init

.gitignore

@@ -0,0 +1,36 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version 
+# control as they are data points which are potentially sensitive and subject 
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+.terraform.lock.hcl
+*.tfbackend

README.md

@@ -0,0 +1,15 @@
+# dmz-dns-vm
+
+Provisions a VM using libvirt which acts as the DNS server on our DMZ network.
+
+The VMs on our DMZ might like to contact eachother.
+For example, one VM wants to clone a repository from the git server.
+However, because our home network is NATed, a DNS lookup of these servers will result in our public IP address.
+This will in general not work, because the public IP address is only assigned on the WAN port of the router.
+
+One solution is to overwrite DNS requests from the DMZ to the router if they query these VMs.
+However, then the router needs to operate on the DMZ vlan, which is not ideal in terms of security.
+
+This solution creates a seperate VM on the DMZ that acts as the DNS server.
+Dnsmasq checks whether a request is made for a DMZ server and forwards this to an NSD server.
+This NSD server pretends to be authoritative for these requests and returns their DMZ internal IP addresses.

cloud_init.cfg.tftpl

@@ -0,0 +1,15 @@
+#cloud-config
+hostname: ${name}
+manage_etc_hosts: true
+ssh_pwauth: false
+disable_root: false
+ssh_authorized_keys:
+  - "${host_public_key}"
+chpasswd:
+  list: |
+    root:root
+  expire: False
+packages:
+  - qemu-guest-agent
+ansible:
+  install_method: pip

main.tf

@@ -0,0 +1,52 @@
+terraform {
+  backend "pg" {
+    schema_name = "dmz_dns"
+  }
+
+  required_providers {
+    libvirt = {
+      source = "dmacvicar/libvirt"
+    }
+    template = {
+      source = "hashicorp/template"
+    }
+  }
+}
+
+provider "libvirt" {
+  uri = var.libvirt_endpoint
+}
+
+resource "libvirt_volume" "main_disk" {
+  name             = "${var.name}.iso"
+  pool             = "disk"
+  size             = 1024 * 1024 * 1024 * 15
+  base_volume_name = "debian-bookworm.qcow2"
+  base_volume_pool = "iso"
+}
+
+resource "libvirt_cloudinit_disk" "cloudinit" {
+  name           = "${var.name}.iso"
+  pool           = "init"
+  user_data      = templatefile("cloud_init.cfg.tftpl", { name = var.name, host_public_key = var.host_public_key })
+  network_config = templatefile("network_config.cfg.tftpl", {})
+}
+
+resource "libvirt_domain" "ubuntu" {
+  name   = var.name
+  memory = 1024
+  vcpu   = 4
+
+  disk {
+    volume_id = libvirt_volume.main_disk.id
+  }
+
+  network_interface {
+    network_name = "dmzbr"
+    hostname     = var.name
+    addresses    = ["192.168.30.7/24"]
+    mac          = "ca:fe:c0:ff:ee:07"
+  }
+
+  cloudinit = libvirt_cloudinit_disk.cloudinit.id
+}

network_config.cfg.tftpl

@@ -0,0 +1,9 @@
+version: 2
+ethernets:
+  ens3:
+    dhcp4: false
+    addresses:
+      - "192.168.30.7/24"
+    routes:
+      - to: 0.0.0.0/0
+        via: 192.168.30.1

variables.tf

@@ -0,0 +1,13 @@
+variable "name" {
+  default = "dmzdns"
+}
+
+variable "libvirt_endpoint" {
+  type = string
+  default = "qemu+ssh://root@debian.lan/system"
+}
+
+variable "host_public_key" {
+  type = string
+  default = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOodpLr+FDRyKyHjucHizNLVFHZ5AQmE9GmxMnOsSoaw pimkunis@thinkpadpim"
+}