Initial Commit

2021-12-11 22:46:32 +01:00
commit 8354baa32f
47 changed files with 1283 additions and 0 deletions
--- a/roles/bind_dhcp/defaults/main.yaml
+++ b/roles/bind_dhcp/defaults/main.yaml
@ -0,0 +1,90 @@
+---
+
+# dhcpd_interface: "enp7s0"
+# dhcpd_network_start: "192.168.181.0"
+# dhcpd_network_netmask: "255.255.255.0"
+# dhcpd_network_range: "192.168.181.20 192.168.181.200"
+
+# dhcpd_default_lease_time: "43200"
+# dhcpd_max_lease_time: "2168640000"
+# dhcpd_min_lease_time: "21600"
+
+# dhcpd_ddns_domainname: "linuxws2122.de"
+
+# dhcpd_option_broadcast_address: "192.168.181.255"
+# dhcpd_option_domain_name: "linuxws2122.de"
+# dhcpd_option_domain_name_servers: "192.168.181.1"
+# dhcpd_option_routers: "192.168.181.1"
+# dhcpd_option_subnet_mask: "255.255.255.0"
+
+
+# dhcpd_keys:
+# - name: dyndns
+#   algorithm: hmac-sha256
+#   secret: ""
+
+# dhcpd_zones:
+# - name: linuxws2122.de
+#   primary: "192.168.181.1"
+#   key: dyndns
+# - name: 181.168.192.in-addr.arpa
+#   primary: "192.168.181.1"
+#   key: dyndns
+
+
+# bind9_global_allow_query:
+# - "192.168.181.0/24"
+
+# bind9_keys:
+# - name: dyndns
+#   algorithm: hmac-sha512
+#   secret: "+7bISG4ktFi2ytU9WXvBX41ZlxxfW5G+sHKtetNlQjk="
+
+# bind9_listen_on_ipv4:
+# - "192.168.181.1"
+
+# bind9_listen_on_ipv6: []
+
+# bind9_forward_zones:
+# - allow_query:
+#   - "any"
+#   allow_update:
+#   - dyndns
+#   type: master
+#   origin: "linuxws2122.de."
+#   ttl: "3600"
+#   records:
+#   - name: "\t\t" # only for indention
+#     class: "IN"
+#     type: "SOA"
+#     value: "gateway.linuxws2122.de. hostmaster.linuxws2122.de. 2021092000 86400 7200 604800 3600"
+#   - name: "\t\t" # only for indention
+#     class: "IN"
+#     type: "NS"
+#     value: "gateway"
+#   - name: "gateway\t\t"
+#     class: "IN"
+#     type: "A"
+#     value: "192.168.181.1"
+
+# bind9_reverse_zones:
+# - allow_query:
+#   - "any"
+#   allow_update:
+#   - dyndns
+#   type: master
+#   origin: "181.168.192.IN-ADDR.ARPA."
+#   ttl: "3600"
+#   records:
+#   - name: "\t\t" # "\t" only for indention
+#     class: "IN"
+#     type: SOA
+#     value: "gateway.linuxws2122.de. hostmaster.linuxws2122.de. 2021092000 86400 7200 604800 3600"
+#   - name: "\t\t" # "\t" only for indention
+#     class: "IN"
+#     type: NS
+#     value: "gateway.linuxws2122.de."
+#   - name: "1\t\t" # "\t" only for indention
+#     class: "IN"
+#     type: A
+#     value: "gateway.linuxws2122.de."
--- a/roles/bind_dhcp/handlers/main.yaml
+++ b/roles/bind_dhcp/handlers/main.yaml
@ -0,0 +1,13 @@
+---
+
+- name: restart dhcpd
+  systemd:
+    name: dhcpd
+    state: restarted
+    daemon_reload: true
+
+- name: restart named
+  systemd:
+    name: named
+    state: restarted
+    daemon_reload: true
--- a/roles/bind_dhcp/tasks/bind9.yaml
+++ b/roles/bind_dhcp/tasks/bind9.yaml
@ -0,0 +1,36 @@
+---
+
+- name: create dhcp config dir
+  file:
+    path: /etc/named
+    owner: named
+    group: named
+    mode: 0755
+    state: directory
+
+- name: set up zones
+  template:
+    src: zone.j2
+    dest: /etc/named/{{ item.origin }}db
+    owner: named
+    group: named
+    mode: 0644
+  with_items:
+  - "{{ bind9_forward_zones }}"
+  - "{{ bind9_reverse_zones }}"
+  notify: restart named
+
+- name: set up global bind config
+  template:
+    src: named.conf.j2
+    dest: /etc/named.conf
+    owner: named
+    group: named
+    mode: 0644
+  notify: restart named
+
+- name: start and enabled named
+  systemd:
+    name: named
+    state: started
+    enabled: yes
--- a/roles/bind_dhcp/tasks/dhcpd.yaml
+++ b/roles/bind_dhcp/tasks/dhcpd.yaml
@ -0,0 +1,53 @@
+---
+
+- name: create dhcp config dir
+  file:
+    path: /etc/dhcp
+    owner: root
+    group: root
+    mode: 0755
+    state: directory
+
+- name: create dhcpd config
+  template:
+    src: dhcpd.conf.j2
+    dest: /etc/dhcp/dhcpd.conf
+    owner: root
+    group: root
+    mode: 0644
+
+- name: cleanup cache files
+  block:
+  - name: check if cache dir exists
+    stat:
+      path: /var/lib/dhcpd
+    register: cache_stats
+  - name: remove cache dir
+    file:
+      path: /var/lib/dhcpd/
+      state: absent
+    when: cache_stats.stat.exists
+  - name: create cache dir
+    file:
+      path: /var/lib/dhcpd/
+      owner: dhcpd
+      group: dhcpd
+      mode: 0755
+      state: directory
+  - name: create cache files
+    file:
+      path: "/var/lib/dhcpd/{{ item }}"
+      owner: dhcpd
+      group: dhcpd
+      mode: 0644
+      state: touch
+    with_items:
+    - dhcpd.leases
+    - dhcpd6.leases
+    notify: restart dhcpd
+
+- name: start and enable dhcpd
+  systemd:
+    name: dhcpd
+    state: started
+    enabled: yes
--- a/roles/bind_dhcp/tasks/main.yaml
+++ b/roles/bind_dhcp/tasks/main.yaml
@ -0,0 +1,15 @@
+---
+
+- name: install bind (named) and dependencies
+  yum:
+    name: "{{ item }}"
+  with_items:
+  - bind
+  - bind-utils
+  - dhcp-server
+
+- name: configure dhcpd server
+  include_tasks: dhcpd.yaml
+
+- name: configure bind9 server
+  include_tasks: bind9.yaml
--- a/roles/bind_dhcp/templates/dhcpd.conf.j2
+++ b/roles/bind_dhcp/templates/dhcpd.conf.j2
@ -0,0 +1,37 @@
+authoritative;
+ddns-update-style interim;
+ignore client-updates;
+
+{% for key in dhcpd_keys %}
+key "{{ key.name }}" {
+  algorithm {{ key.algorithm }};
+  secret "{{ key.secret }}";
+}
+{% endfor %}
+
+{% for zone in dhcpd_zones %}
+zone {{ zone.name }} {
+  primary {{ zone.primary }};
+  key "{{ zone.key }}";
+}
+{% endfor %}
+
+subnet {{ dhcpd_network_start }} netmask {{ dhcpd_network_netmask }} {
+  interface {{ dhcpd_interface }};
+
+  range {{ dhcpd_network_range }};
+
+  default-lease-time {{ dhcpd_default_lease_time }};
+  max-lease-time {{ dhcpd_max_lease_time }};
+  min-lease-time {{ dhcpd_min_lease_time }};
+
+  ddns-domainname "{{ dhcpd_ddns_domainname }}";
+
+  update-static-leases on;
+
+  option broadcast-address {{ dhcpd_option_broadcast_address }};
+  option domain-name "{{ dhcpd_option_domain_name }}";
+  option domain-name-servers {{ dhcpd_option_domain_name_servers }};
+  option routers {{ dhcpd_option_routers }};
+  option subnet-mask {{ dhcpd_option_subnet_mask }};
+}
--- a/roles/bind_dhcp/templates/named.conf.j2
+++ b/roles/bind_dhcp/templates/named.conf.j2
@ -0,0 +1,129 @@
+//
+// named.conf
+//
+// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
+// server as a caching only nameserver (as a localhost DNS resolver only).
+//
+// See /usr/share/doc/bind*/sample/ for example named configuration files.
+//
+
+options {
+  listen-on port 53 {
+{% for ip in bind9_listen_on_ipv4 %}
+    {{ ip }};
+{% endfor %}
+    127.0.0.1;
+  };
+
+  listen-on-v6 port 53 {
+{% for ip in bind9_listen_on_ipv6 %}
+    {{ ip }};
+{% endfor %}
+    ::1;
+  };
+
+  directory           "/var/named";
+  dump-file           "/var/named/data/cache_dump.db";
+  statistics-file     "/var/named/data/named_stats.txt";
+  memstatistics-file  "/var/named/data/named_mem_stats.txt";
+  secroots-file       "/var/named/data/named.secroots";
+  recursing-file      "/var/named/data/named.recursing";
+
+  allow-query {
+{% for ip in bind9_global_allow_query %}
+    {{ ip }};
+{% endfor %}
+    localhost;
+  };
+
+  /*
+   - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
+   - If you are building a RECURSIVE (caching) DNS server, you need to enable
+     recursion.
+   - If your recursive DNS server has a public IP address, you MUST enable access
+     control to limit queries to your legitimate users. Failing to do so will
+     cause your server to become part of large scale DNS amplification
+     attacks. Implementing BCP38 within your network would greatly
+     reduce such attack surface
+  */
+  recursion yes;
+
+  dnssec-validation yes;
+
+  managed-keys-directory "/var/named/dynamic";
+  geoip-directory "/usr/share/GeoIP";
+
+  pid-file "/run/named/named.pid";
+  session-keyfile "/run/named/session.key";
+
+  /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
+  include "/etc/crypto-policies/back-ends/bind.config";
+};
+
+logging {
+  channel default_debug {
+    file "data/named.run";
+    severity dynamic;
+  };
+};
+
+zone "." IN {
+  type hint;
+  file "named.ca";
+};
+
+{% for zone in bind9_forward_zones %}
+zone "{{ zone.origin }}" {
+
+  allow-query {
+{% for entry in zone.allow_query %}
+    {{ entry }};
+{% endfor %}
+  };
+
+  allow-update {
+{% for entry in zone.allow_update %}
+    key {{ entry }};
+{% endfor %}
+  };
+
+  file "/etc/named/{{ zone.origin }}db";
+
+  type {{ zone.type }};
+
+};
+{% endfor %}
+
+
+
+{% for zone in bind9_reverse_zones %}
+zone "{{ zone.origin }}" {
+
+  allow-query {
+{% for entry in zone.allow_query %}
+    {{ entry }};
+{% endfor %}
+  };
+
+  allow-update {
+{% for entry in zone.allow_update %}
+    key {{ entry }};
+{% endfor %}
+  };
+
+  file "/etc/named/{{ zone.origin }}db";
+
+  type {{ zone.type }};
+
+};
+{% endfor %}
+
+{% for key in bind9_keys %}
+key "{{ key.name }}" {
+  algorithm {{ key.algorithm }};
+  secret "{{ key.secret }}";
+};
+{% endfor %}
+
+include "/etc/named.rfc1912.zones";
+include "/etc/named.root.key";
--- a/roles/bind_dhcp/templates/zone.j2
+++ b/roles/bind_dhcp/templates/zone.j2
@ -0,0 +1,6 @@
+$ORIGIN {{ item.origin }}
+$TTL {{ item.ttl }}
+
+{% for record in item.records %}
+{{ record.name }} {{ record.class | default('IN') }} {{ record.type | default('A') }} {{ record.value }}
+{% endfor %}