authorChristian Pointner <equinox@spreadspace.org>2024-06-04 23:42:17 +0200
committerChristian Pointner <equinox@spreadspace.org>2024-06-04 23:42:17 +0200
commit06bfc41a5ce11b42040a4234c938582f1fab320e (patch)
tree2ec5fe23e23540a9decbebc7adbde7699396a9c4 /roles
parentmake base url for some repos configurable (diff)
install coredns to ch-iot
Diffstat (limited to 'roles')
-rw-r--r--roles/installer/raspios/image/templates/firstrun.sh.j23
-rw-r--r--roles/network/coredns/defaults/main.yml5
-rw-r--r--roles/network/coredns/handlers/main.yml5
-rw-r--r--roles/network/coredns/tasks/main.yml40
-rw-r--r--roles/network/coredns/templates/coredns.service.j232
5 files changed, 82 insertions, 3 deletions
diff --git a/roles/installer/raspios/image/templates/firstrun.sh.j2 b/roles/installer/raspios/image/templates/firstrun.sh.j2
index 05f9639d..ef90cf8b 100644
--- a/roles/installer/raspios/image/templates/firstrun.sh.j2
+++ b/roles/installer/raspios/image/templates/firstrun.sh.j2
@@ -88,9 +88,6 @@ systemctl disable wpa_supplicant.service
rfkill unblock wlan
ifup {{ network.primary.name }}
{% endif %}
-{% for host in (network.static_hostnames | default([])) %}
-echo "{{ host.address }} {{ host.names | join(' ') }}" >> /etc/hosts
-{% endfor %}
{% if ansible_port != 22 %}
sed -e 's/^\s*#*\s*Port\s\s*[0-9][0-9]*$/Port {{ ansible_port }}/' -i /etc/ssh/sshd_config
diff --git a/roles/network/coredns/defaults/main.yml b/roles/network/coredns/defaults/main.yml
new file mode 100644
index 00000000..b5294aa2
--- /dev/null
+++ b/roles/network/coredns/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+# coredns_config: |
+# . {
+# whoami
+# }
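Review bot: `coredns_config` is only present here as a commented-out example, so the role ships with the variable undefined while tasks/main.yml renders `{{ coredns_config }}` unconditionally; a host that does not set it fails at "generate Corefile" with a generic undefined-variable error instead of a clear message. If the variable is meant to be mandatory, a guard at the top of tasks/main.yml such as `assert: { that: coredns_config is defined, fail_msg: "coredns_config must be set" }` makes that contract explicit, and a comment here like `# coredns_config (required): literal Corefile contents for this host` documents it. If a working default is intended instead, the example should be uncommented into a real value rather than left as a comment.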
diff --git a/roles/network/coredns/handlers/main.yml b/roles/network/coredns/handlers/main.yml
new file mode 100644
index 00000000..13f60711
--- /dev/null
+++ b/roles/network/coredns/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: reload coredns
+ service:
+ name: coredns
+ state: reloaded
diff --git a/roles/network/coredns/tasks/main.yml b/roles/network/coredns/tasks/main.yml
new file mode 100644
index 00000000..a0cfa6c5
--- /dev/null
+++ b/roles/network/coredns/tasks/main.yml
@@ -0,0 +1,40 @@
+---
+- name: install coredns
+ apt:
+ name: coredns
+ state: present
+
+- name: create coredns user
+ user:
+ name: coredns
+ home: /nonexistent
+ shell: /usr/sbin/nologin
+ create_home: no
+ system: yes
+ state: present
+
+- name: create coredns config directory
+ file:
+ path: /etc/coredns
+ state: directory
+
+- name: generate Corefile
+ copy:
+ content: |
+ # ansible managed
+
+ {{ coredns_config }}
+ dest: /etc/coredns/Corefile
+ notify: reload coredns
+
+- name: install systemd service unit
+ template:
+ src: coredns.service.j2
+ dest: /etc/systemd/system/coredns.service
+
+- name: make sure coredns is enabled started
+ systemd:
+ daemon_reload: yes
+ name: coredns.service
+ enabled: yes
+ state: started
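Review bot: The "install systemd service unit" task has no `notify`, so a later change to coredns.service.j2 is written to disk and picked up by `daemon_reload: yes`, but the running service keeps the old unit (including its hardening settings) until something unrelated restarts it; the task should carry `notify: restart coredns`, backed by a `restart coredns` handler in handlers/main.yml that mirrors the existing reload handler with `state: restarted`. The "generate Corefile" copy task also sets no `owner`/`group`/`mode`, so the Corefile's permissions depend on the remote umask; since the service runs as `coredns`, pinning them (e.g. `owner: root`, `group: coredns`, `mode: "0640"`) keeps the file root-managed and readable by the daemon even if the config later contains credentials — whether that applies depends on the plugins used, which this hunk does not show. As a style point, `create_home: no`, `system: yes`, `daemon_reload: yes` and `enabled: yes` are YAML 1.1 truthy words; `true`/`false` are the canonical forms and keep yamllint quiet.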
diff --git a/roles/network/coredns/templates/coredns.service.j2 b/roles/network/coredns/templates/coredns.service.j2
new file mode 100644
index 00000000..327f930b
--- /dev/null
+++ b/roles/network/coredns/templates/coredns.service.j2
@@ -0,0 +1,32 @@
+[Unit]
+Description=Coredns
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Restart=always
+User=coredns
+ExecStart=/usr/bin/coredns -conf /etc/coredns/Corefile
+ExecReload=/bin/kill -USR1 $MAINPID
+
+# systemd hardening-options
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+DeviceAllow=/dev/null rw
+DevicePolicy=strict
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateTmp=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target
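Review bot: The hardening block lacks the network- and syscall-scoped directives that usually accompany this set, so the service can still open sockets of any address family and call any syscall despite the reduced capability set; for a DNS daemon that only needs IP sockets, `RestrictAddressFamilies=` and `SystemCallFilter=@system-service` narrow the attack surface considerably, and `RestrictSUIDSGID`, `ProtectKernelLogs`, `ProtectClock`, `ProtectHostname` and `ProtectProc=invisible` round out what is already there. AF_UNIX is kept below in case a plugin logs or forwards over a local socket — which plugins the Corefile enables is not visible in this commit, so the exact family list should be confirmed against the deployed config before tightening further. These lines would go under the existing `# systemd hardening-options` comment.
```ini
# systemd hardening-options
# … unchanged: AmbientCapabilities … SystemCallArchitectures …
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictSUIDSGID=true
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
ProtectKernelLogs=true
ProtectClock=true
ProtectHostname=true
ProtectProc=invisible
```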