-rw-r--r--chaos-at-home/ch-iot.yml1
-rw-r--r--inventory/group_vars/chaos-at-home/network.yml2
-rw-r--r--inventory/host_vars/ch-cm4-sensors0.yml5
-rw-r--r--inventory/host_vars/ch-cm4-sensors1.yml5
-rw-r--r--inventory/host_vars/ch-iot.yml10
-rw-r--r--roles/installer/raspios/image/templates/firstrun.sh.j23
-rw-r--r--roles/network/coredns/defaults/main.yml5
-rw-r--r--roles/network/coredns/handlers/main.yml5
-rw-r--r--roles/network/coredns/tasks/main.yml40
-rw-r--r--roles/network/coredns/templates/coredns.service.j232
10 files changed, 97 insertions, 11 deletions
diff --git a/chaos-at-home/ch-iot.yml b/chaos-at-home/ch-iot.yml
index 86e78956..57d37a3e 100644
--- a/chaos-at-home/ch-iot.yml
+++ b/chaos-at-home/ch-iot.yml
@@ -14,6 +14,7 @@
- role: apt-repo/spreadspace
- role: x509/managed-ca/base
- role: x509/managed-ca/ca
+ - role: network/coredns
- role: mosquitto/broker
- role: nginx/base
- role: monitoring/prometheus/exporter
diff --git a/inventory/group_vars/chaos-at-home/network.yml b/inventory/group_vars/chaos-at-home/network.yml
index f8956a47..9b53d52a 100644
--- a/inventory/group_vars/chaos-at-home/network.yml
+++ b/inventory/group_vars/chaos-at-home/network.yml
@@ -59,6 +59,8 @@ network_zones:
iot:
vlan: 30
prefix: 192.168.30.0/24
+ dns:
+ - 192.168.30.254
wifi:
ssid: "stuff at home"
#encryption: "sae-mixed"
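Review bot: The resolver address added to the `iot` zone, `192.168.30.254`, is a hard-coded literal, while the addresses of hosts in this zone are elsewhere derived from `network_zones.iot.offsets` (see the `offsets['ch-iot']` expressions in the ch-iot.yml and ch-cm4-sensors hunks); presumably this is the coredns instance on ch-iot that the commit introduces, and if that offset ever changes the `dns` entry silently keeps pointing at the old address. Deriving it from the same dict may not template cleanly inside group_vars, so at minimum tie the two together with a comment above the entry such as `# must match offsets['ch-iot']: the coredns resolver on ch-iot`. Consider also listing a second resolver here, since every host that consumes `network_zones.iot.dns` in this commit gets this single address as its only nameserver.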
diff --git a/inventory/host_vars/ch-cm4-sensors0.yml b/inventory/host_vars/ch-cm4-sensors0.yml
index 4b65b1f0..7f7982f1 100644
--- a/inventory/host_vars/ch-cm4-sensors0.yml
+++ b/inventory/host_vars/ch-cm4-sensors0.yml
@@ -3,15 +3,12 @@ raspios_variant: lite
raspios_arch: arm64
network:
+ nameservers: "{{ network_zones.iot.dns }}"
primary: &_network_primary_
name: eth0
address: "{{ network_zones.iot.prefix | ansible.utils.ipaddr(network_zones.iot.offsets[inventory_hostname]) }}"
interfaces:
- *_network_primary_
- static_hostnames:
- - address: "{{ network_zones.iot.prefix | ansible.utils.ipaddr(network_zones.iot.offsets['ch-iot']) | ansible.utils.ipaddr('address') }}"
- names:
- - apt.chaos-at-home.org
raspios_boot_config:
- regexp: '^#?dtparam=i2c_arm'
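Review bot: With `nameservers: "{{ network_zones.iot.dns }}"` replacing the `static_hostnames` entry, resolution of `apt.chaos-at-home.org` on this host now depends entirely on the coredns instance on ch-iot being reachable, and the zone's `dns` list as added in this commit holds a single address with no fallback; the identical change appears in inventory/host_vars/ch-cm4-sensors1.yml. A first boot or an apt run while ch-iot is down will then fail where the previous /etc/hosts entry kept working, which may well be acceptable for these sensors but should be a deliberate decision; a comment like `# resolver is coredns on ch-iot, which serves apt.chaos-at-home.org from its hosts block` records it. The two sensor host_vars files are byte-identical in this hunk, so the shared `network` stanza looks like a candidate for a group_vars file rather than being duplicated per host.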
diff --git a/inventory/host_vars/ch-cm4-sensors1.yml b/inventory/host_vars/ch-cm4-sensors1.yml
index 4b65b1f0..7f7982f1 100644
--- a/inventory/host_vars/ch-cm4-sensors1.yml
+++ b/inventory/host_vars/ch-cm4-sensors1.yml
@@ -3,15 +3,12 @@ raspios_variant: lite
raspios_arch: arm64
network:
+ nameservers: "{{ network_zones.iot.dns }}"
primary: &_network_primary_
name: eth0
address: "{{ network_zones.iot.prefix | ansible.utils.ipaddr(network_zones.iot.offsets[inventory_hostname]) }}"
interfaces:
- *_network_primary_
- static_hostnames:
- - address: "{{ network_zones.iot.prefix | ansible.utils.ipaddr(network_zones.iot.offsets['ch-iot']) | ansible.utils.ipaddr('address') }}"
- names:
- - apt.chaos-at-home.org
raspios_boot_config:
- regexp: '^#?dtparam=i2c_arm'
diff --git a/inventory/host_vars/ch-iot.yml b/inventory/host_vars/ch-iot.yml
index 3772e9a6..0aca3e57 100644
--- a/inventory/host_vars/ch-iot.yml
+++ b/inventory/host_vars/ch-iot.yml
@@ -49,7 +49,17 @@ ntp_server:
- "{{ network_zones.iot.prefix }}"
+coredns_config: |
+ . {
+ hosts {
+ {{ network_zones.iot.prefix | ansible.utils.ipaddr(network_zones.iot.offsets['ch-iot']) | ansible.utils.ipaddr('address') }} apt.chaos-at-home.org
+ no_reverse
+ }
+ }
+
+
spreadspace_apt_repo_components:
+ - main
- prometheus
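Review bot: The `coredns_config` server block for `.` contains only the `hosts` plugin, with no `fallthrough` on it and no `forward` to an upstream resolver, so every query for a name other than `apt.chaos-at-home.org` gets a negative answer; since the sensor hosts in this commit use this instance as their only nameserver, they can resolve nothing else. If that closed-world policy for the IoT zone is intended, say so above the block, e.g. `# deliberately no forward: IoT clients only need to resolve apt.chaos-at-home.org`; otherwise add a `forward . <upstream resolver>` line after the `hosts` block and add `fallthrough` inside it. The two empty `+` lines after the block scalar leave two consecutive blank lines before `spreadspace_apt_repo_components` where one would do.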
diff --git a/roles/installer/raspios/image/templates/firstrun.sh.j2 b/roles/installer/raspios/image/templates/firstrun.sh.j2
index 05f9639d..ef90cf8b 100644
--- a/roles/installer/raspios/image/templates/firstrun.sh.j2
+++ b/roles/installer/raspios/image/templates/firstrun.sh.j2
@@ -88,9 +88,6 @@ systemctl disable wpa_supplicant.service
rfkill unblock wlan
ifup {{ network.primary.name }}
{% endif %}
-{% for host in (network.static_hostnames | default([])) %}
-echo "{{ host.address }} {{ host.names | join(' ') }}" >> /etc/hosts
-{% endfor %}
{% if ansible_port != 22 %}
sed -e 's/^\s*#*\s*Port\s\s*[0-9][0-9]*$/Port {{ ansible_port }}/' -i /etc/ssh/sshd_config
diff --git a/roles/network/coredns/defaults/main.yml b/roles/network/coredns/defaults/main.yml
new file mode 100644
index 00000000..b5294aa2
--- /dev/null
+++ b/roles/network/coredns/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+# coredns_config: |
+# . {
+# whoami
+# }
diff --git a/roles/network/coredns/handlers/main.yml b/roles/network/coredns/handlers/main.yml
new file mode 100644
index 00000000..13f60711
--- /dev/null
+++ b/roles/network/coredns/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: reload coredns
+ service:
+ name: coredns
+ state: reloaded
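Review bot: The only handler is `reload coredns`, but the `install systemd service unit` task in roles/network/coredns/tasks/main.yml (the hunk that follows) has no handler to notify, so a changed coredns.service.j2 is written to disk and daemon-reloaded yet never applied to the already running service until something restarts it. Add a `restart coredns` handler here and `notify: restart coredns` on that template task. As a point of style the handler uses the `service` module while the tasks use `systemd`; using `systemd` in both keeps the role consistent. Note too that, as far as I recall, CoreDNS keeps serving its old configuration when a SIGUSR1 reload hits an unparsable Corefile, so a broken config notified through `reload coredns` only shows up in the journal, not in the play result.
```yaml
- name: restart coredns
  systemd:
    name: coredns.service
    state: restarted
```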
diff --git a/roles/network/coredns/tasks/main.yml b/roles/network/coredns/tasks/main.yml
new file mode 100644
index 00000000..a0cfa6c5
--- /dev/null
+++ b/roles/network/coredns/tasks/main.yml
@@ -0,0 +1,40 @@
+---
+- name: install coredns
+ apt:
+ name: coredns
+ state: present
+
+- name: create coredns user
+ user:
+ name: coredns
+ home: /nonexistent
+ shell: /usr/sbin/nologin
+ create_home: no
+ system: yes
+ state: present
+
+- name: create coredns config directory
+ file:
+ path: /etc/coredns
+ state: directory
+
+- name: generate Corefile
+ copy:
+ content: |
+ # ansible managed
+
+ {{ coredns_config }}
+ dest: /etc/coredns/Corefile
+ notify: reload coredns
+
+- name: install systemd service unit
+ template:
+ src: coredns.service.j2
+ dest: /etc/systemd/system/coredns.service
+
+- name: make sure coredns is enabled started
+ systemd:
+ daemon_reload: yes
+ name: coredns.service
+ enabled: yes
+ state: started
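Review bot: `coredns_config` is consumed unconditionally in the `generate Corefile` task, but defaults/main.yml (earlier hunk) only carries it as a commented example, so a host that applies the role without defining it fails inside the `copy` task with a generic undefined-variable error; an explicit `assert` at the top of the task list gives a clear message instead. The Corefile and its directory are written without an explicit `owner`/`group`/`mode`; since the unit runs as the `coredns` user, stating `owner: root`, `group: root`, `mode: "0644"` documents that the service may read but not modify its own configuration rather than relying on the controller's umask. The `create coredns user` and `make sure coredns is enabled started` tasks use `yes`/`no` for booleans; `true`/`false` avoids the YAML 1.1 truthy ambiguity that yamllint flags.
```yaml
- name: make sure coredns_config is defined
  assert:
    that:
      - coredns_config is defined
    fail_msg: "coredns_config must be set in host_vars or group_vars (see defaults/main.yml for an example)"

# … unchanged: install coredns, create coredns user, create coredns config directory …

- name: generate Corefile
  copy:
    content: |
      # ansible managed

      {{ coredns_config }}
    dest: /etc/coredns/Corefile
    owner: root
    group: root
    mode: "0644"
  notify: reload coredns

# … unchanged: install systemd service unit, make sure coredns is enabled started …
```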
diff --git a/roles/network/coredns/templates/coredns.service.j2 b/roles/network/coredns/templates/coredns.service.j2
new file mode 100644
index 00000000..327f930b
--- /dev/null
+++ b/roles/network/coredns/templates/coredns.service.j2
@@ -0,0 +1,32 @@
+[Unit]
+Description=Coredns
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Restart=always
+User=coredns
+ExecStart=/usr/bin/coredns -conf /etc/coredns/Corefile
+ExecReload=/bin/kill -USR1 $MAINPID
+
+# systemd hardening-options
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+DeviceAllow=/dev/null rw
+DevicePolicy=strict
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateTmp=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+RemoveIPC=true
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target
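Review bot: The hardening block leaves the network and syscall surface of a daemon listening on the IoT VLAN unconstrained: there is no `RestrictAddressFamilies=` and no `SystemCallFilter=`, and `ProtectKernelLogs=`, `ProtectClock=`, `ProtectHostname=` and `RestrictSUIDSGID=` are absent too, although the options that are listed suggest the author went through systemd.exec(5) deliberately. CoreDNS needs only IPv4/IPv6 sockets plus AF_UNIX for the journal and resolver sockets, and a Go binary generally runs fine under `@system-service`, but verify the first start in the journal after adding the lines below. If I remember correctly the upstream CoreDNS unit also raises `LimitNOFILE`, which this one leaves at the default; low priority for a resolver with a handful of clients, but worth a note.
```ini
# … unchanged: [Unit] section and the [Service] lines up to SystemCallArchitectures …
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
ProtectKernelLogs=true
ProtectClock=true
ProtectHostname=true
RestrictSUIDSGID=true
# … unchanged: [Install] section …
```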