 
+# The form of the entries in the /etc/hosts file is based on IETF RFC 952, which was updated by IETF RFC 1123.
+hostsfile = "/etc/hosts"
+
+# Specifies the network timeout duration for each DNS lookup.
+timeout = "2s"
+
+# Defines the maximum duration to wait for each DNS query to respond.
+querytimeout = "10s"
+
+# Default error cache TTL in seconds.
+expire = 600
+
+# Cache size (total records in cache).
+cachesize = 256000
+
+# Cache prefetch before expire. The default threshold is 10%, 0 for disabled.
+# The threshold percent should be between 10% ~ 90%.
+prefetch = 10
+
+# Maximum iteration depth for a query.
+maxdepth = 30
+
+# Query-based ratelimit per second, 0 for disabled.
+ratelimit = 0
+
+# Client IP address-based ratelimit per minute, 0 for disabled.
+clientratelimit = 0
+
+# Manual blocklist entries.
+# blocklist = [
+# "example.com",
+# "example.net"
+# ]
+blocklist = [
+]
+
+# Whitelist entries.
+# whitelist = [
+# "example.com",
+# "example.net"
+# ]
+whitelist = [
+]
+
+# DNS server identifier (RFC 5001), it's useful while operating multiple sdns. Left blank for disabled.
+nsid = ""
+
+# Enable to answer version.server, version.bind, hostname.bind, id.server chaos queries.
+chaos = true
+
+# Qname minimization level. If higher, it can be more complex and impact the response performance.
+# If set to 0, qname minimization will be disabled.
+qname_min_level = 5
+
+# Empty zones return an answer for RFC 1918 zones. Please see http://as112.net/
+# for details of the problems you are causing and the countermeasures that have had to be deployed.
+# If the list is empty, SDNS will use default zones described at RFC.
+# emptyzones = [
+# "10.in-addr.arpa."
+# ]
+emptyzones = [
+]
+
+# You can add your own plugins to sdns. The plugin order is very important.
+# Plugins can be loaded before the cache middleware.
+# Config keys should be strings, and values can be anything. 
+# There is an example plugin at https://github.com/semihalev/sdnsexampleplugin
+# [plugins]
+# [plugins.example]
+# path = "exampleplugin.so"
+# config = {key_1 = "value_1", key_2 = 2, key_3 = true}
diff --git a/ansible/inventory.example b/ansible/inventory.example
new file mode 100644
index 0000000..2c2d31e
--- /dev/null
+++ b/ansible/inventory.example
@@ -0,0 +1,9 @@
+# vi: ft=yaml
+dnsserver:
+ hosts:
+ 127.0.0.1:
+ vars:
+lb:
+ hosts:
+ 127.0.0.1:
+ vars:
diff --git a/ansible/playbook.yml b/ansible/playbook.yml
new file mode 100644
index 0000000..b16aa80
--- /dev/null
+++ b/ansible/playbook.yml
@@ -0,0 +1,31 @@
+#vi ft: yaml.ansible
+---
+- hosts:
+ - dns_ord
+ tags: ["dns"]
+ tasks:
+ - import_tasks: ./tasks/debian.yml
+ - import_tasks: ./tasks/caddy.yml
+ - import_tasks: ./tasks/caddy-dns.yml
+ - import_tasks: ./tasks/dns.yml
+ handlers:
+ - name: restart sdns
+ service: name=sdns state=restarted enabled=yes
+ listen: "restart sdns"
+ - name: reload caddy
+ service: name=caddy state=restarted enabled=yes
+ listen: "reload caddy"
+- hosts: lb_ord
+ tags: ["lb"]
+ tasks:
+ - import_tasks: ./tasks/debian.yml
+ - import_tasks: ./tasks/caddy.yml
+ - import_tasks: ./tasks/caddy-lb.yml
+ - import_tasks: ./tasks/envoy.yml
+ handlers:
+ - name: reload caddy
+ service: name=caddy state=restarted enabled=yes
+ listen: "reload caddy"
+ - name: restart sshd
+ service: name=sshd state=restarted enabled=yes
+ listen: "restart sshd"
diff --git a/ansible/tasks/caddy-dns.yml b/ansible/tasks/caddy-dns.yml
new file mode 100644
index 0000000..4cd4426
--- /dev/null
+++ b/ansible/tasks/caddy-dns.yml
@@ -0,0 +1,6 @@
+# vi: ft=yaml.ansible
+- name: copy caddy config
+ template:
+ src: "{{ playbook_dir }}/files/dns.Caddyfile"
+ dest: "/etc/caddy/Caddyfile"
+ notify: "reload caddy"
diff --git a/ansible/tasks/caddy-lb.yml b/ansible/tasks/caddy-lb.yml
new file mode 100644
index 0000000..5f92b7f
--- /dev/null
+++ b/ansible/tasks/caddy-lb.yml
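Review bot: `accesslist` admits `0.0.0.0/0` and `::0/0` with `ratelimit = 0` and `clientratelimit = 0`, which is only safe while `bind = "localhost:1053"` keeps the listener on loopback; the moment `bindtls`/`binddoh` are uncommented this becomes an open recursive resolver, so a comment on `accesslist` such as `# open ACL is intentional only while bind stays on loopback; tighten before exposing a listener` would record that dependency. `chaos = true` answers `version.bind` and `hostname.bind` queries and so discloses the build version and hostname to anyone who can reach the port; `chaos = false` is the more conservative setting for a resolver meant to face the public.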
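Review bot: The example defines groups `dnsserver` and `lb`, while playbook.yml targets `dns_ord` and `lb_ord`, so an inventory copied from this file matches no hosts; rename the groups to `dns_ord:` and `lb_ord:`. The Caddyfile and haproxy templates also read `hostvars[...].public_dns` and `hostvars[...].internal_ip`, which the example never mentions, so the empty `vars:` keys should carry illustrative entries (constructed examples) such as `public_dns: dns.example.com` and `internal_ip: 10.0.0.1` so that users know which variables the templates require.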
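Review bot: tasks/debian.yml notifies `restart sshd`, but only the second play (`lb_ord`) declares that handler; on the `dns_ord` play Ansible aborts with a handler-not-found error as soon as the sshd_config task reports a change, so the `restart sshd` handler should be declared in the first play as well. Only the first task in debian.yml carries `become: true`, while the apt, file, template and service tasks that follow also need root; unless the connection user is already root, a play-level `become: true` on both plays is needed. The `reload caddy` handler actually performs `state=restarted`; if a full restart is intended, naming it `restart caddy` avoids misleading readers, otherwise a `command: caddy reload --config /etc/caddy/Caddyfile` handler would be the non-disruptive option.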
@@ -0,0 +1,6 @@
+# vi: ft=yaml.ansible
+- name: copy caddy config
+ template:
+ src: "{{ playbook_dir }}/files/lb.Caddyfile"
+ dest: "/etc/caddy/Caddyfile"
+ notify: "reload caddy"
diff --git a/ansible/tasks/caddy.yml b/ansible/tasks/caddy.yml
new file mode 100644
index 0000000..2d9b28f
--- /dev/null
+++ b/ansible/tasks/caddy.yml
@@ -0,0 +1,24 @@
+# vi: ft=yaml.ansible
+- name: install caddy
+ apt:
+ deb: https://github.com/caddyserver/caddy/releases/download/v2.8.4/caddy_2.8.4_linux_amd64.deb
+- name: ensure /run/caddy exists
+ file:
+ path: /run/caddy
+ state: directory
+ mode: '0755'
+ owner: caddy
+ group: caddy
+- name: ensure /var/www exists
+ file:
+ path: /var/www/site
+ state: directory
+ mode: '0755'
+ owner: caddy
+ group: caddy
+- name: copy index.html
+ template:
+ src: "{{ playbook_dir }}/assets/index.html"
+ dest: "/var/www/site/index.html"
+- name: ensure caddy is running
+ service: name=caddy state=started enabled=yes
diff --git a/ansible/tasks/debian.yml b/ansible/tasks/debian.yml
new file mode 100644
index 0000000..c3a3684
--- /dev/null
+++ b/ansible/tasks/debian.yml
@@ -0,0 +1,31 @@
+# vi: ft=yaml.ansible
+- name: update repos
+ become: true
+ apt:
+ upgrade: yes
+ update_cache: yes
+ cache_valid_time: 12800
+- pam_limits:
+ domain: '*'
+ limit_type: soft
+ limit_item: nofile
+ value: 1280000
+- name: install ntp
+ apt: pkg=ntp state=present
+- name: install vim
+ apt: pkg=vim state=present
+- name: install python3
+ apt: pkg=python3 state=present
+- name: install build-essential
+ apt: pkg=build-essential state=present
+- name: ensure ntp is running
+ service: name=ntp state=started enabled=yes
+- name: Disallow SSH password authentication
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ regexp: "^PasswordAuthentication"
+ line: "PasswordAuthentication no"
+ state: present
+ validate: sshd -t -f %s
+ notify:
+ - restart sshd
diff --git a/ansible/tasks/dns.yml b/ansible/tasks/dns.yml
new file mode 100644
index 0000000..e65e63a
--- /dev/null
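Review bot: `apt: deb: https://github.com/caddyserver/caddy/releases/download/v2.8.4/caddy_2.8.4_linux_amd64.deb` downloads and installs the package as root with no integrity check, so a tampered download path or mirror would be installed silently; fetching with `get_url` and a pinned `checksum:` first and then installing the local file keeps the version pin while adding verification (tasks/dns.yml installs the sdns .deb the same unverified way). `/run/caddy` is normally on tmpfs and is recreated empty at boot, so the directory created here for the admin socket is gone after a reboot; a systemd drop-in with `RuntimeDirectory=caddy` or a tmpfiles.d entry makes it persistent. The task named `ensure /var/www exists` actually creates `/var/www/site`; the name should say so.
```yaml
- name: download caddy package
  get_url:
    url: https://github.com/caddyserver/caddy/releases/download/v2.8.4/caddy_2.8.4_linux_amd64.deb
    dest: /tmp/caddy_2.8.4_linux_amd64.deb
    checksum: "sha256:<CADDY_DEB_SHA256_PLACEHOLDER>"
- name: install caddy
  apt:
    deb: /tmp/caddy_2.8.4_linux_amd64.deb
# … unchanged: /run/caddy, /var/www/site, index.html and service tasks …
```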
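Review bot: The `Disallow SSH password authentication` task uses `regexp: "^PasswordAuthentication"`, which does not match the commented `#PasswordAuthentication yes` shipped in a stock sshd_config, so the directive is appended at the end of the file; on images whose sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf`, a `PasswordAuthentication yes` in a drop-in (cloud-init places one on some images) wins because sshd keeps the first value it reads, and the appended line then has no effect. Writing the directive to a drop-in that sorts first, e.g. a `copy` of `PasswordAuthentication no` to `/etc/ssh/sshd_config.d/00-hardening.conf` with the same `validate: sshd -t -f %s`, is the robust form. `upgrade: yes` performs a full package upgrade on every run, a disruptive side effect for a task named `update repos`; consider `upgrade: safe` or moving it to its own task. The `pam_limits` task is the only one in the file without a `name:`.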
+++ b/ansible/tasks/dns.yml
@@ -0,0 +1,10 @@
+- name: install sdns
+ apt:
+ deb: https://github.com/semihalev/sdns/releases/download/v1.3.7/sdns_1.3.7_x86_64.deb
+- name: copy sdns config
+ copy:
+ src: "{{ playbook_dir }}/files/sdns.conf"
+ dest: "/etc/sdns.conf"
+ notify: "restart sdns"
+- name: ensure sdns is running
+ service: name=sdns state=started enabled=yes
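Review bot: The config is copied to `/etc/sdns.conf`, but nothing in the diff shows that the systemd unit shipped in the .deb reads that path rather than a `sdns.conf` in its working directory, so this should be confirmed against the packaged unit or the path passed explicitly through a drop-in. sdns.conf sets `directory = "/var/lib/sdns"` and states it must be writable by sdns's user, yet no task creates or chowns it; if the package does not do so, add a `file:` task with `state: directory` and the service user as owner before `restart sdns` fires. A `# NOTE: sdns listens on localhost:1053 only; Caddy does not proxy to it yet` comment on the `install sdns` task would also save the next reader from expecting a working resolver after this play.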