noot

ansible/.gitignore

@@ -0,0 +1 @@
+inventory

ansible/Makefile

@@ -0,0 +1,10 @@
+.PHONY: all dns lb
+
+ANSIBLE_ROOT=ansible-playbook playbook.yml -i inventory
+
+all:
+	$(ANSIBLE_ROOT)
+lb:
+	$(ANSIBLE_ROOT) --tags "lb"
+dns:
+	$(ANSIBLE_ROOT) --tags "dns"

ansible/ansible.cfg

@@ -0,0 +1,2 @@
+[defaults]
+nocows=true

ansible/assets/index.html

@@ -0,0 +1,10 @@
+<!doctype html>
+<html>
+  <head>
+    <title>mydns</title>
+  </head>
+  <body>
+    <p>dns server</p>
+
+  </body>
+</html>

ansible/files/dns.Caddyfile

@@ -0,0 +1,21 @@
+{
+	admin "unix//run/caddy/admin.socket"
+	email a@tuxpa.in
+}
+
+{{hostvars[inventory_hostname].public_dns}} {
+	route /dns-query {
+		respond "hello" 200
+	}
+
+	handle {
+		root * /var/www
+		rewrite * index.html
+		file_server
+	}
+}
+
+:80 {
+	respond "ok"
+}
+# vi: ft=caddyfile

ansible/files/haproxy.cfg

@@ -0,0 +1,39 @@
+global
+	log /dev/log	local0 alert
+	log /dev/log	local1 alert
+	chroot /var/lib/haproxy
+	stats socket /run/haproxy/admin.sock mode 660 level admin
+	stats timeout 30s
+	user haproxy
+	group haproxy
+	daemon
+
+	# Default SSL material locations
+	ca-base /etc/ssl/certs
+	crt-base /etc/ssl/private
+
+	# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
+        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
+
+frontend websecure
+	mode tcp
+	bind :443
+	default_backend websecure_servers
+	timeout connect 5s
+
+frontend web
+	mode tcp
+	bind :80
+	default_backend web_servers
+	timeout connect 5s
+
+backend websecure_servers
+	mode tcp
+	balance leastconn
+{% for host in dns_ord %}
+  server s{{loop.index}} {{ hostvars[host].internal_ip }}
+{% endfor %}
+
+

ansible/files/lb.Caddyfile

@@ -0,0 +1,24 @@
+{
+	admin "unix//run/caddy/admin.socket"
+	email a@tuxpa.in
+}
+
+{{hostvars[inventory_hostname]['public_dns']}} mydns.gay {
+	route / {
+		respond "mainpage" 200
+	}
+
+	route /dns-query {
+		respond "hello" 200
+	}
+  {% for host in groups["dns_ord"] %}
+    "{{ hostvars[host].inventory_hostname }}{{ hostvars[host].ansible_default_ipv4.address }}|cmk-agent|prod|lan|tcp|wato|/" + FOLDER_PATH + "/",
+  {% endfor %}
+
+	handle {
+		root * /var/www
+		rewrite * index.html
+		file_server
+	}
+}
+# vi: ft=caddyfile

ansible/files/sdns.conf

@@ -0,0 +1,194 @@
+# Config version, config and build versions can be different.
+version = "1.3.3"
+
+# Sets the sdns working directory. The directory must have write access for sdns's user.
+directory = "/var/lib/sdns"
+
+# Address to bind to for the DNS server.
+bind = "localhost:1053"
+
+# Address to bind to for the DNS-over-TLS server.
+# bindtls = ":853"
+
+# Address to bind to for the DNS-over-HTTPS server.
+# binddoh = ":443"
+
+# Address to bind to for the DNS-over-QUIC server.
+# binddoq = ":853"
+
+# TLS certificate file.
+# tlscertificate = "server.crt"
+
+# TLS private key file.
+# tlsprivatekey = "server.key"
+
+# Outbound IPv4 addresses, if you set multiple, sdns can use a random outbound IPv4 address by request based.
+outboundips = [
+]
+
+# Outbound IPv6 addresses, if you set multiple, sdns can use a random outbound IPv6 address by request based.
+outboundip6s = [
+]
+
+# Root zone IPv4 servers
+rootservers = [
+    "198.41.0.4:53",
+    "199.9.14.201:53",
+    "192.33.4.12:53",
+    "199.7.91.13:53",
+    "192.203.230.10:53",
+    "192.5.5.241:53",
+    "192.112.36.4:53",
+    "198.97.190.53:53",
+    "192.36.148.17:53",
+    "192.58.128.30:53",
+    "193.0.14.129:53",
+    "199.7.83.42:53",
+    "202.12.27.33:53"
+]
+
+# Root zone IPv6 servers
+root6servers = [
+    "[2001:503:ba3e::2:30]:53",
+    "[2001:500:200::b]:53",
+    "[2001:500:2::c]:53",
+    "[2001:500:2d::d]:53",
+    "[2001:500:a8::e]:53",
+    "[2001:500:2f::f]:53",
+    "[2001:500:12::d0d]:53",
+    "[2001:500:1::53]:53",
+    "[2001:7fe::53]:53",
+    "[2001:503:c27::2:30]:53",
+    "[2001:7fd::1]:53",
+    "[2001:500:9f::42]:53",
+    "[2001:dc3::35]:53"
+]
+
+# Trusted anchors for DNSSEC
+rootkeys = [
+    ".			172800	IN	DNSKEY	257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="
+]
+
+# Failover resolver IPv4 or IPv6 addresses with port, left blank for disabled.
+# fallbackservers = [
+#   "8.8.8.8:53",
+#   "[2001:4860:4860::8888]:53"
+# ]
+fallbackservers = [
+]
+
+# Forwarder resolver IPv4 or IPv6 addresses with port, left blank for disabled.
+# forwarderservers = [
+#   "8.8.8.8:53",
+#   "[2001:4860:4860::8888]:53",
+#   "tls://8.8.8.8:853"
+# ]
+forwarderservers = [
+]
+
+# Address to bind to for the HTTP API server, left blank for disabled.
+api = "127.0.0.1:8053"
+
+# What kind of information should be logged, Log verbosity level [crit, error, warn, info, debug].
+loglevel = "info"
+
+# The location of the access log file, left blank for disabled. SDNS uses Common Log Format by default.
+# accesslog = ""
+
+# List of remote blocklists address list. All lists will be downloaded to the blocklist folder.
+# blocklists = [
+#    "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts",
+#    "http://sysctl.org/cameleon/hosts",
+#    "https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt",
+#    "https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt"
+# ]
+blocklists = [
+]
+
+# [DEPRECATED] This will be ignored. The directory will be created under the working directory automatically.
+blocklistdir = ""
+
+# IPv4 address to forward blocked queries to.
+nullroute = "0.0.0.0"
+
+# IPv6 address to forward blocked queries to.
+nullroutev6 = "::0"
+
+# Which clients are allowed to make queries.
+accesslist = [
+    "0.0.0.0/0",
+    "::0/0"
+]
+
+# Enables serving zone data from a hosts file, left blank for disabled.
+# The form of the entries in the /etc/hosts file is based on IETF RFC 952, which was updated by IETF RFC 1123.
+hostsfile = "/etc/hosts"
+
+# Specifies the network timeout duration for each DNS lookup.
+timeout = "2s"
+
+# Defines the maximum duration to wait for each DNS query to respond.
+querytimeout = "10s"
+
+# Default error cache TTL in seconds.
+expire = 600
+
+# Cache size (total records in cache).
+cachesize = 256000
+
+# Cache prefetch before expire. The default threshold is 10%, 0 for disabled.
+# The threshold percent should be between 10% ~ 90%.
+prefetch = 10
+
+# Maximum iteration depth for a query.
+maxdepth = 30
+
+# Query-based ratelimit per second, 0 for disabled.
+ratelimit = 0
+
+# Client IP address-based ratelimit per minute, 0 for disabled.
+clientratelimit = 0
+
+# Manual blocklist entries.
+# blocklist = [
+#   "example.com",
+#   "example.net"
+# ]
+blocklist = [
+]
+
+# Whitelist entries.
+# whitelist = [
+#   "example.com",
+#   "example.net"
+# ]
+whitelist = [
+]
+
+# DNS server identifier (RFC 5001), it's useful while operating multiple sdns. Left blank for disabled.
+nsid = ""
+
+# Enable to answer version.server, version.bind, hostname.bind, id.server chaos queries.
+chaos = true
+
+# Qname minimization level. If higher, it can be more complex and impact the response performance.
+# If set to 0, qname minimization will be disabled.
+qname_min_level = 5
+
+# Empty zones return an answer for RFC 1918 zones. Please see http://as112.net/
+# for details of the problems you are causing and the countermeasures that have had to be deployed.
+# If the list is empty, SDNS will use default zones described at RFC.
+# emptyzones = [
+#   "10.in-addr.arpa."
+# ]
+emptyzones = [
+]
+
+# You can add your own plugins to sdns. The plugin order is very important.
+# Plugins can be loaded before the cache middleware.
+# Config keys should be strings, and values can be anything.
+# There is an example plugin at https://github.com/semihalev/sdnsexampleplugin
+# [plugins]
+#     [plugins.example]
+#     path = "exampleplugin.so"
+#     config = {key_1 = "value_1", key_2 = 2, key_3 = true}

ansible/inventory.example

@@ -0,0 +1,9 @@
+# vi: ft=yaml
+dnsserver:
+  hosts:
+    127.0.0.1:
+  vars:
+lb:
+  hosts:
+    127.0.0.1:
+  vars:

ansible/playbook.yml

@@ -0,0 +1,31 @@
+#vi ft: yaml.ansible
+---
+- hosts:
+   - dns_ord
+  tags: ["dns"]
+  tasks:
+  - import_tasks: ./tasks/debian.yml
+  - import_tasks: ./tasks/caddy.yml
+  - import_tasks: ./tasks/caddy-dns.yml
+  - import_tasks: ./tasks/dns.yml
+  handlers:
+    - name: restart sdns
+      service: name=sdns state=restarted enabled=yes
+      listen: "restart sdns"
+    - name: reload caddy
+      service: name=caddy state=restarted enabled=yes
+      listen: "reload caddy"
+- hosts: lb_ord
+  tags: ["lb"]
+  tasks:
+  - import_tasks: ./tasks/debian.yml
+  - import_tasks: ./tasks/caddy.yml
+  - import_tasks: ./tasks/caddy-lb.yml
+  - import_tasks: ./tasks/envoy.yml
+  handlers:
+    - name: reload caddy
+      service: name=caddy state=restarted enabled=yes
+      listen: "reload caddy"
+    - name: restart sshd
+      service: name=sshd state=restarted enabled=yes
+      listen: "restart sshd"

ansible/tasks/caddy-dns.yml

@@ -0,0 +1,6 @@
+# vi: ft=yaml.ansible
+- name: copy caddy config
+  template:
+    src: "{{ playbook_dir }}/files/dns.Caddyfile"
+    dest: "/etc/caddy/Caddyfile"
+  notify: "reload caddy"

ansible/tasks/caddy-lb.yml

@@ -0,0 +1,6 @@
+# vi: ft=yaml.ansible
+- name: copy caddy config
+  template:
+    src: "{{ playbook_dir }}/files/lb.Caddyfile"
+    dest: "/etc/caddy/Caddyfile"
+  notify: "reload caddy"

ansible/tasks/caddy.yml

@@ -0,0 +1,24 @@
+# vi: ft=yaml.ansible
+- name: install caddy
+  apt:
+    deb: https://github.com/caddyserver/caddy/releases/download/v2.8.4/caddy_2.8.4_linux_amd64.deb
+- name: ensure /run/caddy exists
+  file:
+    path: /run/caddy
+    state: directory
+    mode: '0755'
+    owner: caddy
+    group: caddy
+- name: ensure /var/www exists
+  file:
+    path: /var/www/site
+    state: directory
+    mode: '0755'
+    owner: caddy
+    group: caddy
+- name: copy index.html
+  template:
+    src: "{{ playbook_dir }}/assets/index.html"
+    dest: "/var/www/site/index.html"
+- name: ensure caddy is running
+  service: name=caddy state=started enabled=yes

ansible/tasks/debian.yml

@@ -0,0 +1,31 @@
+# vi: ft=yaml.ansible
+- name: update repos
+  become: true
+  apt:
+    upgrade: yes
+    update_cache: yes
+    cache_valid_time: 12800
+- pam_limits:
+    domain: '*'
+    limit_type: soft
+    limit_item: nofile
+    value: 1280000
+- name: install ntp
+  apt: pkg=ntp state=present
+- name: install vim
+  apt: pkg=vim state=present
+- name: install python3
+  apt: pkg=python3 state=present
+- name: install build-essential
+  apt: pkg=build-essential state=present
+- name: ensure ntp is running
+  service: name=ntp state=started enabled=yes
+- name: Disallow SSH password authentication
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    regexp: "^PasswordAuthentication"
+    line: "PasswordAuthentication no"
+    state: present
+    validate: sshd -t -f %s
+  notify:
+    - restart sshd

ansible/tasks/dns.yml

@@ -0,0 +1,10 @@
+- name: install sdns
+  apt:
+    deb: https://github.com/semihalev/sdns/releases/download/v1.3.7/sdns_1.3.7_x86_64.deb
+- name: copy sdns config
+  copy:
+    src: "{{ playbook_dir }}/files/sdns.conf"
+    dest: "/etc/sdns.conf"
+  notify: "restart sdns"
+- name: ensure sdns is running
+  service: name=sdns state=started enabled=yes