Add Public DNS resolver to ffac

host_vars/dns01.yml

@@ -0,0 +1,22 @@
+---
+servername: dns01
+
+# cloud-init config
+networkd_configures:
+  - iface: eth0
+    addresses:
+      - 5.145.135.158/27
+      - 2a00:fe0:43::158/64
+    gateway4: 5.145.135.129
+    gateway6: 2a00:fe0:43::1
+    dns_server:
+      - 9.9.9.9
+      - '2a03:2260:3006::53'
+
+dns_v4_listen_addrs:
+  - 127.0.0.1
+  - 5.145.135.158
+
+dns_v6_listen_addrs:
+  - '::1'
+  - '2a00:fe0:43::158'

inventory

@@ -26,6 +26,9 @@ all:
     bgp-test:
       ansible_host: 2a00:fe0:43::157
       ansible_user: ffac
+    dns01:
+      ansible_host: 5.145.135.158
+      ansible_user: ffac
 
 supernodes:
   hosts:
@@ -46,3 +49,7 @@ backbone:
     bb-b:
   children:
     bgp_clients:
+
+dns:
+  hosts:
+    dns01:

playbooks/dns.yml

@@ -0,0 +1,18 @@
+---
+
+- hosts: "dns"
+  pre_tasks:
+    - name: "Import pre_tasks: reboot-required.yml"
+      import_tasks: "include/reboot-required.yml"
+      tags: [always]
+    - name: "Import pre_task etckeeper"
+      import_tasks: "include/etckeeper_pre.yml"
+      tags: [always]
+  roles:
+    # General
+    - { name: ff.networkd, tags: networkd, become: true }
+    - { name: ff.bind, tags: bind, become: true}
+  post_tasks:
+    - name: "Import post_task etckeeper"
+      import_tasks: "include/etckeeper_post.yml"
+      tags: [always]

playbooks/roles/ff.bind/tasks/main.yml

@@ -0,0 +1,124 @@
+---
+
+- name: Install bind9 and bind9-dnsutils
+  apt:
+    update_cache: yes
+    name: "{{ packages }}"
+  vars:
+    packages:
+    - bind9
+    - bind9-dnsutils
+
+- name: Install named.conf
+  template:
+    src: named.conf
+    dest: /etc/bind/named.conf
+  register: bind9options
+
+- name: Install named.conf.options
+  template:
+    src: named.conf.options
+    dest: /etc/bind/named.conf.options
+  register: bind9options
+
+- name: Install named.conf.local
+  template:
+    src: named.conf.local
+    dest: /etc/bind/named.conf.local
+  register: bind9local
+
+- name: Install named.conf.zones
+  template:
+    src: named.conf.zones
+    dest: /etc/bind/named.conf.zones
+  register: bind9local
+
+- name: Install zone key
+  copy:
+    content: "{{ dns_zone_key }}"
+    dest: /etc/bind/rndc.key
+    mode: "0640"
+    owner: "bind"
+    group: "bind"
+
+- name: Ensure logging folder
+  file:
+    path: /var/log/named
+    state: directory
+    owner: "bind"
+    group: "bind"
+
+- name: enable bind9 service
+  systemd:
+    name: bind9.service
+    enabled: yes
+    state: started
+
+- name: update root.hints
+  get_url:
+    url: 'https://www.internic.net/domain/named.root'
+    dest: '/usr/share/dns/root.hints'
+    mode: 0644
+    backup: true
+
+- name: update root.hints.sig
+  get_url:
+    url: 'https://www.internic.net/domain/named.root.sig'
+    dest: '/usr/share/dns/root.hints.sig'
+    mode: 0644
+    backup: true
+
+- name: Create a directory ff-icvpn
+  ansible.builtin.file:
+    path: /opt/ff-icvpn
+    state: directory
+    mode: '0755'
+
+- name: Install ff-icvpn git-pull-hourly.sh
+  template:
+    src: git-pull-hourly.sh
+    dest: /opt/ff-icvpn/git-pull-hourly.sh
+    mode: '0777'
+
+- name: icvpn-cron
+  ansible.builtin.cron:
+    name: "icvpn update"
+    minute: "2"
+    job: "/opt/ff-icvpn/git-pull-hourly.sh"
+
+- name: icvpn-meta
+  ansible.builtin.git:
+    repo: 'https://github.com/freifunk/icvpn-meta'
+    dest: /opt/ff-icvpn/icvpn-meta
+    update: yes
+
+- name: icvpn-scripts
+  ansible.builtin.git:
+    repo: 'https://github.com/freifunk/icvpn-scripts'
+    dest: /opt/ff-icvpn/icvpn-scripts
+    update: yes
+
+- name: Install iptables.sh
+  template:
+    src: iptables.sh
+    dest: /usr/local/sbin/iptables.sh
+    mode: '0755'
+
+- name: Install iptables.sh.service
+  template:
+    src: iptables.sh.service
+    dest: /etc/systemd/system/iptables.sh.service
+    notify:
+      - reload systemctl
+
+- name: Enable iptables.sh.service
+  service:
+    name: iptables.sh.service
+    state: started
+    enabled: yes
+
+- name: reload bind9
+  raw: /usr/sbin/rndc reload
+  when: bind9options.changed or bind9local.changed
+
+

playbooks/roles/ff.bind/templates/git-pull-hourly.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+cd /opt/ff-icvpn/icvpn-meta && git pull -q
+cd /opt/ff-icvpn/icvpn-scripts && git pull -q
+
+# Update IC-VPN DNS-Delegation:
+cd /opt/ff-icvpn/icvpn-scripts
+#./mkdns -f bind-forward --filter=v4 -x aachen > /etc/bind/ICVPN.zones && rndc reload &>/dev/null
+./mkdns -f bind-forward -x aachen > /etc/bind/ICVPN.zones && rndc reload &>/dev/null

playbooks/roles/ff.bind/templates/iptables.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+iptables -F
+iptables -A INPUT -s 127.0.0.0/8 -j ACCEPT
+iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT
+iptables -A INPUT -s 5.145.135.128/27 -j ACCEPT
+iptables -A INPUT -s 185.66.193.40/29 -j ACCEPT
+iptables -A INPUT -p udp --source-port 0:1024 --dport 53 -j DROP
+iptables -A INPUT -p tcp --source-port 0:1024 --dport 53 -j DROP
+iptables -A INPUT -p udp --dport 53 -j ACCEPT
+iptables -A INPUT -p tcp --dport 53 -j ACCEPT
+
+ip6tables -F
+ip6tables -A INPUT -s ::1/128 -j ACCEPT
+ip6tables -A INPUT -s fe80::/64 -j ACCEPT
+ip6tables -A INPUT -s fdac::/64 -j ACCEPT
+ip6tables -A INPUT -s fda0:747e:ab29:acac::/64 -j ACCEPT
+ip6tables -A INPUT -s 2a03:2260:114::/48 -j ACCEPT
+ip6tables -A INPUT -s 2a03:2260:3006::/48 -j ACCEPT
+ip6tables -A INPUT -s 2a03:2260:40:0::/64 -j ACCEPT
+ip6tables -A INPUT -s 2a00:fe0:43::/48 -j ACCEPT
+ip6tables -A INPUT -p udp --source-port 0:1024 --dport 53 -j DROP
+ip6tables -A INPUT -p tcp --source-port 0:1024 --dport 53 -j DROP
+ip6tables -A INPUT -p udp --dport 53 -j ACCEPT
+ip6tables -A INPUT -p tcp --dport 53 -j ACCEPT
+

playbooks/roles/ff.bind/templates/iptables.sh.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=iptables firewall service
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/sbin/iptables.sh
+
+[Install]
+WantedBy=multi-user.target
+

playbooks/roles/ff.bind/templates/named.conf

@@ -0,0 +1,11 @@
+// This is the primary configuration file for the BIND DNS server named.
+//
+// Please read /usr/share/doc/bind9/README.Debian for information on the
+// structure of BIND configuration files in Debian, *BEFORE* you customize
+// this configuration file.
+//
+// If you are just adding zones, please do that in /etc/bind/named.conf.local
+
+include "/etc/bind/named.conf.options";
+include "/etc/bind/named.conf.local";
+//include "/etc/bind/named.conf.default-zones";

playbooks/roles/ff.bind/templates/named.conf.local

@@ -0,0 +1,61 @@
+//
+// Do any local configuration here
+//
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+
+include "/etc/bind/rndc.key";
+
+// acl trusted {
+//	127.0.0.1;	# localhost;
+// };
+
+// controls {
+// 	inet * allow { trusted; } keys { "rndc-key"; };
+// };
+
+statistics-channels {
+	inet 127.0.0.1 port 8053 allow { 127.0.0.1/32; };
+//	inet xxx.xxx.xxx.xxx port 8053 allow { 192.168.9.0/24; };
+};
+
+// http://zytrax.xom/books/dns/ch7/logging.html
+logging {
+	channel named_log {
+		file "/var/log/named/named.log" versions 5 size 50M;
+		print-time yes;
+		print-severity yes;
+		print-category yes;
+	};
+
+	channel query_log {
+		file "/var/log/named/query.log" versions 5 size 50M;
+		print-time yes;
+		print-severity yes;
+		print-category yes;
+	};
+
+	category client			{ default_syslog; };
+	category config			{ default_syslog; };
+	category database		{ default_syslog; };
+	category default		{ named_log; };
+	category delegation-only	{ default_syslog; };
+	category dispatch		{ default_syslog; };
+	category dnssec			{ default_syslog; };
+	category general		{ default_syslog; };
+	category lame-servers		{ null; };
+	category network		{ default_syslog; };
+	category notify			{ default_syslog; };
+	category queries		{ query_log; };
+	category resolver		{ default_syslog; };
+	category security		{ default_syslog; };
+	category unmatched		{ default_syslog; };
+	category update			{ default_syslog; };
+	category update-security	{ default_syslog; };
+	category xfer-in		{ default_syslog; };
+	category xfer-out		{ default_syslog; };
+};
+
+