noot

ansible/ansible.cfg

@@ -1,2 +1,5 @@
 [defaults]
 nocows=true
+fact_caching=jsonfile
+fact_caching_connection=/tmp/ansible_facts_cache
+fact_caching_timeout=86400

ansible/files/Caddyfile

@@ -8,7 +8,7 @@
 
 {{hostvars[inventory_hostname]['public_dns']}} mydns.gay {
 	handle /dns-query* {
-		reverse_proxy h2c://127.0.0.1:8053 {
+		reverse_proxy http://127.0.0.1:8053 {
 			lb_retries 			5
 			lb_try_duration 5s
 			lb_try_interval 500ms

ansible/files/alloy.river

@@ -2,6 +2,57 @@ logging {
   level = "info"
 }
 
+// Prometheus remote write endpoint
+prometheus.remote_write "put_gay" {
+  endpoint {
+    url = "https://vm.put.gay/api/v1/write"
+    basic_auth {
+      username = "ingest"
+      password = "{{hostvars[inventory_hostname].metrics_password}}"
+    }
+    write_relabel_config {
+      target_label = "host"
+      replacement = "{{hostvars[inventory_hostname].public_dns}}"
+    }
+  }
+}
+
+// Scrape node_exporter
+prometheus.scrape "node_exporter" {
+  targets = [
+    {"__address__" = "localhost:9100", "target" = "node_exporter"},
+  ]
+  forward_to = [prometheus.remote_write.put_gay.receiver]
+  scrape_interval = "5s"
+}
+
+// Scrape sdns
+prometheus.scrape "sdns" {
+  targets = [
+    {"__address__" = "localhost:8053", "target" = "sdns"},
+  ]
+  forward_to = [prometheus.remote_write.put_gay.receiver]
+  scrape_interval = "5s"
+}
+
+// Scrape caddy
+prometheus.scrape "caddy" {
+  targets = [
+    {"__address__" = "localhost:2019", "target" = "caddy"},
+  ]
+  forward_to = [prometheus.remote_write.put_gay.receiver]
+  scrape_interval = "5s"
+}
+
+// Scrape dnsdist
+prometheus.scrape "dnsdist" {
+  targets = [
+    {"__address__" = "localhost:6060", "target" = "dnsdist"},
+  ]
+  forward_to = [prometheus.remote_write.put_gay.receiver]
+  scrape_interval = "5s"
+}
+
 loki.write "default" {
   endpoint {
     url = "https://loki.put.gay/loki/api/v1/push"

ansible/files/blocky.service

@@ -3,11 +3,13 @@ Description=Blocky is a DNS proxy and ad-blocker
 ConditionPathExists=/opt/blocky
 After=local-fs.target
 [Service]
-User=blocky
-Group=blocky
+User=caddy
+Group=caddy
 Type=simple
 WorkingDirectory=/opt/blocky
-ExecStart=/opt/blocky/blocky --config /opt/blocky/config.yml
+ExecStart=/opt/blocky/blocky --config /etc/blocky/blocky.yml
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 Restart=on-failure
 RestartSec=10
 StandardOutput=syslog

ansible/files/blocky.yml

@@ -1,14 +1,8 @@
 upstream:
   default:
-    - 127.0.0.1:53
-    # example for DNS-over-TLS server (DoT)
-##    - tcp-tls:fdns1.dismail.de:853
-    # example for DNS-over-HTTPS (DoH)
-##    - https://dns.digitale-gesellschaft.ch/dns-query
-  # optional: use client name (with wildcard support: * - sequence of any characters, [0-9] - range)
-  # or single ip address / client subnet as CIDR notation
-##  laptop*:
-##    - 123.123.123.123
+{% for _host in groups['dns_ord'] if hostvars[_host].internal_ip is defined %}
+    - {{ hostvars[_host].internal_ip }}:1053
+{% endfor %}
 
 # optional: timeout to query the upstream resolver. Default: 2s
 upstreamTimeout: 2s
@@ -48,33 +42,7 @@ connectIPVersion: dual
 ##    fritz.box: 192.168.178.1
 ##    lan.net: 192.168.178.1,192.168.178.2
 
-# optional: use black and white lists to block queries (for example ads, trackers, adult pages etc.)
-blocking:
-  # definition of blacklist groups. Can be external link (http/https) or local file
-  blackLists:
-    ads:
-      - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
-      - https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
-  clientGroupsBlock:
-    # default will be used, if no special definition for a client name exists
-    default:
-      - ads
-  blockType: nxDomain
-  # optional: TTL for answers to blocked domains
-  # default: 6h
-  blockTTL: 2h
-  # optional: automatically list refresh period (in duration format). Default: 4h.
-  # Negative value -> deactivate automatically refresh.
-  # 0 value -> use default
-  refreshPeriod: 12h
-  # optional: timeout for list download (each url). Default: 60s. Use large values for big lists or slow internet connections
-  downloadTimeout: 4m
-  # optional: Download attempt timeout. Default: 60s
-  downloadAttempts: 5
-  # optional: Time between the download attempts. Default: 1s
-  downloadCooldown: 10s
-  # optional: if failOnError, application startup will fail if at least one list can't be downloaded / opened. Default: blocking
-  startStrategy: failOnError
+# blocking disabled - no blocklists configured
 
 # optional: configuration for caching of DNS responses
 caching:
@@ -172,11 +140,10 @@ prometheus:
 ##    - redis-sentinel2:26379
 ##    - redis-sentinel3:26379
 
-# optional: Mininal TLS version that the DoH and DoT server will use
+# TLS configuration for DoT
 minTlsServeVersion: 1.3
-# if https port > 0: path to cert and key file for SSL encryption. if not set, self-signed certificate will be generated
-#certFile: server.crt
-#keyFile: server.key
+certFile: /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mydns.gay/mydns.gay.crt
+keyFile: /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mydns.gay/mydns.gay.key
 # optional: use these DNS servers to resolve blacklist urls and upstream DNS servers. It is useful if no system DNS resolver is configured, and/or to encrypt the bootstrap queries.
 bootstrapDns:
 ##  - tcp+udp:1.1.1.1
@@ -201,16 +168,14 @@ bootstrapDns:
   # optional: Whether loopback hosts addresses (127.0.0.0/8 and ::1) should be filtered or not, default: false
 ##  filterLoopback: true
 
-# optional: ports configuration
-##port:
-  # optional: DNS listener port(s) and bind ip address(es), default 53 (UDP and TCP). Example: 53, :53, "127.0.0.1:5353,[::1]:5353"
-port: 53
-  # optional: Port(s) and bind ip address(es) for DoT (DNS-over-TLS) listener. Example: 853, 127.0.0.1:853
-##  tls: 853
-  # optional: Port(s) and optional bind ip address(es) to serve HTTPS used for prometheus metrics, pprof, REST API, DoH... If you wish to specify a specific IP, you can do so such as 192.168.0.1:443. Example: 443, :443, 127.0.0.1:443,[::1]:443
-##  https: 443
-##  # optional: Port(s) and optional bind ip address(es) to serve HTTP used for prometheus metrics, pprof, REST API, DoH... If you wish to specify a specific IP, you can do so such as 192.168.0.1:4000. Example: 4000, :4000, 127.0.0.1:4000,[::1]:4000
-httpPort: 4000
+# ports configuration
+ports:
+  # DNS listener port
+  dns: 53
+  # DoT (DNS-over-TLS) listener
+  tls: 853
+  # HTTP port for metrics, REST API, and DoH
+  http: 127.0.0.1:8053
 
 # optional: logging configuration
 ##log:

ansible/files/dnsdist.conf

@@ -4,7 +4,7 @@ newServer({address="{{ hostvars[_host].internal_ip }}:1053", pool="sdns"})
 
 setServerPolicy(leastOutstanding)
 
-pc = newPacketCache(12800, {maxTTL=86400, minTTL=0, temporaryFailureTTL=60, staleTTL=60, dontAge=false})
+pc = newPacketCache(12800, {maxTTL=6000, minTTL=0, temporaryFailureTTL=60, staleTTL=60, dontAge=false})
 getPool("sdns"):setCache(pc)
 
 
@@ -22,6 +22,7 @@ addAction(MaxQPSIPRule(5, 32, 48, 20), DelayAction(100))
 webserver("127.0.0.1:6060")
 setWebserverConfig({ statsRequireAuthentication=false })
 setLocal("0.0.0.0:53")
+addLocal("[::]:53")
 
 -- proxied by caddy
 addDOHLocal("127.0.0.1:8053", nil, nil, "/dns-query", { reusePort=true, trustForwardedForHeader=true })

ansible/handlers/global.yml

@@ -4,9 +4,6 @@
 - name: restart sshd
   service: name=sshd state=restarted enabled=yes
   listen: "restart sshd"
-- name: restart dnsdist
-  service: name=dnsdist-public state=restarted enabled=yes daemon-reload=true
-  listen: "restart dnsdist"
 - name: restart prometheus
   service: name=prometheus state=restarted enabled=yes
   listen: "restart prometheus"

ansible/playbook.yml

@@ -6,29 +6,24 @@
   tasks:
   - import_tasks: ./tasks/debian.yml
   - import_tasks: ./tasks/dns.yml
-  - import_tasks: ./tasks/prometheus.yml
+  # - import_tasks: ./tasks/prometheus.yml  # Replaced by Alloy
   - import_tasks: ./tasks/alloy.yml
   handlers:
     - import_tasks: ./handlers/global.yml
 - hosts: lb_ord
   tags: ["lb"]
   tasks:
-  - import_tasks: ./tasks/prometheus.yml
+  # - import_tasks: ./tasks/prometheus.yml  # Replaced by Alloy
   - import_tasks: ./tasks/debian.yml
   - import_tasks: ./tasks/blocky.yml
-  - import_tasks: ./tasks/dnsdist.yml
   - import_tasks: ./tasks/caddy.yml
   - import_tasks: ./tasks/alloy.yml
-  - name: copy dnsdist service override
-    template:
-      src: "{{ playbook_dir }}/files/dnsdist.service"
-      dest:  /etc/systemd/system/dnsdist-public.service
-    notify: "restart dnsdist"
-  - name: copy dnsdist config
-    template:
-      src: "{{ playbook_dir }}/files/dnsdist.conf"
-      dest: "/etc/dnsdist/dnsdist.conf"
-    notify: "restart dnsdist"
+  - name: stop and disable dnsdist-public service
+    service: 
+      name: dnsdist-public
+      state: stopped
+      enabled: no
+    ignore_errors: yes
   - name: copy blocky config
     template:
       src: "{{ playbook_dir }}/files/blocky.yml"

ansible/tasks/alloy.yml

@@ -1,16 +1,41 @@
 ---
+- name: Stop and disable Prometheus services
+  block:
+    - name: Stop and disable prometheus
+      ansible.builtin.service:
+        name: prometheus
+        state: stopped
+        enabled: no
+      ignore_errors: yes
+
+    - name: Stop and disable prometheus-node-exporter
+      ansible.builtin.service:
+        name: prometheus-node-exporter
+        state: stopped
+        enabled: no
+      ignore_errors: yes
+
 - name: Install Grafana Alloy
   block:
-    - name: Add Grafana GPG apt key
-      ansible.builtin.apt_key:
+    - name: Create keyrings directory
+      ansible.builtin.file:
+        path: /etc/apt/keyrings
+        state: directory
+        mode: '0755'
+
+    - name: Download Grafana GPG key
+      ansible.builtin.get_url:
         url: https://apt.grafana.com/gpg.key
-        state: present
+        dest: /etc/apt/keyrings/grafana.asc
+        mode: '0644'
+        force: yes
 
     - name: Add Grafana repository
       ansible.builtin.apt_repository:
-        repo: "deb https://apt.grafana.com stable main"
+        repo: "deb [signed-by=/etc/apt/keyrings/grafana.asc] https://apt.grafana.com stable main"
         state: present
         update_cache: yes
+        filename: grafana
 
     - name: Install Alloy
       ansible.builtin.apt:

ansible/tasks/blocky.yml

@@ -1,36 +1,29 @@
 # vi: ft=yaml.ansible
-- name: create blocky group
-  group:
-    name: blocky
-    state: present
-- name: create blocky user
-  user:
-    name: blocky
-    group: blocky
 - name: ensure /opt/blocky exists
   file:
     path: /opt/blocky
     state: directory
     mode: '0755'
-    owner: blocky
-    group: blocky
+    owner: caddy
+    group: caddy
 - name: ensure /etc/blocky exists
   file:
     path: /etc/blocky
     state: directory
     mode: '0755'
-    owner: blocky
-    group: blocky
-- name: install dnsproxy
+    owner: caddy
+    group: caddy
+- name: install blocky
   unarchive:
     src: https://github.com/0xERR0R/blocky/releases/download/v0.24/blocky_v0.24_Linux_x86_64.tar.gz
     dest: /opt/blocky
     include:
       - blocky
     remote_src: yes
-      #- name: setup service
-      #  copy:
-      #    src: "{{ playbook_dir }}/files/Caddyfile"
-      #    dest: /etc/systemd/system/blocky.service
-      #- name: ensure dnsproxy is running
-      #  service: name=dnscrypt-proxy state=started enabled=yes daemon-reload=true
+- name: setup blocky service
+  copy:
+    src: "{{ playbook_dir }}/files/blocky.service"
+    dest: /etc/systemd/system/blocky.service
+  notify: "reload systemd"
+- name: ensure blocky is running
+  service: name=blocky state=started enabled=yes daemon-reload=true

ansible/tasks/dns.yml

@@ -1,6 +1,6 @@
 - name: install sdns
   apt:
-    deb: https://github.com/semihalev/sdns/releases/download/v1.3.7/sdns_1.3.7_x86_64.deb
+    deb: https://github.com/semihalev/sdns/releases/download/v1.6.0/sdns_1.6.0_x86_64.deb
 - name: copy sdns config
   copy:
     src: "{{ playbook_dir }}/files/sdns.conf"