


vincent
abd2826fab update wireguard DNS
2023-10-18 20:05:43 +02:00
vincent
ddd9a331fd fix second dhcp IP 2023-10-18 19:21:08 +02:00
vincent
a6891024f8 disable DNSSEC 2023-10-18 19:21:08 +02:00
vincent
39926f0fe8 move vagrant domain 2023-10-18 19:21:08 +02:00
vincent
60dcadb0ac create config powerdns 2023-10-18 19:21:08 +02:00
10 changed files with 69 additions and 5 deletions

Vagrantfile vendored

@ -3,7 +3,7 @@ Vagrant.configure('2') do |config|
config.cache.scope = 'machine' config.cache.scope = 'machine'
end end
config.vm.provider :libvirt do |libvirt| config.vm.provider :libvirt do |libvirt|
libvirt.management_network_domain = "ducamps-dev.win" libvirt.management_network_domain = "ducamps-dev.eu"
end end
config.vm.define "oscar-dev" do |c| config.vm.define "oscar-dev" do |c|

ansible/group_vars/DNS Normal file

@ -0,0 +1,20 @@
pdns_config:
local-address: "127.0.0.1"
local-port: "5300"
api: yes
api-key:
pdns_backends:
gsqlite3:
dnssec: yes
database: "/var/lib/powerdns/powerdns.sqlite"
pdns_sqlite_databases_locations:
- "/var/lib/powerdns/powerdns.sqlite"
pdns_rec_config:
forward-zones:
- "consul=127.0.0.1:8600"
- "ducamps.win=192.168.1.10"
- "ducamps.eu=192.168.1.10"
local-address: "{{ ansible_default_ipv4.address }}"
dnssec: "off"
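Review bot: `api: yes` turns on the PowerDNS authoritative HTTP API while `api-key:` is left empty, so the API is enabled with no credential configured; either leave `api` off until the authoritative server is actually deployed (the playbook in this commit only applies the recursor role) or source the key from vault, e.g. `api-key: "{{ vault_pdns_api_key }}"`. An empty YAML value is null, so what the role renders into pdns.conf depends on its template — check the rendered file rather than assuming `api-key=`. Separately, `dnssec: "off"` on the recursor disables validation for every client now pointed at this resolver (DHCP and WireGuard peers in the same commit); if it was switched off to work around the forwarded `ducamps.win`/`ducamps.eu` zones, a comment such as `# DNSSEC validation disabled: forwarded zones on 192.168.1.10 are unsigned; re-enable after the authoritative migration` records the reason so it is not carried forward blindly. Prefer `true`/`false` over `yes` for `api` and `dnssec` so the values are unambiguous across YAML 1.1/1.2 parsers and match the quoted `"off"` style used below.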


@ -3,7 +3,7 @@ dhcpd_lease_time: '72'
dhcpd_domain_name: "lan.{{ domain.name }}" dhcpd_domain_name: "lan.{{ domain.name }}"
dhcpd_nameservers: dhcpd_nameservers:
- '192.168.1.4' - '192.168.1.4'
- '192.168.1.10' - '192.168.1.41'
dhcpd_keys: dhcpd_keys:
- key: dhcp - key: dhcp
algorithm: HMAC-MD5 algorithm: HMAC-MD5
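Review bot: The second nameserver handed to DHCP clients becomes 192.168.1.41, which I take to be the new recursor, but the recursor listens on `{{ ansible_default_ipv4.address }}` of the host in the DNS group and nothing in the diff ties 192.168.1.41 to that host, so confirm it is gerard's primary interface address. The same literal is now repeated in three files (here and both WireGuard vars files); a shared variable such as `dns_recursor_ip: 192.168.1.41` referenced from `dhcpd_nameservers` would make the next move a one-line change. Unrelated to this change but visible in the context lines: the DDNS key still uses `algorithm: HMAC-MD5`; since the ADR makes PowerDNS the dynamic-update target, the migration is a good moment to rotate the key to `algorithm: hmac-sha256`, which both ISC dhcpd and PowerDNS accept.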


@ -11,7 +11,7 @@ wireguard_postup:
- iptables -A FORWARD -i %i -j ACCEPT - iptables -A FORWARD -i %i -j ACCEPT
- iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE - iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
- sysctl -w net.ipv4.ip_forward=1 - sysctl -w net.ipv4.ip_forward=1
- resolvectl dns %i 192.168.1.4 192.168.1.10; resolvectl domain %i '~ducamps.win' '~consul' - resolvectl dns %i 192.168.1.4 192.168.1.41; resolvectl domain %i '~ducamps.win' '~ducamps.eu' '~consul'
wireguard_postdown: wireguard_postdown:
- iptables -D FORWARD -i %i -j ACCEPT - iptables -D FORWARD -i %i -j ACCEPT
@ -28,7 +28,7 @@ wireguard_unmanaged_peers:
public_key: rYYljQw8InmM95pxCP9KyZ8R+kcicgnjr6E9qtkI1Ag= public_key: rYYljQw8InmM95pxCP9KyZ8R+kcicgnjr6E9qtkI1Ag=
allowed_ips: 10.0.0.5/32 allowed_ips: 10.0.0.5/32
persistent_keepalive: 0 persistent_keepalive: 0
wireguard_dns: "192.168.1.4,192.168.1.10" wireguard_dns: "192.168.1.4,192.168.1.41"
consul_client_addr: "127.0.0.1 10.0.0.1" consul_client_addr: "127.0.0.1 10.0.0.1"
consul_bind_address: "10.0.0.1" consul_bind_address: "10.0.0.1"
consul_ui: True consul_ui: True
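Review bot: The resolver list now has to be kept in sync in two places in this file, `wireguard_dns: "192.168.1.4,192.168.1.41"` for peers and the hard-coded `resolvectl dns %i 192.168.1.4 192.168.1.41` inside `wireguard_postup` for the server link; this commit edited both, but nothing enforces it next time. Deriving the PostUp line from the variable, e.g. `resolvectl dns %i {{ wireguard_dns | replace(',', ' ') }}; resolvectl domain %i '~ducamps.win' '~ducamps.eu' '~consul'`, removes that coupling (Ansible templates vars lazily, so the expression resolves when the role renders the config). Both `wireguard_postup` and `wireguard_unmanaged_peers` begin above the visible hunks.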


@ -25,7 +25,7 @@ wireguard_unmanaged_peers:
public_key: rYYljQw8InmM95pxCP9KyZ8R+kcicgnjr6E9qtkI1Ag= public_key: rYYljQw8InmM95pxCP9KyZ8R+kcicgnjr6E9qtkI1Ag=
allowed_ips: 10.0.0.5/32 allowed_ips: 10.0.0.5/32
persistent_keepalive: 0 persistent_keepalive: 0
wireguard_dns: "192.168.1.40,192.168.1.10" wireguard_dns: "192.168.1.41,192.168.1.4"
consul_client_addr: "127.0.0.1 10.0.0.4" consul_client_addr: "127.0.0.1 10.0.0.4"
consul_bind_address: "10.0.0.4" consul_bind_address: "10.0.0.4"
consul_ui: True consul_ui: True
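Review bot: `wireguard_dns` on this host is `192.168.1.41,192.168.1.4` while the sibling WireGuard vars file in the same commit uses `192.168.1.4,192.168.1.41`, so peers of each endpoint prefer a different primary resolver. If that is intentional (load spreading, or keeping the ad-block resolver first on one side), a one-line comment above `wireguard_dns` saying so would help; otherwise define the list once in shared group_vars and reference it from both files. Note also that 192.168.1.10 is dropped from the peer list here although the new recursor still forwards `ducamps.win`/`ducamps.eu` to it, so an outage of .10 still takes those zones down until the authoritative server is migrated as the ADR plans.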


@ -0,0 +1,6 @@
---
- name: DNS playbook
hosts: DNS
roles:
- role: pdns_recursor-ansible
become: true


@ -7,6 +7,8 @@ gerard
corwin corwin
merlin merlin
[DNS]
gerard
[dhcp] [dhcp]
gerard gerard


@ -39,3 +39,5 @@
scm: git scm: git
- src: git@github.com:vincentDcmps/ansible-role-nfs.git - src: git@github.com:vincentDcmps/ansible-role-nfs.git
scm: git scm: git
- src: https://github.com/PowerDNS/pdns-ansible.git
- src: https://github.com/PowerDNS/pdns_recursor-ansible.git
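Review bot: The two new PowerDNS roles are fetched from GitHub without a `version:`, so every `ansible-galaxy install` tracks the upstream default branch and a force-push or compromised upstream lands straight into the DNS host's configuration; pin each entry to a release tag or commit, e.g. `- src: https://github.com/PowerDNS/pdns_recursor-ansible.git` / `  scm: git` / `  version: "<release tag or commit sha>"`. Adding `scm: git` also matches the sibling entries above — ansible-galaxy happens to special-case `github.com` https URLs, but relying on that is less explicit. The authoritative `pdns-ansible` role is required here while no play visible in this diff applies it, so the `pdns_config`/`pdns_backends` block in group_vars is not deployed yet; a short note in the ADR or a TODO next to the requirement would make that staging explicit.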


@ -5,6 +5,9 @@ gerard-dev
[VPS] [VPS]
merlin-dev merlin-dev
[DNS]
oscar-dev
[database] [database]
oscar-dev oscar-dev

docs/ADR/004-DNS.md Normal file

@ -0,0 +1,31 @@
# 004 DNS
## Status
In progress
## Context
curently main local domain DNS is located on NAS.
goal:
- avoid DNS outtage in case of NAS reboot (my synology have 10 years and is a litle long to reboot) morever during NAS reboot we lost the adblock DNS in the nomad cluster because nomad depend of the NFS share.
- remove the direct redirection to service.consul DNS and the IPTABLE rule use to redirect port 53 on consul on gerard instead new DNS could be forward directly to an active consul node on port 8300
### DNS software
need DHCP Dynamic update
could redirect domain on other port than port 53
## Decision
we will migrate Main Domain DNS from NAS to gerard (powerDNS)
powerDNS provide two disting binaries one for authority server one other for recursor
goal is to first migrate the recursice part from synology to a physical service
and in second time migrate authority server in nmad cluster
## Consequences
before to move authority server need to remove DB dns dependance (create db consul services)
need to delete the iptable rule on gerard before deploy