From b3712ed3354cef44c015b38c16aa6d2d7897ce77 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Yoha=C3=AF-Eliel=20BERREBY?= Date: Mon, 13 Apr 2020 16:35:09 +0200 Subject: [PATCH] unbound: initial deployment --- group_vars/edc/ldap_local_replica.yml | 4 + group_vars/fleming/{dhcp.yml => main.yml} | 0 group_vars/pacaterie/{dhcp.yml => main.yml} | 0 hosts | 6 +- network.yml | 47 +++++------ roles/unbound/tasks/main.yml | 25 ++++++ roles/unbound/templates/recursive.conf.j2 | 89 +++++++++++++++++++++ roles/unbound/templates/unbound.conf.j2 | 10 +++ 8 files changed, 152 insertions(+), 29 deletions(-) create mode 100644 group_vars/edc/ldap_local_replica.yml rename group_vars/fleming/{dhcp.yml => main.yml} (100%) rename group_vars/pacaterie/{dhcp.yml => main.yml} (100%) create mode 100644 roles/unbound/tasks/main.yml create mode 100644 roles/unbound/templates/recursive.conf.j2 create mode 100644 roles/unbound/templates/unbound.conf.j2 diff --git a/group_vars/edc/ldap_local_replica.yml b/group_vars/edc/ldap_local_replica.yml new file mode 100644 index 0000000..bad6801 --- /dev/null +++ b/group_vars/edc/ldap_local_replica.yml @@ -0,0 +1,4 @@ +--- +ldap_local_replica_uri: + - 'ldap://ldap-replica-edc.adm.auro.re' + diff --git a/group_vars/fleming/dhcp.yml b/group_vars/fleming/main.yml similarity index 100% rename from group_vars/fleming/dhcp.yml rename to group_vars/fleming/main.yml diff --git a/group_vars/pacaterie/dhcp.yml b/group_vars/pacaterie/main.yml similarity index 100% rename from group_vars/pacaterie/dhcp.yml rename to group_vars/pacaterie/main.yml diff --git a/hosts b/hosts index c5561a3..8bdbb48 100644 --- a/hosts +++ b/hosts 
@@ -149,15 +149,15 @@ edc_pve gs_pve [dhcp] -dhcp-fleming.adm.auro.re +#dhcp-fleming.adm.auro.re dhcp-fleming-backup.adm.auro.re #dhcp-pacaterie.adm.auro.re #dhcp-pacaterie-backup.adm.auro.re #dhcp-edc.adm.auro.re #dhcp-gs.adm.auro.re -[dns] -#dns-fleming.adm.auro.re +[recursive_dns] +dns-fleming.adm.auro.re #dns-fleming-backup.adm.auro.re #dns-pacaterie.adm.auro.re #dns-pacaterie-backup.adm.auro.re diff --git a/network.yml b/network.yml index f402921..70c5641 100644 --- a/network.yml +++ b/network.yml @@ -1,20 +1,4 @@ --- -## Deploy DHCP -#- hosts: dhcp -# vars: -# service_repo: https://gitlab.federez.net/re2o/dhcp.git -# service_name: dhcp -# service_version: master -# service_config: -# hostname: re2o-server.adm.auro.re -# username: service-user -# password: "{{ vault_serviceuser_passwd }}" -# dhcp: -# authoritative: true -# roles: -# - re2o-service -# - isc-dhcp-server - # Set up DHCP servers. - hosts: dhcp vars: @@ -29,18 +13,29 @@ - re2o-service - isc-dhcp-server -# Deploy DNS -- hosts: dns + + +# Deploy unbound DNS server (recursive). +- hosts: recursive_dns vars: - service_repo: https://gitlab.crans.org/nounous/re2o-dns.git - service_name: dns - service_version: crans - service_config: - hostname: re2o-server.adm.auro.re - username: service-user - password: "{{ vault_serviceuser_passwd }}" + - dns_host_suffix: 253 roles: - - re2o-service + - unbound + + +# WIP: Deploy authoritative DNS servers +# - hosts: authoritative_dns +# vars: +# service_repo: https://gitlab.crans.org/nounous/re2o-dns.git +# service_name: dns +# service_version: crans +# service_config: +# hostname: re2o-server.adm.auro.re +# username: service-user +# password: "{{ vault_serviceuser_passwd }}" +# roles: +# - re2o-service + # Deploy Unifi Controller #- hosts: unifi-fleming.adm.auro.re,unifi-pacaterie.adm.auro.re diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml new file mode 100644 index 0000000..6358173 --- /dev/null +++ b/roles/unbound/tasks/main.yml 
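Review bot: In the new `recursive_dns` play, `vars:` is written as a list with a single mapping (`- dns_host_suffix: 253`) rather than as a mapping; Ansible does accept the list form, but the mapping form is the conventional one and, as far as I recall, recent ansible-core releases flag the list form as deprecated, so `vars:` with `dns_host_suffix: 253` indented directly beneath it is the safer spelling. The `hosts: recursive_dns` pattern matches the `[dns]` → `[recursive_dns]` rename in the hosts hunk, so the two hunks are consistent; the commented-out authoritative-DNS block is fine as a WIP placeholder.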
@@ -0,0 +1,25 @@
+---
+
+- name: install unbound
+ apt:
+ update_cache: true
+ name: unbound
+ state: present
+
+- name: setup main unbound config file
+ template:
+ src: unbound.conf.j2
+ dest: /etc/unbound/unbound.conf
+ mode: 0644
+
+- name: setup recursive DNS server config
+ template:
+ src: recursive.conf.j2
+ dest: /etc/unbound/unbound.conf.d/recursive.conf
+ mode: 0644
+
+
+- name: restart unbound after editing config
+ systemd:
+ state: restarted
+ name: unbound
diff --git a/roles/unbound/templates/recursive.conf.j2 b/roles/unbound/templates/recursive.conf.j2
new file mode 100644
index 0000000..1660ccb
--- /dev/null
+++ b/roles/unbound/templates/recursive.conf.j2
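Review bot: The last task (`restart unbound after editing config`) runs on every playbook run, not only when a template actually changed, so each deployment interrupts resolution for the clients of this resolver even on a no-op run; the idiomatic fix is to give both `template` tasks a `notify: restart unbound` and move the restart into a handler in `roles/unbound/handlers/main.yml`. The two `mode: 0644` values are unquoted, which YAML 1.1 parses as the integer 420; Ansible happens to interpret that correctly only because of the leading zero, and its documentation recommends the quoted string form `mode: '0644'`. It would also be worth considering a `validate:` step on the templates so a broken config never reaches the restart, but unbound-checkconf validates a whole configuration rather than a single included fragment, so confirm the invocation works before adding it.
```yaml
- name: setup main unbound config file
  template:
    src: unbound.conf.j2
    dest: /etc/unbound/unbound.conf
    mode: '0644'
  notify: restart unbound

# … unchanged: "setup recursive DNS server config" task, with the same mode/notify change …

# roles/unbound/handlers/main.yml — replaces the unconditional restart task
- name: restart unbound
  systemd:
    state: restarted
    name: unbound
```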
@@ -0,0 +1,89 @@
+server:
+ verbosity: 1
+ use-syslog: yes
+ logfile: "/var/log/unbound.log"
+ log-time-ascii: yes
+
+ # IP addresses on which to listen.
+ interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }}
+ interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }}
+ interface: 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix }}
+
+
+ # By default, anything other than localhost is refused.
+ # Whitelist some subnets:
+ access-control: 10.{{ subnet_ids.ap }}.0.0/16 allow
+ access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow
+ access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow
+
+ do-ip4: yes
+ # FIXME: IPv6 deployment... someday...
+ do-ip6: no
+
+ do-udp: yes
+ do-tcp: yes
+
+ num-threads: {{ ansible_processor_vcpus }}
+
+ # power of 2 close to num-threads
+ # TODO: compute this dynamically w/ Ansible
+ msg-cache-slabs: 16
+ rrset-cache-slabs: 16
+ infra-cache-slabs: 16
+ key-cache-slabs: 16
+
+ # Read the root hints from this file
+ # FIXME: missing file.
+ # root-hints: "/var/lib/unbound/root.hints"
+
+ harden-referral-path: yes
+ use-caps-for-id: yes
+ hide-identity: yes
+ hide-version: yes
+ harden-glue: yes
+ harden-dnssec-stripped: yes
+
+ # the time to live (TTL) value lower bound, in seconds. Default 0.
+ # If more than an hour could easily give trouble due to stale data.
+ # WARNING : against protocol rule but efficient against stupidly too low TTLs
+
+ cache-min-ttl: 3600
+
+ # the time to live (TTL) value cap for RRsets and messages in the
+ # cache. Items are not cached for longer. In seconds.
+ cache-max-ttl: 86400
+
+ prefetch: yes
+
+ # If nonzero, unwanted replies are not only reported in statistics, but also
+ # a running total is kept per thread. If it reaches the threshold, a warning
+ # is printed and a defensive action is taken, the cache is cleared to flush
+ # potential poison out of it. A suggested value is 10000000, the default is
+ # 0 (turned off). We think 10K is a good value.
+ unwanted-reply-threshold: 10000
+
+ # Should additional section of secure message also be kept clean of unsecure
+ # data. Useful to shield the users of this validator from potential bogus
+ # data in the additional section. All unsigned data in the additional section
+ # is removed from secure messages.
+ val-clean-additional: yes
+
+ # Log validation failures
+ val-log-level: 2
+
+
+ private-address: 10.0.0.0/8
+
+ # Optimise
+ # https://unbound.net/documentation/howto_optimise.html
+
+ # Faster UDP with multithreading (only on Linux).
+ so-reuseport: yes
+
+ # Taille du cache
+ rrset-cache-size: 100m
+ msg-cache-size: 50m
+
+ # gestion DNSSEC
+ harden-below-nxdomain: yes
+ harden-dnssec-stripped: yes
diff --git a/roles/unbound/templates/unbound.conf.j2 b/roles/unbound/templates/unbound.conf.j2
new file mode 100644
index 0000000..b2d7672
--- /dev/null
+++ b/roles/unbound/templates/unbound.conf.j2
@@ -0,0 +1,10 @@
+# Unbound configuration file for Debian.
+#
+# See the unbound.conf(5) man page.
+#
+# See /usr/share/doc/unbound/examples/unbound.conf for a commented
+# reference config file.
+#
+# The following line includes additional configuration files from the
+# /etc/unbound/unbound.conf.d directory.
+include: "/etc/unbound/unbound.conf.d/*.conf"
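Review bot: `private-address: 10.0.0.0/8` makes unbound strip any 10.x address from answers unless the zones that legitimately hand out such addresses are whitelisted with `private-domain`; this resolver serves the 10.x client subnets and the inventory uses `*.adm.auro.re` names, so if the internal zones resolve to 10.x (which I am inferring, not reading from the hunk) clients would presumably get empty answers for them, and each such zone needs a `private-domain: "<internal-zone>"` line. `harden-dnssec-stripped: yes` appears twice, once in the hardening block and again under `# gestion DNSSEC`, so the second copy can be dropped. With `use-syslog: yes` the `logfile:` setting is ignored by unbound, so either remove that line or set `use-syslog: no`. Validation itself depends on a trust anchor configured outside this fragment (the Debian package ships one in `unbound.conf.d`, picked up by the `include:` in unbound.conf.j2), which is worth confirming since `val-log-level` and `val-clean-additional` only take effect when validation is actually enabled.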