update to nixos 23.11

enable static IP for terraformed VMs restructure legacy code move hermes code to this repo don't use data disk for hermes leases
2023-12-17 16:22:22 +01:00 · 2023-12-17 16:22:22 +01:00 · 721623c8fc
commit 721623c8fc
parent 04e9ce3abb
28 changed files with 402 additions and 80 deletions
--- a/legacy/projects/hermes/ansible/roles/dnsmasq/files/dnsmasq.conf
+++ b/legacy/projects/hermes/ansible/roles/dnsmasq/files/dnsmasq.conf
@ -0,0 +1,51 @@
+# Disable /etc/resolv.conf
+no-resolv
+# Upstream DNS server
+server=192.168.30.1
+# Always serve .dmz locally
+local=/dmz/
+# Put all clients in the dmz domain
+dhcp-fqdn
+# Don't read /etc/hosts
+no-hosts
+# Domain is automatically added to if missing
+expand-hosts
+# Domain that is used for DHCP on this network
+domain=dmz
+# IPv4 DHCP range
+dhcp-authoritative
+dhcp-range=192.168.30.50,192.168.30.127,15m
+# Predefined DHCP hosts
+dhcp-host=b8:27:eb:b9:ab:e2,esrom
+dhcp-host=ca:fe:c0:ff:ee:03,max,192.168.30.3
+dhcp-host=ca:fe:c0:ff:ee:08,maestro,192.168.30.8
+dhcp-host=dc:a6:32:7b:e2:11,iris,192.168.30.9
+dhcp-host=ca:fe:c0:ff:ee:0a,thecloud,192.168.30.10
+dhcp-host=52:54:00:72:e0:9a,forum,192.168.30.11
+# Advertise router
+dhcp-option=3,192.168.30.1
+# Always send the IPv6 DNS server address (this machine)
+dhcp-option=option6:dns-server,[2a02:58:19a:f730::1]
+# Advertise SLAAC for the given prefix
+dhcp-range=2a02:58:19a:f730::, ra-stateless, ra-names
+# Do not advertise default gateway via DHCPv6
+ra-param=*,0,0
+# Alias public IP address to local
+alias=84.245.14.149,192.168.30.8
+# Override DNS servers for our domains
+server=/pizzapim.nl/192.168.30.7
+server=/geokunis2.nl/192.168.30.7
+server=/pim.kunis.nl/192.168.30.7
+server=/kun.is/192.168.30.7
+# Enable extended logging
+log-dhcp
+log-queries
+# Resolve hermes.dmz to addresses on main NIC
+interface-name=hermes.dmz,ens3
+# Non-conventional port because we also run nsd on this machine
+port=5353
+# Override addresses of name servers
+address=/ns.pizzapim.nl/ns.geokunis2.nl/ns.pim.kunis.nl/192.168.30.7
+address=/ns.pizzapim.nl/ns.geokunis2.nl/ns.pim.kunis.nl/2a02:58:19a:f730:c8fe:c0ff:feff:ee07
+# Advertise DNS server
+dhcp-option=option:dns-server,192.168.30.1
--- a/legacy/projects/hermes/ansible/roles/dnsmasq/tasks/main.yml
+++ b/legacy/projects/hermes/ansible/roles/dnsmasq/tasks/main.yml
@ -0,0 +1,18 @@
+- name: Install dnsmasq
+  apt:
+    name: dnsmasq
+- name: Disable systemd-resolved
+  systemd:
+    name: systemd-resolved
+    enabled: false
+    state: stopped
+- name: Copy dnsmasq configuration
+  copy:
+    src: "{{ role_path }}/files/dnsmasq.conf"
+    dest: "/etc/dnsmasq.conf"
+  register: config
+- name: Enable dnsmasq
+  systemd:
+    name: dnsmasq
+    enabled: true
+    state: "{{ 'restarted' if config.changed else 'started' }}"
--- a/legacy/projects/hermes/ansible/roles/powerdns/api.conf.j2
+++ b/legacy/projects/hermes/ansible/roles/powerdns/api.conf.j2
@ -0,0 +1,5 @@
+api=yes
+api-key={{ api_key }}
+webserver-address=0.0.0.0
+webserver-port=3000
+webserver-allow-from=0.0.0.0/0
--- a/legacy/projects/hermes/ansible/roles/powerdns/gpgsql.conf.j2
+++ b/legacy/projects/hermes/ansible/roles/powerdns/gpgsql.conf.j2
@ -0,0 +1,5 @@
+launch=gpgsql
+gpgsql-host=192.168.30.10
+gpgsql-dbname=powerdns
+gpgsql-user=powerdns
+gpgsql-password={{ postgresql_password }}
--- a/legacy/projects/hermes/ansible/roles/powerdns/handlers/main.yml
+++ b/legacy/projects/hermes/ansible/roles/powerdns/handlers/main.yml
@ -0,0 +1,4 @@
+- name: restart powerdns
+  systemd:
+    name: pdns
+    state: restarted
--- a/legacy/projects/hermes/ansible/roles/powerdns/overwrite.conf
+++ b/legacy/projects/hermes/ansible/roles/powerdns/overwrite.conf
@ -0,0 +1,4 @@
+local-address=192.168.30.7, 127.0.0.1, ::
+default-soa-content=ns.@ noreply.@ 0 10800 3600 604800 3600
+# allow zone transfers from Transip ip's. see also: https://www.transip.nl/knowledgebase/artikel/26-nameservers-instellen-transip-nameservers-secondary/
+allow-axfr-ips=87.253.155.96/27,157.97.168.160/27
--- a/legacy/projects/hermes/ansible/roles/powerdns/tasks/main.yml
+++ b/legacy/projects/hermes/ansible/roles/powerdns/tasks/main.yml
@ -0,0 +1,28 @@
+- name: Remove BIND powerdns config
+  file:
+    path: /etc/powerdns/pdns.d/bind.conf
+    state: absent
+  notify: restart powerdns
+
+- name: Copy postgresql powerdns config
+  template:
+    src: gpgsql.conf.j2
+    dest: /etc/powerdns/pdns.d/gpgsql.conf
+  notify: restart powerdns
+
+- name: Add API powerdns config
+  template:
+    src: api.conf.j2
+    dest: /etc/powerdns/pdns.d/api.conf
+  notify: restart powerdns
+
+- name: Overwrite powerdns config
+  copy:
+    src: overwrite.conf
+    dest: /etc/powerdns/pdns.d/overwrite.conf
+  notify: restart powerdns
+
+- name: Start powerdns
+  systemd:
+    name: pdns
+    state: started