move to new module setup #2
17 changed files with 379 additions and 47 deletions
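--- a/hermes.yml
+++ b/hermes.yml
@@ -0,0 +1,42 @@
+---
+- hosts: all
+gather_facts: no
+
+pre_tasks:
+- name: Wait for host to come up
+wait_for:
+state: started
+port: 22
+host: "192.168.30.7"
+timeout: 300
+connect_timeout: 300
+search_regex: OpenSSH
+delegate_to: localhost
+- name: Wait for cloud-init to finish
+command:
+cmd: cloud-init status --wait
+register: cloudinit
+changed_when: "'..' in cloudinit.stdout"
+- name: Gather facts
+setup:
+- name: Copy resolv.conf
+copy:
+src: resolv.conf
+dest: /etc/resolv.conf
+- name: Update repositories
+apt:
+autoremove: true
+upgrade: yes
+state: latest
+update_cache: yes
+cache_valid_time: 86400 # One day
+- name: Install packages
+apt:
+pkg:
+- qemu-guest-agent
+- dnsutils
+
+roles:
+- dnsmasq
+- nsd
+- ssh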
104
main.tf
|
@ -1,6 +1,7 @@
|
|||
terraform {
|
||||
backend "pg" {
|
||||
schema_name = "dmz_dns"
|
||||
conn_str = "postgres://terraform@10.42.0.1/terraform_state"
|
||||
}
|
||||
|
||||
required_providers {
|
||||
|
@ -14,54 +15,63 @@ terraform {
|
|||
}
|
||||
|
||||
provider "libvirt" {
|
||||
uri = var.libvirt_endpoint
|
||||
uri = "qemu+ssh://root@atlas.lan/system"
|
||||
}
|
||||
|
||||
resource "libvirt_volume" "main_disk" {
|
||||
name = "${var.name}.iso"
|
||||
pool = "disk"
|
||||
size = 1024 * 1024 * 1024 * 15
|
||||
base_volume_name = "debian-bookworm.qcow2"
|
||||
base_volume_pool = "iso"
|
||||
}
|
||||
|
||||
resource "libvirt_cloudinit_disk" "cloudinit" {
|
||||
name = "${var.name}.iso"
|
||||
pool = "init"
|
||||
user_data = templatefile("cloud_init.cfg.tftpl", { name = var.name, admin_authorized_keys = var.admin_authorized_keys })
|
||||
network_config = templatefile("network_config.cfg.tftpl", { internal_ip = var.internal_ip })
|
||||
}
|
||||
|
||||
resource "libvirt_domain" "ubuntu" {
|
||||
name = var.name
|
||||
memory = 1024
|
||||
vcpu = 4
|
||||
autostart = true
|
||||
|
||||
disk {
|
||||
volume_id = libvirt_volume.main_disk.id
|
||||
}
|
||||
|
||||
network_interface {
|
||||
bridge = "dmzbr"
|
||||
hostname = var.name
|
||||
module "vm" {
|
||||
source = "git::https://git.pim.kunis.nl/home/tf-modules.git//debian"
|
||||
name = "hermes"
|
||||
use_host_cert = false
|
||||
fixed_address = "192.168.30.7/24"
|
||||
ansible_command = "ANSIBLE_ROLES_PATH=roles ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -u root -i '192.168.30.7,' hermes.yml"
|
||||
mac = "CA:FE:C0:FF:EE:07"
|
||||
}
|
||||
|
||||
cloudinit = libvirt_cloudinit_disk.cloudinit.id
|
||||
|
||||
provisioner "local-exec" {
|
||||
command = "ansible-playbook -e internal_ip=${var.internal_ip} -T 60 -u root -i ${var.ansible_inventory} ${var.ansible_playbook}"
|
||||
|
||||
environment = {
|
||||
ANSIBLE_HOST_KEY_CHECKING = "False"
|
||||
ANSIBLE_CONFIG = "${var.ansible_cfg}"
|
||||
}
|
||||
}
|
||||
|
||||
lifecycle {
|
||||
replace_triggered_by = [
|
||||
libvirt_cloudinit_disk.cloudinit.id
|
||||
]
|
||||
}
|
||||
}
|
||||
|
||||
# resource "libvirt_volume" "main_disk" {
|
||||
# name = "${var.name}.iso"
|
||||
# pool = "disk"
|
||||
# size = 1024 * 1024 * 1024 * 15
|
||||
# base_volume_name = "debian-bookworm.qcow2"
|
||||
# base_volume_pool = "iso"
|
||||
# }
|
||||
#
|
||||
# resource "libvirt_cloudinit_disk" "cloudinit" {
|
||||
# name = "${var.name}.iso"
|
||||
# pool = "init"
|
||||
# user_data = templatefile("cloud_init.cfg.tftpl", { name = var.name, admin_authorized_keys = var.admin_authorized_keys })
|
||||
# network_config = templatefile("network_config.cfg.tftpl", { internal_ip = var.internal_ip })
|
||||
# }
|
||||
#
|
||||
# resource "libvirt_domain" "ubuntu" {
|
||||
# name = var.name
|
||||
# memory = 1024
|
||||
# vcpu = 4
|
||||
# autostart = true
|
||||
#
|
||||
# disk {
|
||||
# volume_id = libvirt_volume.main_disk.id
|
||||
# }
|
||||
#
|
||||
# network_interface {
|
||||
# bridge = "dmzbr"
|
||||
# hostname = var.name
|
||||
# mac = "CA:FE:C0:FF:EE:07"
|
||||
# }
|
||||
#
|
||||
# cloudinit = libvirt_cloudinit_disk.cloudinit.id
|
||||
#
|
||||
# provisioner "local-exec" {
|
||||
# command = "ansible-playbook -e internal_ip=${var.internal_ip} -T 60 -u root -i ${var.ansible_inventory} ${var.ansible_playbook}"
|
||||
#
|
||||
# environment = {
|
||||
# ANSIBLE_HOST_KEY_CHECKING = "False"
|
||||
# ANSIBLE_CONFIG = "${var.ansible_cfg}"
|
||||
# }
|
||||
# }
|
||||
#
|
||||
# lifecycle {
|
||||
# replace_triggered_by = [
|
||||
# libvirt_cloudinit_disk.cloudinit.id
|
||||
# ]
|
||||
# }
|
||||
# }
|
||||
|
|
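Review bot: The `ansible_command` in the new `module "vm"` block runs the playbook with `ANSIBLE_HOST_KEY_CHECKING=False`, so the first SSH contact with the freshly created VM accepts whatever host key it presents; the old provisioner's `environment` block did the same, so this is carried over rather than introduced. The commit also adds a host CA under `roles/ssh`, which offers a pinning path: ship a known_hosts file with an `@cert-authority` line for `host_ca_key.pub` and point Ansible at it via `ANSIBLE_SSH_COMMON_ARGS='-o UserKnownHostsFile=<path>'`, assuming the image's host key can be signed before or during cloud-init; otherwise the setting stays and its first-contact risk deserves a comment next to it. The superseded `libvirt_volume`/`libvirt_cloudinit_disk`/`libvirt_domain` resources survive as a ~45-line commented block at the end of the file; git history keeps them, so the block can be deleted outright. Which of the two `uri` lines in `provider "libvirt"` is the added one is not recoverable from this rendering; if the hard-coded `qemu+ssh://root@atlas.lan/system` is the new side, it replaces a variable with a fixed root endpoint and deserves its own justification.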
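--- a/resolv.conf
+++ b/resolv.conf
@@ -0,0 +1 @@
+nameserver 192.168.30.1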
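--- a/roles/dnsmasq/files/dnsmasq.conf
+++ b/roles/dnsmasq/files/dnsmasq.conf
@@ -0,0 +1,44 @@
+# Disable /etc/resolv.conf
+no-resolv
+# Upstream DNS server
+server=192.168.30.1
+# Always serve .dmz locally
+local=/dmz/
+# Put all clients in the dmz domain
+dhcp-fqdn
+# Don't read /etc/hosts
+no-hosts
+# Domain is automatically added to if missing
+expand-hosts
+# Domain that is used for DHCP on this network
+domain=dmz
+# IPv4 DHCP range
+dhcp-range=192.168.30.100,192.168.30.200,15m
+# Predefined DHCP hosts
+dhcp-host=b8:27:eb:b9:ab:e2,esrom
+dhcp-host=b4:2e:99:77:1b:da,max,192.168.30.3
+dhcp-host=d8:5e:d3:47:33:6e,lewis
+# Advertise router
+dhcp-option=3,192.168.30.1
+# Always send the IPv6 DNS server address (this machine)
+dhcp-option=option6:dns-server,[2a02:58:19a:f730::1]
+# Advertise SLAAC for the given prefix
+dhcp-range=2a02:58:19a:f730::, ra-stateless, ra-names
+# Do not advertise default gateway via DHCPv6
+ra-param=*,0,0
+# Alias public IP address to local
+alias=84.245.14.149,192.168.30.3
+# Override DNS servers for our domains
+server=/pizzapim.nl/192.168.30.7
+server=/geokunis2.nl/192.168.30.7
+server=/pim.kunis.nl/192.168.30.7
+# Enable extended logging
+log-dhcp
+log-queries
+# Resolve dns.dmz to addresses on main NIC
+interface-name=hermes.dmz,ens3
+# Non-conventional port because we also run nsd on this machine
+port=5353
+# Override addresses of name servers
+address=/ns.pizzapim.nl/ns.geokunis2.nl/ns.pim.kunis.nl/192.168.30.7
+address=/ns.pizzapim.nl/ns.geokunis2.nl/ns.pim.kunis.nl/2a02:58:19a:f730:c8fe:c0ff:feff:ee07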
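Review bot: No `interface=`, `listen-address=` or `bind-interfaces` directive is set, so dnsmasq answers DNS on port 5353 and hands out DHCP leases on every interface the VM has, not only the `ens3` named in `interface-name=`; add `interface=ens3` together with `bind-interfaces` (or a `listen-address=` for the fixed address) to keep the DMZ resolver off any other attached network. The comment above `interface-name=hermes.dmz,ens3` still says `dns.dmz` and should read `# Resolve hermes.dmz to addresses on main NIC`. `log-queries` records every client lookup, which identifies which DMZ hosts resolve which names; useful for debugging, but worth a comment on retention.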
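--- a/roles/dnsmasq/tasks/main.yml
+++ b/roles/dnsmasq/tasks/main.yml
@@ -0,0 +1,18 @@
+- name: Install dnsmasq
+apt:
+name: dnsmasq
+- name: Disable systemd-resolved
+systemd:
+name: systemd-resolved
+enabled: false
+state: stopped
+- name: Copy dnsmasq configuration
+copy:
+src: "{{ role_path }}/files/dnsmasq.conf"
+dest: "/etc/dnsmasq.conf"
+register: config
+- name: Enable dnsmasq
+systemd:
+name: dnsmasq
+enabled: true
+state: "{{ 'restarted' if config.changed else 'started' }}"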
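Review bot: The `Copy dnsmasq configuration` task writes `/etc/dnsmasq.conf` unchecked, so a syntax error in `files/dnsmasq.conf` is only discovered when the restart at the end of the file fails and the DMZ is left without DNS and DHCP; add `validate: dnsmasq --test --conf-file=%s` to that `copy` task so a broken file is rejected before it replaces the old one. The `state: "{{ 'restarted' if config.changed else 'started' }}"` expression on `Enable dnsmasq` is the hand-rolled form of `notify:` plus a `Restart dnsmasq` handler, which reads more clearly and restarts once even if later tasks also touch the config. The file also lacks the leading `---` that `hermes.yml` uses.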
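--- a/roles/nsd/files/nsd.conf
+++ b/roles/nsd/files/nsd.conf
@@ -0,0 +1,26 @@
+server:
+ip-address: ens3
+port: 53
+server-count: 1
+verbosity: 1
+hide-version: yes
+zonesdir: "/etc/nsd/zones"
+ip-transparent: yes
+ip-freebind: yes
+
+zone:
+name: pim.kunis.nl
+zonefile: pim.kunis.nl
+
+zone:
+name: pizzapim.nl
+zonefile: pizzapim.nl
+provide-xfr: 87.253.155.96/27 NOKEY
+provide-xfr: 157.97.168.160/27 NOKEY
+
+
+zone:
+name: geokunis2.nl
+zonefile: geokunis2.nl
+provide-xfr: 87.253.155.96/27 NOKEY
+provide-xfr: 157.97.168.160/27 NOKEY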
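Review bot: The `provide-xfr` lines for `pizzapim.nl` and `geokunis2.nl` allow AXFR to two /27 ranges with `NOKEY`, so the source address is the only thing authenticating a transfer; if the secondary operator supports TSIG, a `key:` section and a keyed `provide-xfr` would bind transfers to a shared secret rather than an IP range. No `notify:` entries are configured, so the secondaries learn of changes only at the SOA refresh interval (1800 s in the zone files) — confirm that is intended. `pim.kunis.nl` has no `provide-xfr` at all, which matches its single `NS` record but leaves that zone served by this one VM.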
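--- a/roles/nsd/files/zones/geokunis2.nl
+++ b/roles/nsd/files/zones/geokunis2.nl
@@ -0,0 +1,28 @@
+$ORIGIN geokunis2.nl.
+$TTL 60
+
+geokunis2.nl. IN SOA ns.geokunis2.nl. niels.kunis.nl. 2023031700 1800 3600 1209600 3600
+NS ns.geokunis2.nl.
+NS ns0.transip.net.
+NS ns1.transip.nl.
+NS ns2.transip.eu.
+A 84.245.14.149
+AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda
+; MX 0 .
+; TXT "v=spf1 -all"
+CAA 0 issue "letsencrypt.org"
+mail IN A 84.245.14.149
+MX 10 mail.geokunis2.nl
+jenl IN A 217.123.41.225
+wg IN A 84.245.14.149
+wg IN AAAA 2a02:58:1:e::1afb
+wg4 IN A 84.245.14.149
+wg6 IN AAAA 2a02:58:1:e::1afb
+kms IN A 84.245.14.149
+files IN A 84.245.14.149
+files IN AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda
+_dmarc IN TXT "v=DMARC1; p=reject; fo=0; adkim=s; aspf=s; pct=100; rf=afrf; sp=reject"
+ns A 84.245.14.149
+AAAA 2a02:58:19a:f730:c8fe:c0ff:feff:ee07
+cyberchef IN A 84.245.14.149
+AAAA 2a02:58:19a:f730:c8fe:c0ff:feff:ee07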
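Review bot: The `MX 10 mail.geokunis2.nl` record has no trailing dot, so under `$ORIGIN geokunis2.nl.` the target is expanded to `mail.geokunis2.nl.geokunis2.nl.`; it should read `MX 10 mail.geokunis2.nl.`. This rendering has dropped leading whitespace, so the owner of that line is not visible: if it is blank it inherits `mail` from the preceding `mail IN A` line rather than the apex — verify the MX sits at the zone apex. The SPF record is commented out (`; TXT "v=spf1 -all"`) while `_dmarc` publishes `p=reject` with `aspf=s`; with no SPF and no DKIM selector in this file, mail sent as `@geokunis2.nl` fails DMARC, so either restore an SPF record or note that the domain is not meant to send mail.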
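--- a/roles/nsd/files/zones/pim.kunis.nl
+++ b/roles/nsd/files/zones/pim.kunis.nl
@@ -0,0 +1,22 @@
+$ORIGIN pim.kunis.nl.
+$TTL 60
+
+pim.kunis.nl. IN SOA ns.pim.kunis.nl. pim.kunis.nl. 2023031700 1800 3600 1209600 3600
+
+NS ns.pim.kunis.nl.
+A 84.245.14.149
+AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda
+TXT "v=spf1 ~all"
+
+_dmarc IN TXT "v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:wpux1bq8@ag.eu.dmarcian.com;"
+
+www IN A 84.245.14.149
+IN AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda
+ns IN A 84.245.14.149
+IN AAAA 2a02:58:19a:f730:c8fe:c0ff:feff:ee07
+
+social IN CNAME www.pim.kunis.nl.
+dav IN CNAME www.pim.kunis.nl.
+git IN CNAME www.pim.kunis.nl.
+meet IN CNAME www.pim.kunis.nl.
+rss IN CNAME www.pim.kunis.nl.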
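Review bot: The zone lists a single `NS ns.pim.kunis.nl.`, which resolves to this same VM (`ns IN A 84.245.14.149`), and `nsd.conf` configures no `provide-xfr` for it; unlike `pizzapim.nl` and `geokunis2.nl` there is no secondary, so an outage of this host takes the whole zone offline. Consider adding the same transip `NS` records and `provide-xfr` entries used for the other two zones. The zone also has no `CAA` record, whereas the other two restrict issuance to `letsencrypt.org`; `CAA 0 issue "letsencrypt.org"` at the apex would make the three consistent.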
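--- a/roles/nsd/files/zones/pizzapim.nl
+++ b/roles/nsd/files/zones/pizzapim.nl
@@ -0,0 +1,19 @@
+$ORIGIN pizzapim.nl.
+$TTL 60
+
+pizzapim.nl. IN SOA ns.pizzapim.nl. pim.kunis.nl. 2023031700 1800 3600 1209600 3600
+
+NS ns.pizzapim.nl.
+NS ns0.transip.net.
+NS ns1.transip.nl.
+NS ns2.transip.eu.
+A 84.245.14.149
+TXT "v=spf1 ~all"
+CAA 0 issue "letsencrypt.org"
+
+_dmarc IN TXT "v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:wpux1bq8@ag.eu.dmarcian.com;"
+
+social IN A 84.245.14.149
+AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda
+ns IN A 84.245.14.149
+AAAA 2a02:58:19a:f730:c8fe:c0ff:feff:ee07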
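--- a/roles/nsd/tasks/main.yml
+++ b/roles/nsd/tasks/main.yml
@@ -0,0 +1,18 @@
+- name: Install nsd
+apt:
+name: nsd
+- name: Copy nsd.conf
+copy:
+src: "{{ role_path }}/files/nsd.conf"
+dest: /etc/nsd/nsd.conf
+register: config
+- name: Copy zone directory
+copy:
+src: "{{ role_path }}/files/zones"
+dest: /etc/nsd
+register: zones
+- name: Enable nsd
+systemd:
+name: nsd
+enabled: true
+state: "{{ 'restarted' if config.changed or zones.changed else 'started' }}"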
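Review bot: `Copy nsd.conf` and `Copy zone directory` replace the live configuration with no check, so a typo surfaces only when the final `systemd` task restarts nsd and all three zones go dark; add `validate: nsd-checkconf %s` to the `nsd.conf` copy, and run `nsd-checkzone` on each zone (one `copy` per zone file with `validate`, or a separate check task after the directory copy) before restarting. As in `roles/dnsmasq/tasks/main.yml`, the `state: "{{ 'restarted' if config.changed or zones.changed else 'started' }}"` expression would be simpler as `notify:` on both copy tasks plus a `Restart nsd` handler.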
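--- a/roles/ssh/files/ca.sh
+++ b/roles/ssh/files/ca.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
+
+HOSTCAKEY=/root/.ssh/host_ca_key
+USERCAKEY=/root/.ssh/user_ca_key
+
+host() {
+PUBKEY="$2"
+HOST="$3"
+
+echo "$PUBKEY" > /tmp/"$HOST".pub
+ssh-keygen -h -s "$HOSTCAKEY" -I "$HOST" -n "$HOST" /tmp/"$HOST".pub
+cat /tmp/"$HOST"-cert.pub
+rm /tmp/"$HOST"*.pub
+}
+
+user() {
+PUBKEY="$2"
+HOST="$3"
+PRINCIPALS="$4"
+
+echo "$PUBKEY" > /tmp/"$HOST".pub
+ssh-keygen -s "$USERCAKEY" -I "$HOST" -n "$HOST","$PRINCIPALS" /tmp/"$HOST".pub
+cat /tmp/"$HOST"-cert.pub
+rm /tmp/"$HOST"*.pub
+}
+
+"$1" "$@"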
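Review bot: The dispatcher `"$1" "$@"` on the last line runs whatever the first argument names, so any command the caller supplies is executed by this root-owned script; restrict it to the two defined functions with a `case`. Both functions stage the key at `/tmp/"$HOST".pub` and clean up with `rm /tmp/"$HOST"*.pub`, a predictable path in a world-writable directory plus a glob that removes any file matching the prefix; a `mktemp -d` directory removed by an EXIT trap avoids both. Neither `ssh-keygen` call passes `-V`, so the issued host and user certificates never expire; a bounded validity such as `-V +52w` limits what a lost key can still do. `user()` needs the same three changes as `host()` below.
```shell
# … unchanged: shebang, set -euo pipefail, IFS, HOSTCAKEY/USERCAKEY …
WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

host() {
  PUBKEY="$2"
  HOST="$3"

  echo "$PUBKEY" > "$WORKDIR/$HOST.pub"
  ssh-keygen -h -s "$HOSTCAKEY" -I "$HOST" -n "$HOST" -V +52w "$WORKDIR/$HOST.pub"
  cat "$WORKDIR/$HOST-cert.pub"
}

# … unchanged: user() — same temp-dir and -V changes, keeps "$PRINCIPALS" …

case "$1" in
  host|user) "$1" "$@" ;;
  *) echo "usage: $0 {host|user} <pubkey> <name> [principals]" >&2; exit 1 ;;
esac
```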
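--- a/roles/ssh/files/keys/host_ca_key
+++ b/roles/ssh/files/keys/host_ca_key
@@ -0,0 +1,27 @@
+$ANSIBLE_VAULT;1.1;AES256
+65393830356161326338323139306466316362303835393833383633363431303639393835666538
+6639653036666261363236393832343236656531633261360a333664363033356432386439336630
+65336333666662633635316565363366353530653831383937616566386165346663393938386530
+3233613134343331350a363163383831396265646333336334366664353164386538313031393230
+61356239333863366665396131633039663161306536386636336631646238303164303565653331
+64353465633235396261333739643635306530333665313330633936643966363539646636376630
+32303233303437393662393161313330333331396666613133633964393335393035363536373464
+36323334393235626561333262373639353332663337393562356562656662373833633833636466
+65373739663764623962323630623866363563626536313436346532643332646238393237396439
+35623961336266333037636532663833653466346264326330616135346234643363636662396630
+30613132633237333633636361323937643338323738386231383561613237646436333336383562
+61316232393864316236616561333139626463373962303134366131653439656638636365633930
+33353565373066623763346139663238346237376461613834323839336533653936646532316437
+66303565346665303335656233663735333630643963656637363934626336323361356639616430
+32323133396165356237613062313864313534323364663232636566373332633461316461346435
+32663862353439653764616461646463336639646636333862663832656131356536666233396638
+63613439636432306164393737353033383661623733646231313238303863376362376334656262
+33336132373139333030333533633032353564336666663237333135376532396165653831663537
+32653836373034383965653431646137633638633465626164386638323466636238393665303964
+35366432643962613063326338373031393036643437663438356339386662303362333062343730
+65646535373833343831633164666563616561633833353739643963633265396561386462336234
+66323330363662653235333464623965653635323437613734366231386331363461643262366565
+37626536623832323162363862363632666164353138616362386562393530623265303936656364
+65633463363935393838333338303239333538393865653338396635393262623636616364323133
+66333165616364356235303431316232666330313933386331383435663939386331626635316537
+3964323534326563303636616135663137373365663365663931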
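--- a/roles/ssh/files/keys/host_ca_key.pub
+++ b/roles/ssh/files/keys/host_ca_key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAX2IhgHNxC6JTvLu9cej+iWuG+uJFMXn4AiRro9533x Host Certficate Authority for DMZ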
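--- a/roles/ssh/files/keys/user_ca_key
+++ b/roles/ssh/files/keys/user_ca_key
@@ -0,0 +1,27 @@
+$ANSIBLE_VAULT;1.1;AES256
+36306261333262396466633565653163323239396630653031343331653337376433356461613064
+3333316136343033396131356638666661623464333333310a636264616339363366386633663965
+64336437316366333363396162376337653537376365306638316166663437643731613935353137
+6138306232396134310a373962653330613331653830343766613435363339343438636665306633
+39633061303937313962323839336437653763336164616433353831646663393764373933306565
+38633335373863363437313531393530333562336430636261656564306563343537313264366436
+32653932356263333938386231333134303633333666343531616332376632343462316335643732
+30386465626533363333626162386331626436373935386537393335666437633166303838663264
+61353532306161343630303233336463376266366463313039343262656333663936333338373633
+31353361356232356637333466316634623739323335613433356362333565646138373838663034
+39363734623537633133393836323261353461623562386235646566303162373235623534383238
+33363264386438393563613639333336323963363733346665663430626335346334386233396236
+34636164653264386266393561303037646464646136313861343438636437626166333361613262
+66333333303139653639383963373731613639643837363639353264376230616264313930396434
+39303863653939613333323739363263383531333539333334306632323865646131653030356365
+38363530656131646431616661616137386161613033643664336661343531333933326339656636
+61356337393936623462323039343534656565353466353565653838666336306266313131316435
+39333739313262646462663531663234633066333033666461306434313166366533353865313530
+31326334383138383332366665383965633838636436646230323931646136336234636631313138
+33363062393632393830383231333166373032386163316633613061643166663266396131333838
+30316439373834356230633566323966376336363362346338323237343637393765323237373832
+61626432653935663230663261343037363037646539623330383235376231303738323132306131
+33646237633164356332366664353763623839623738633230613837356330393535346236383165
+35376631313332356164636336336439386432326337663436373661613264306135313961623434
+37386335663332613435626233333037316466363730623065633336666436343433326564333264
+6231373332643633346235663930616439653238396331626564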
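--- a/roles/ssh/files/keys/user_ca_key.pub
+++ b/roles/ssh/files/keys/user_ca_key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGKOClnK6/Hj8INjEgULY/lD2FM/nbiJHqaSXtEw4+Fj User Certificate Authority for DMZ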
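--- a/roles/ssh/tasks/main.yml
+++ b/roles/ssh/tasks/main.yml
@@ -0,0 +1,10 @@
+- name: Copy ca.sh
+copy:
+src: "{{ role_path }}/files/ca.sh"
+dest: /root/ca.sh
+mode: 755
+- name: Copy keys
+copy:
+src: "{{ role_path }}/files/keys/"
+dest: /root/.ssh/
+mode: preserve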
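Review bot: `mode: 755` on the `Copy ca.sh` task is an unquoted integer, which Ansible reads as decimal 755 (octal 1363) rather than `rwxr-xr-x`; write it as `mode: "0755"`. The `Copy keys` task installs the two vault-encrypted CA private keys into `/root/.ssh/` with `mode: preserve`, i.e. whatever mode the files carry in the checkout, which for git is typically `0644`; set `mode: "0600"` on that task so the CA keys are not world-readable (the `.pub` files are only read by root here, so the same mode is harmless). Note too that this places both CA private keys on the DMZ DNS host itself; if that is intended, it makes hermes the trust root for every DMZ SSH connection and is worth a comment in the role.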
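--- a/util/secret-service-client.sh
+++ b/util/secret-service-client.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+pass=`secret-tool lookup ansible_vault hermes`
+retval=$?
+
+if [ $retval -ne 0 ]; then
+read -s pass
+fi
+echo $pass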
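Review bot: The fallback path reads the password with `read -s pass`, which without `-r` drops backslashes from the secret, and `echo $pass` then emits it unquoted, subject to word splitting and globbing when the password contains spaces or `*`; if `secret-tool` fails while stdin is not a terminal, `read` fails silently and an empty line is printed, so Ansible proceeds with an empty vault password. Quote the output with `printf '%s\n' "$pass"`, use `read -rs`, and fail loudly when neither source is available; the backtick substitution can become `$(...)` at the same time.
```shell
#!/bin/bash
set -uo pipefail

if ! pass="$(secret-tool lookup ansible_vault hermes)"; then
  if [ -t 0 ]; then
    read -rs -p 'Vault password: ' pass
    echo >&2
  else
    echo "$0: no vault password in secret-tool and no terminal to prompt on" >&2
    exit 1
  fi
fi

printf '%s\n' "$pass"
```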