From 7275ebda47f48df7af5d3f553e6c2034bc281dcb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 18 Apr 2020 15:39:32 +0200 Subject: [PATCH 1/8] dhcp: ask clients to use our DNS servers --- group_vars/all/vars.yml | 14 ++++++++++++++ network.yml | 2 -- roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 | 14 ++++++++------ 3 files changed, 22 insertions(+), 8 deletions(-) diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index d55fd60..0cb89fc 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -36,3 +36,17 @@ monitoring_mail: 'monitoring.aurore@lists.crans.org' matrix_webhooks_secret: "{{ vault_matrix_webhooks_secret }}" matrix_discord_client_id: "559305991494303747" matrix_discord_bot_token: "{{ vault_matrix_discord_bot_token }}" + +### +# DNS +### + +# Dernier octet (en décimal) de l'addresse des serveurs DNS récursifs de chaque +# résidence. +dns_host_suffix: 253 + +upstream_dns_servers: + - "80.67.169.12" # French Data Network (FDN) (ns0.fdn.fr) + - "1.1.1.1" # Cloudflare + + diff --git a/network.yml b/network.yml index 70c5641..9e8980c 100644 --- a/network.yml +++ b/network.yml @@ -17,8 +17,6 @@ # Deploy unbound DNS server (recursive). - hosts: recursive_dns - vars: - - dns_host_suffix: 253 roles: - unbound diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 index 9b166c2..47da1d9 100644 --- a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 +++ b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 @@ -1,4 +1,3 @@ -# dhcpd.conf # {{ ansible_managed }} default-lease-time 86400; @@ -8,8 +7,6 @@ max-lease-time 86400; # The MTU theoretically could go as high as 1496 (4-byte VLAN tag). option interface-mtu 1400; -# XXX: hardcoded DNS for now -option domain-name-servers 80.67.169.12, 1.1.1.1; option root-path "/"; # The ddns-updates-style parameter controls whether or not the server will 
@@ -24,8 +21,6 @@ authoritative; log-facility local7; - -# TODO: move this failover peer declaration to a separate file and include it. {% if dhcp_failover is defined %} include "/etc/dhcp/dhcp-failover.conf"; {% endif %} @@ -38,6 +33,8 @@ subnet 10.{{ subnet_ids.ap }}.0.0 netmask 255.255.0.0 { option routers 10.{{ subnet_ids.ap }}.0.250; option domain-name "borne.auro.re"; option domain-search "borne.auro.re"; + + option domain-name-servers 10.{{ subnet_ids.ap }}.0.253, {{ upstream_dns_servers|join(', ') }}; include "/var/local/re2o-services/dhcp/generated/dhcp.borne.auro.re.list"; deny unknown-clients; @@ -51,6 +48,9 @@ subnet 10.{{ subnet_ids.users_wired }}.0.0 netmask 255.255.0.0 { option routers 10.{{ subnet_ids.users_wired }}.0.240; option domain-name "fil.{{ apartment_block }}.auro.re"; option domain-search "auro.re"; + + option domain-name-servers 10.{{ subnet_ids.users_wired }}.0.253, {{ upstream_dns_servers|join(', ') }}; + include "/var/local/re2o-services/dhcp/generated/dhcp.fil.{{ apartment_block }}.auro.re.list"; deny unknown-clients; @@ -65,6 +65,9 @@ subnet 10.{{ subnet_ids.users_wifi }}.0.0 netmask 255.255.0.0 { option routers 10.{{ subnet_ids.users_wifi }}.0.240; option domain-name "wifi.{{ apartment_block }}.auro.re"; option domain-search "auro.re"; + + option domain-name-servers 10.{{ subnet_ids.users_wifi }}.0.253, {{ upstream_dns_servers|join(', ') }}; + include "/var/local/re2o-services/dhcp/generated/dhcp.wifi.{{ apartment_block }}.auro.re.list"; pool { @@ -76,4 +79,3 @@ subnet 10.{{ subnet_ids.users_wifi }}.0.0 netmask 255.255.0.0 { } } - From 1777d0e154f09e754710c583cdf7437d3c8f8430 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 18 Apr 2020 15:42:31 +0200 Subject: [PATCH 2/8] unbound: log to /var/log/unbound.log, errors only --- roles/unbound/templates/recursive.conf.j2 | 7 +++++++ roles/unbound/templates/unbound.conf.j2 | 2 ++ 2 files changed, 9 insertions(+) 
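Review bot: The per-subnet `option domain-name-servers` added in the @@ -38 hunk (and likewise in @@ -51 and @@ -65) lists the public resolvers 80.67.169.12 and 1.1.1.1 after the local 10.x.0.253, but DHCP clients are not obliged to try resolvers in order — several common stacks rotate or race them — so some clients will send queries for the borne/fil/wifi auro.re names to the public resolvers even while the local unbound is healthy. If any of those names are only answerable by the local resolver, resolution becomes intermittent for those clients, and every such query leaves the residence in clear text. Because the earlier hunk in this file drops the global `option domain-name-servers`, any subnet declaration outside these hunks that relied on it now hands out no resolver at all, which is worth checking against the rest of the template. A comment above each added option, `# Clients may use any listed resolver, not only the first; the local one must answer everything the public ones can.`, would record the assumption the ordering relies on.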
diff --git a/roles/unbound/templates/recursive.conf.j2 b/roles/unbound/templates/recursive.conf.j2 index f650b6c..f5f7f69 100644 --- a/roles/unbound/templates/recursive.conf.j2 +++ b/roles/unbound/templates/recursive.conf.j2 @@ -1,7 +1,14 @@ +# {{ ansible_managed }} + server: # Timestamps use UTC ASCII instead of UNIX epoch. log-time-ascii: yes + logfile: /var/log/unbound.log + + # Only log errors. + verbosity: 0 + do-ip4: yes # FIXME: IPv6 deployment... someday... do-ip6: no diff --git a/roles/unbound/templates/unbound.conf.j2 b/roles/unbound/templates/unbound.conf.j2 index b2d7672..ee9a1cf 100644 --- a/roles/unbound/templates/unbound.conf.j2 +++ b/roles/unbound/templates/unbound.conf.j2 @@ -1,3 +1,5 @@ +# {{ ansible_managed }} +# # Unbound configuration file for Debian. # # See the unbound.conf(5) man page. From bfc7d542df8d82ed922371cfc80c3bd9d051f2d3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 18 Apr 2020 15:43:39 +0200 Subject: [PATCH 3/8] hosts: add all DNS VMs from fleming and pacaterie --- hosts | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/hosts b/hosts index 8bdbb48..e731c4c 100644 --- a/hosts +++ b/hosts @@ -158,9 +158,9 @@ dhcp-fleming-backup.adm.auro.re [recursive_dns] dns-fleming.adm.auro.re -#dns-fleming-backup.adm.auro.re -#dns-pacaterie.adm.auro.re -#dns-pacaterie-backup.adm.auro.re +dns-fleming-backup.adm.auro.re +dns-pacaterie.adm.auro.re +dns-pacaterie-backup.adm.auro.re #dns-edc.adm.auro.re #dns-gs.adm.auro.re From 22166bc69bef0f0ba9eb5c8623ba6e178053a4dd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 18 Apr 2020 16:23:57 +0200 Subject: [PATCH 4/8] unbound: log to journalctl --- group_vars/all/vars.yml | 2 +- hosts | 2 +- roles/unbound/tasks/main.yml | 1 - roles/unbound/templates/recursive.conf.j2 | 6 ++++-- 4 files changed, 6 insertions(+), 5 deletions(-) diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 0cb89fc..153e4f5 100644 
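Review bot: The added `logfile: /var/log/unbound.log` has no effect unless `use-syslog: no` is also set, because unbound's `use-syslog` defaults to yes and, per unbound.conf(5), takes precedence over `logfile`; nothing in this hunk sets it, so unless it is set further down the `server:` block (outside the hunk) errors keep going to syslog and the file stays empty. If file logging is really wanted, add `use-syslog: no` next to `logfile:` and have the role create `/var/log/unbound.log` writable by the unprivileged user unbound typically runs as, since the daemon drops privileges and cannot create the file in a root-owned /var/log. The `# Only log errors.` comment on `verbosity: 0` matches the man page (level 0 reports errors only), so that part is accurate.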
--- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -49,4 +49,4 @@ upstream_dns_servers: - "80.67.169.12" # French Data Network (FDN) (ns0.fdn.fr) - "1.1.1.1" # Cloudflare - +unbound_log_file: "/var/log/unbound.log" diff --git a/hosts b/hosts index e731c4c..0fc686d 100644 --- a/hosts +++ b/hosts @@ -150,7 +150,7 @@ gs_pve [dhcp] #dhcp-fleming.adm.auro.re -dhcp-fleming-backup.adm.auro.re +#dhcp-fleming-backup.adm.auro.re #dhcp-pacaterie.adm.auro.re #dhcp-pacaterie-backup.adm.auro.re #dhcp-edc.adm.auro.re diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml index 6358173..4dfaa59 100644 --- a/roles/unbound/tasks/main.yml +++ b/roles/unbound/tasks/main.yml @@ -18,7 +18,6 @@ dest: /etc/unbound/unbound.conf.d/recursive.conf mode: 0644 - - name: restart unbound after editing config systemd: state: restarted diff --git a/roles/unbound/templates/recursive.conf.j2 b/roles/unbound/templates/recursive.conf.j2 index f5f7f69..ebfd445 100644 --- a/roles/unbound/templates/recursive.conf.j2 +++ b/roles/unbound/templates/recursive.conf.j2 @@ -4,11 +4,13 @@ server: # Timestamps use UTC ASCII instead of UNIX epoch. log-time-ascii: yes - logfile: /var/log/unbound.log - # Only log errors. verbosity: 0 + # "" sends logs to stderr, journalctl will pick things up. + logfile: "" + + do-ip4: yes # FIXME: IPv6 deployment... someday... do-ip6: no From b57fa6e356b529568151f6b1a70dbd2928e4eb67 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 18 Apr 2020 16:51:37 +0200 Subject: [PATCH 5/8] dhcp: use backup DNS servers too --- roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 index 47da1d9..4c352ea 100644 --- a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 +++ b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 
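Review bot: The comment on the new `logfile: ""` line in recursive.conf.j2 says logs go to stderr, but with unbound's default `use-syslog: yes` (not overridden in this hunk) the `logfile` setting is ignored and messages go to syslog, which journald captures; the outcome is the same, yet the comment documents the wrong path and will mislead whoever later sets `use-syslog: no` and finds the logs vanish once the daemon forks. Suggest `# use-syslog (default yes) takes precedence over logfile; messages reach journald via syslog. "" only matters if use-syslog is turned off.` The `unbound_log_file` variable added to group_vars/all/vars.yml in the same commit is not referenced by any template this commit touches, so it appears to be dead from the moment it is introduced.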
@@ -34,7 +34,7 @@ subnet 10.{{ subnet_ids.ap }}.0.0 netmask 255.255.0.0 { option domain-name "borne.auro.re"; option domain-search "borne.auro.re"; - option domain-name-servers 10.{{ subnet_ids.ap }}.0.253, {{ upstream_dns_servers|join(', ') }}; + option domain-name-servers 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix_backup }}, {{ upstream_dns_servers|join(', ') }}; include "/var/local/re2o-services/dhcp/generated/dhcp.borne.auro.re.list"; deny unknown-clients; @@ -49,7 +49,7 @@ subnet 10.{{ subnet_ids.users_wired }}.0.0 netmask 255.255.0.0 { option domain-name "fil.{{ apartment_block }}.auro.re"; option domain-search "auro.re"; - option domain-name-servers 10.{{ subnet_ids.users_wired }}.0.253, {{ upstream_dns_servers|join(', ') }}; + option domain-name-servers 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_backup }}, {{ upstream_dns_servers|join(', ') }}; include "/var/local/re2o-services/dhcp/generated/dhcp.fil.{{ apartment_block }}.auro.re.list"; @@ -66,7 +66,7 @@ subnet 10.{{ subnet_ids.users_wifi }}.0.0 netmask 255.255.0.0 { option domain-name "wifi.{{ apartment_block }}.auro.re"; option domain-search "auro.re"; - option domain-name-servers 10.{{ subnet_ids.users_wifi }}.0.253, {{ upstream_dns_servers|join(', ') }}; + option domain-name-servers 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_backup }}, {{ upstream_dns_servers|join(', ') }}; include "/var/local/re2o-services/dhcp/generated/dhcp.wifi.{{ apartment_block }}.auro.re.list"; From a0651d770378f02dcfd1776b522a96f5de7958ca Mon Sep 17 00:00:00 2001 
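Review bot: `dns_host_suffix_main` and `dns_host_suffix_backup`, used in all three hunks (@@ -34, @@ -49, @@ -66), are not defined anywhere at this point in the series — group_vars/all/vars.yml still defines only `dns_host_suffix`, and the rename to the two new names only lands in the next commit — so rendering this template at this commit fails with an undefined-variable error, which breaks bisecting and any deploy made from it. Either fold the vars.yml rename into this commit or swap the order of the two. A short comment above the first option, `# .{{ dns_host_suffix_main }} / .{{ dns_host_suffix_backup }} are the local recursive resolvers, see group_vars/all/vars.yml`, would also save the next reader a lookup.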
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 18 Apr 2020 16:52:13 +0200 Subject: [PATCH 6/8] unbound: bind to the right addresses on backup hosts --- group_vars/all/vars.yml | 4 ++-- hosts | 13 +++++++++++-- roles/unbound/tasks/main.yml | 10 ++++++++++ 3 files changed, 23 insertions(+), 4 deletions(-) diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 153e4f5..5c438a9 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -43,10 +43,10 @@ matrix_discord_bot_token: "{{ vault_matrix_discord_bot_token }}" # Dernier octet (en décimal) de l'addresse des serveurs DNS récursifs de chaque # résidence. -dns_host_suffix: 253 +dns_host_suffix_main: 253 +dns_host_suffix_backup: 153 upstream_dns_servers: - "80.67.169.12" # French Data Network (FDN) (ns0.fdn.fr) - "1.1.1.1" # Cloudflare -unbound_log_file: "/var/log/unbound.log" diff --git a/hosts b/hosts index 0fc686d..9ec7bef 100644 --- a/hosts +++ b/hosts @@ -156,11 +156,20 @@ gs_pve #dhcp-edc.adm.auro.re #dhcp-gs.adm.auro.re -[recursive_dns] +[recursive_dns:children] +rdns_main +rdns_backup + +[rdns_main] dns-fleming.adm.auro.re -dns-fleming-backup.adm.auro.re dns-pacaterie.adm.auro.re + +[rdns_backup] +dns-fleming-backup.adm.auro.re dns-pacaterie-backup.adm.auro.re + + +# FIXME: #dns-edc.adm.auro.re #dns-gs.adm.auro.re diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml index 4dfaa59..18f99ce 100644 --- a/roles/unbound/tasks/main.yml +++ b/roles/unbound/tasks/main.yml @@ -1,5 +1,15 @@ --- +# This is used to let unbound bind to the right IP addresses. +- set_fact: + dns_host_suffix: "{{ dns_host_suffix_main }}" + when: "'rdns_main' in group_names" + +- set_fact: + dns_host_suffix: "{{ dns_host_suffix_backup }}" + when: "'rdns_backup' in group_names" + + - name: install unbound apt: update_cache: true From 12022389c4523e875fb571790d420a8e9103bcf2 Mon Sep 17 00:00:00 2001 
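Review bot: The two `set_fact` tasks added to roles/unbound/tasks/main.yml leave `dns_host_suffix` undefined for any `recursive_dns` host that is in neither `rdns_main` nor `rdns_backup`, and silently let the backup value win for a host that is in both; presumably the unbound template then fails on the undefined case and binds the wrong address in the other, with nothing pointing at the inventory as the cause. Add an assertion right after them: `- assert:` / `    that: "('rdns_main' in group_names) != ('rdns_backup' in group_names)"` / `    fail_msg: "put this host in exactly one of rdns_main / rdns_backup"`. The tasks also carry no `name:`, which ansible-lint flags and which makes play output hard to follow; `- name: use the main resolver address suffix` and a backup equivalent would do. Note that `set_fact` yields the string "253" while group_vars holds the integer 253, harmless for template interpolation but worth a comment if anything ever compares the values numerically.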
From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 18 Apr 2020 16:57:18 +0200 Subject: [PATCH 7/8] hosts: enable dhcp deployment on fleming --- hosts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hosts b/hosts index 9ec7bef..f1ac5fd 100644 --- a/hosts +++ b/hosts @@ -149,8 +149,8 @@ edc_pve gs_pve [dhcp] -#dhcp-fleming.adm.auro.re -#dhcp-fleming-backup.adm.auro.re +dhcp-fleming.adm.auro.re +dhcp-fleming-backup.adm.auro.re #dhcp-pacaterie.adm.auro.re #dhcp-pacaterie-backup.adm.auro.re #dhcp-edc.adm.auro.re From 662452065fd0168c7afad42a49f991970507707d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Sat, 18 Apr 2020 17:06:38 +0200 Subject: [PATCH 8/8] dhcp: remove Cloudflare from backup DNS and rename variable, since these are not technically upstream DNS servers (unbound will ask the root servers, not these) --- group_vars/all/vars.yml | 3 +-- roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 | 6 +++--- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 5c438a9..be601da 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -46,7 +46,6 @@ matrix_discord_bot_token: "{{ vault_matrix_discord_bot_token }}" dns_host_suffix_main: 253 dns_host_suffix_backup: 153 -upstream_dns_servers: +backup_dns_servers: - "80.67.169.12" # French Data Network (FDN) (ns0.fdn.fr) - - "1.1.1.1" # Cloudflare diff --git a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 index 4c352ea..f0a35fe 100644 --- a/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 +++ b/roles/isc-dhcp-server/templates/dhcp/dhcpd.conf.j2 
@@ -34,7 +34,7 @@ subnet 10.{{ subnet_ids.ap }}.0.0 netmask 255.255.0.0 { option domain-name "borne.auro.re"; option domain-search "borne.auro.re"; - option domain-name-servers 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix_backup }}, {{ upstream_dns_servers|join(', ') }}; + option domain-name-servers 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }}; include "/var/local/re2o-services/dhcp/generated/dhcp.borne.auro.re.list"; deny unknown-clients; @@ -49,7 +49,7 @@ subnet 10.{{ subnet_ids.users_wired }}.0.0 netmask 255.255.0.0 { option domain-name "fil.{{ apartment_block }}.auro.re"; option domain-search "auro.re"; - option domain-name-servers 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_backup }}, {{ upstream_dns_servers|join(', ') }}; + option domain-name-servers 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }}; include "/var/local/re2o-services/dhcp/generated/dhcp.fil.{{ apartment_block }}.auro.re.list"; @@ -66,7 +66,7 @@ subnet 10.{{ subnet_ids.users_wifi }}.0.0 netmask 255.255.0.0 { option domain-name "wifi.{{ apartment_block }}.auro.re"; option domain-search "auro.re"; - option domain-name-servers 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_backup }}, {{ upstream_dns_servers|join(', ') }}; + option domain-name-servers 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_main }}, 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix_backup }}, {{ backup_dns_servers|join(', ') }}; include "/var/local/re2o-services/dhcp/generated/dhcp.wifi.{{ apartment_block }}.auro.re.list";
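Review bot: With `backup_dns_servers` now down to a single entry, the rendering in all three hunks (@@ -34, @@ -49, @@ -66) is still `..., {{ backup_dns_servers|join(', ') }};`, so the day the list is emptied — the natural next step given the commit message's reasoning — each option renders as `10.x.0.253, 10.x.0.153, ;` and dhcpd rejects the whole configuration. Guard the join on each line: `{% if backup_dns_servers %}, {{ backup_dns_servers|join(', ') }}{% endif %}` in place of the trailing `, {{ backup_dns_servers|join(', ') }}`. It would also help to document, next to the variable in group_vars or above these options, that clients may send queries to this public resolver even while both local resolvers are up, which is what distinguishes it from a true fallback and why the list is best kept short.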