diff options
author | Christian Pointner <equinox@spreadspace.org> | 2024-06-04 23:42:17 +0200 |
---|---|---|
committer | Christian Pointner <equinox@spreadspace.org> | 2024-06-04 23:42:17 +0200 |
commit | 06bfc41a5ce11b42040a4234c938582f1fab320e (patch) | |
tree | 2ec5fe23e23540a9decbebc7adbde7699396a9c4 /roles | |
parent | make base url for some repos configurable (diff) |
install coredns to ch-iot
Diffstat (limited to 'roles')
-rw-r--r-- | roles/installer/raspios/image/templates/firstrun.sh.j2 | 3 | ||||
-rw-r--r-- | roles/network/coredns/defaults/main.yml | 5 | ||||
-rw-r--r-- | roles/network/coredns/handlers/main.yml | 5 | ||||
-rw-r--r-- | roles/network/coredns/tasks/main.yml | 40 | ||||
-rw-r--r-- | roles/network/coredns/templates/coredns.service.j2 | 32 |
5 files changed, 82 insertions, 3 deletions
diff --git a/roles/installer/raspios/image/templates/firstrun.sh.j2 b/roles/installer/raspios/image/templates/firstrun.sh.j2 index 05f9639d..ef90cf8b 100644 --- a/roles/installer/raspios/image/templates/firstrun.sh.j2 +++ b/roles/installer/raspios/image/templates/firstrun.sh.j2 @@ -88,9 +88,6 @@ systemctl disable wpa_supplicant.service rfkill unblock wlan ifup {{ network.primary.name }} {% endif %} -{% for host in (network.static_hostnames | default([])) %} -echo "{{ host.address }} {{ host.names | join(' ') }}" >> /etc/hosts -{% endfor %} {% if ansible_port != 22 %} sed -e 's/^\s*#*\s*Port\s\s*[0-9][0-9]*$/Port {{ ansible_port }}/' -i /etc/ssh/sshd_config diff --git a/roles/network/coredns/defaults/main.yml b/roles/network/coredns/defaults/main.yml new file mode 100644 index 00000000..b5294aa2 --- /dev/null +++ b/roles/network/coredns/defaults/main.yml @@ -0,0 +1,5 @@ +--- +# coredns_config: | +# . { +# whoami +# } diff --git a/roles/network/coredns/handlers/main.yml b/roles/network/coredns/handlers/main.yml new file mode 100644 index 00000000..13f60711 --- /dev/null +++ b/roles/network/coredns/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: reload coredns + service: + name: coredns + state: reloaded diff --git a/roles/network/coredns/tasks/main.yml b/roles/network/coredns/tasks/main.yml new file mode 100644 index 00000000..a0cfa6c5 --- /dev/null +++ b/roles/network/coredns/tasks/main.yml @@ -0,0 +1,40 @@ +--- +- name: install coredns + apt: + name: coredns + state: present + +- name: create coredns user + user: + name: coredns + home: /nonexistent + shell: /usr/sbin/nologin + create_home: no + system: yes + state: present + +- name: create coredns config directory + file: + path: /etc/coredns + state: directory + +- name: generate Corefile + copy: + content: | + # ansible managed + + {{ coredns_config }} + dest: /etc/coredns/Corefile + notify: reload coredns + +- name: install systemd service unit + template: + src: coredns.service.j2 + dest: /etc/systemd/system/coredns.service + +- name: make sure coredns is enabled started + systemd: + daemon_reload: yes + name: coredns.service + enabled: yes + state: started diff --git a/roles/network/coredns/templates/coredns.service.j2 b/roles/network/coredns/templates/coredns.service.j2 new file mode 100644 index 00000000..327f930b --- /dev/null +++ b/roles/network/coredns/templates/coredns.service.j2 @@ -0,0 +1,32 @@ +[Unit] +Description=Coredns +After=network-online.target +Wants=network-online.target + +[Service] +Restart=always +User=coredns +ExecStart=/usr/bin/coredns -conf /etc/coredns/Corefile +ExecReload=/bin/kill -USR1 $MAINPID + +# systemd hardening-options +AmbientCapabilities=CAP_NET_BIND_SERVICE +CapabilityBoundingSet=CAP_NET_BIND_SERVICE +DeviceAllow=/dev/null rw +DevicePolicy=strict +LockPersonality=true +MemoryDenyWriteExecute=true +NoNewPrivileges=true +PrivateTmp=true +ProtectControlGroups=true +ProtectHome=true +ProtectKernelModules=true +ProtectKernelTunables=true +ProtectSystem=strict +RemoveIPC=true +RestrictNamespaces=true +RestrictRealtime=true +SystemCallArchitectures=native + +[Install] +WantedBy=multi-user.target |