diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index d55fd60..be601da 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -36,3 +36,16 @@ monitoring_mail: 'monitoring.aurore@lists.crans.org'
 matrix_webhooks_secret: "{{ vault_matrix_webhooks_secret }}"
 matrix_discord_client_id: "559305991494303747"
 matrix_discord_bot_token: "{{ vault_matrix_discord_bot_token }}"
+
+### # DNS ###
+
+# Dernier octet (en décimal) de l'addresse des serveurs DNS récursifs de chaque
+# résidence.
+dns_host_suffix_main: 253
+dns_host_suffix_backup: 153
+
+backup_dns_servers:
+ - "80.67.169.12" # French Data Network (FDN) (ns0.fdn.fr)
+
diff --git a/hosts b/hosts
index 8bdbb48..f1ac5fd 100644
--- a/hosts
+++ b/hosts
@@ -149,18 +149,27 @@ edc_pve
 gs_pve
 [dhcp]
-#dhcp-fleming.adm.auro.re
+dhcp-fleming.adm.auro.re
 dhcp-fleming-backup.adm.auro.re
 #dhcp-pacaterie.adm.auro.re
 #dhcp-pacaterie-backup.adm.auro.re
 #dhcp-edc.adm.auro.re
 #dhcp-gs.adm.auro.re
-[recursive_dns]
+[recursive_dns:children]
+rdns_main
+rdns_backup
+
+[rdns_main]
 dns-fleming.adm.auro.re
-#dns-fleming-backup.adm.auro.re
-#dns-pacaterie.adm.auro.re
-#dns-pacaterie-backup.adm.auro.re
+dns-pacaterie.adm.auro.re
+
+[rdns_backup]
+dns-fleming-backup.adm.auro.re
+dns-pacaterie-backup.adm.auro.re
+
+ # FIXME:
 #dns-edc.adm.auro.re
 #dns-gs.adm.auro.re
diff --git a/network.yml b/network.yml
index 70c5641..9e8980c 100644
--- a/network.yml
+++ b/network.yml
@@ -17,8 +17,6 @@
 # Deploy unbound DNS server (recursive).
 - hosts: recursive_dns
- vars:
- - dns_host_suffix: 253
 roles:
 - unbound
diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2
index 9b166c2..f0a35fe 100644
--- a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2
+++ b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2
@@ -1,4 +1,3 @@
-# dhcpd.conf
 # {{ ansible_managed }}
 default-lease-time 86400;
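Review bot: `backup_dns_servers` is spliced into dhcpd's `option domain-name-servers` in roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 through `join(', ')`, but nothing here records the constraints that template relies on; a comment such as `# Public resolvers appended after the two local recursive ones in the DHCP domain-name-servers option: keep the list non-empty, IPv4 literals only.` would stop someone emptying the list or adding a hostname. The French comment above the suffixes misspells "addresse" (`adresse`). Handing a third-party resolver straight to every client also means lookups can leave the network in cleartext whenever a client prefers that entry, which is worth noting here as a deliberate choice if it is one.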
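Review bot: The `# FIXME:` added above `#dns-edc.adm.auro.re` gives no hint of what is pending; name it, e.g. `# FIXME: edc and gs resolvers are not yet assigned to rdns_main / rdns_backup`. `dns-pacaterie.adm.auro.re` and `dns-pacaterie-backup.adm.auro.re` are enabled here while both `#dhcp-pacaterie*` entries stay commented out, so the pacaterie DHCP servers will presumably not be configured to advertise those resolvers until they are uncommented as well. Uncommenting `dhcp-fleming.adm.auro.re` is unrelated to the DNS regrouping and would be clearer as its own commit.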
@@ -8,8 +7,6 @@ max-lease-time 86400;
 # The MTU theoretically could go as high as 1496 (4-byte VLAN tag).
 option interface-mtu 1400;
-# XXX: hardcoded DNS for now
-option domain-name-servers 80.67.169.12, 1.1.1.1;
 option root-path "/";
 # The ddns-updates-style parameter controls whether or not the server will
@@ -24,8 +21,6 @@ authoritative;
 log-facility local7;
-
-# TODO: move this failover peer declaration to a separate file and include it.
 {% if dhcp_failover is defined %}
 include "/etc/dhcp/dhcp-failover.conf";
 {% endif %}
@@ -38,6 +33,8 @@ subnet 10.{{ subnet_ids.ap }}.0.0 netmask 255.255.0.0 {
 option routers 10.{{ subnet_ids.ap }}.0.250;
 option domain-name "borne.auro.re";
 option domain-search "borne.auro.re";
+
+ option domain-name-servers 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }};
 include "/var/local/re2o-services/dhcp/generated/dhcp.borne.auro.re.list";
 deny unknown-clients;
@@ -51,6 +48,9 @@ subnet 10.{{ subnet_ids.users_wired }}.0.0 netmask 255.255.0.0 {
 option routers 10.{{ subnet_ids.users_wired }}.0.240;
 option domain-name "fil.{{ apartment_block }}.auro.re";
 option domain-search "auro.re";
+
+ option domain-name-servers 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }};
+
 include "/var/local/re2o-services/dhcp/generated/dhcp.fil.{{ apartment_block }}.auro.re.list";
 deny unknown-clients;
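Review bot: The new `option domain-name-servers` lines in the ap and users_wired subnet blocks (and the users_wifi block in the following hunk) emit `, ` before `backup_dns_servers|join(', ')` unconditionally, so an empty list renders `..., ;`, which dhcpd will not parse at startup; guard it with `{% if backup_dns_servers %}, {{ backup_dns_servers|join(', ') }}{% endif %}`. Advertising the public resolver as a third server also means clients can query it directly (resolver ordering and parallel-query behaviour are client-dependent), bypassing whatever the local unbound instances log or filter and sending lookups off-network in cleartext; if that is acceptable, a one-line comment saying so belongs on these lines, otherwise the fallback is better expressed as a forwarder in unbound. With the global `option domain-name-servers` removed in the `@@ -8,8 +7,6 @@` hunk, any subnet declaration outside these hunks no longer hands out nameservers at all. Each subnet block starts and ends outside its hunk.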
@@ -65,6 +65,9 @@ subnet 10.{{ subnet_ids.users_wifi }}.0.0 netmask 255.255.0.0 {
 option routers 10.{{ subnet_ids.users_wifi }}.0.240;
 option domain-name "wifi.{{ apartment_block }}.auro.re";
 option domain-search "auro.re";
+
+ option domain-name-servers 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }};
+
 include "/var/local/re2o-services/dhcp/generated/dhcp.wifi.{{ apartment_block }}.auro.re.list";
 pool {
@@ -76,4 +79,3 @@ subnet 10.{{ subnet_ids.users_wifi }}.0.0 netmask 255.255.0.0 {
 }
 }
-
diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml
index 6358173..18f99ce 100644
--- a/roles/unbound/tasks/main.yml
+++ b/roles/unbound/tasks/main.yml
@@ -1,5 +1,15 @@
 ---
+# This is used to let unbound bind to the right IP addresses.
+- set_fact:
+ dns_host_suffix: "{{ dns_host_suffix_main }}"
+ when: "'rdns_main' in group_names"
+
+- set_fact:
+ dns_host_suffix: "{{ dns_host_suffix_backup }}"
+ when: "'rdns_backup' in group_names"
+
+
 - name: install unbound
 apt:
 update_cache: true
@@ -18,7 +28,6 @@
 dest: /etc/unbound/unbound.conf.d/recursive.conf
 mode: 0644
-
 - name: restart unbound after editing config
 systemd:
 state: restarted
diff --git a/roles/unbound/templates/recursive.conf.j2 b/roles/unbound/templates/recursive.conf.j2
index f650b6c..ebfd445 100644
--- a/roles/unbound/templates/recursive.conf.j2
+++ b/roles/unbound/templates/recursive.conf.j2
@@ -1,7 +1,16 @@
+# {{ ansible_managed }}
+
 server:
 # Timestamps use UTC ASCII instead of UNIX epoch.
 log-time-ascii: yes
+ # Only log errors.
+ verbosity: 0
+
+ # "" sends logs to stderr, journalctl will pick things up.
+ logfile: ""
+
+
 do-ip4: yes
 # FIXME: IPv6 deployment... someday...
 do-ip6: no
diff --git a/roles/unbound/templates/unbound.conf.j2 b/roles/unbound/templates/unbound.conf.j2
index b2d7672..ee9a1cf 100644
--- a/roles/unbound/templates/unbound.conf.j2
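Review bot: The two conditional `set_fact` tasks leave `dns_host_suffix` undefined on any `recursive_dns` host that is in neither `rdns_main` nor `rdns_backup`, and a host that is in both silently gets the backup suffix because the second task wins; since the comment says the value drives which addresses unbound binds to, presumably the template render fails or binds the wrong address later in the role rather than failing here. An `assert` up front plus a single `set_fact` with a conditional expression makes the membership rule explicit and gives each task a name in the play output. The rest of the role (install, template, restart) continues outside this hunk.
```yaml
---
- name: refuse to run on a host outside exactly one of the rdns groups
  assert:
    that:
      - "'rdns_main' in group_names or 'rdns_backup' in group_names"
      - "not ('rdns_main' in group_names and 'rdns_backup' in group_names)"

# This is used to let unbound bind to the right IP addresses.
- name: pick the recursive DNS address suffix for this host
  set_fact:
    dns_host_suffix: "{{ dns_host_suffix_main if 'rdns_main' in group_names else dns_host_suffix_backup }}"

# … unchanged: install unbound and the rest of the role …
```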
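Review bot: The comment on `logfile: ""` says logs go to stderr for journalctl to collect, but unbound's `use-syslog` defaults to yes and, per unbound.conf(5), overrides `logfile`, so as written this line is a no-op and logging still goes to syslog (which journald collects anyway); either make the intent explicit with `use-syslog: yes` and drop `logfile: ""`, or set `use-syslog: no` if stderr really is wanted, bearing in mind that with an empty logfile unbound logs nowhere once daemonized. `verbosity: 0` keeps only errors, so there is no trace of operational events such as restarts or upstream failures; the default level 1 is the usual choice when some visibility is wanted for troubleshooting or incident response. The `server:` block continues past the hunk.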
+++ b/roles/unbound/templates/unbound.conf.j2
@@ -1,3 +1,5 @@
+# {{ ansible_managed }}
+#
 # Unbound configuration file for Debian.
 #
 # See the unbound.conf(5) man page.