Verified Commit afb582b1 authored by Evangelos Foutras's avatar Evangelos Foutras :smiley_cat:

geomirror: extract acme dns challenge into new role

- add the new role to redirect.archlinux.org
- release mirror.pkgbuild.com of all DNS duties
parent 79449811
1 merge request!574Implement generalized support for geo domains
with 110 additions and 73 deletions
......@@ -85,7 +85,6 @@ So to set up this server from scratch, run:
### Services
- Regular mirror.
- Running a authoritative DNS server (PowerDNS) for our GeoIP mirror
## reproducible.archlinux.org
......@@ -135,6 +134,7 @@ Prometheus, and Grafana server which receives selected performance/metrics from
### Services
- Redirects (nginx redirects)
- Authoritative DNS server (PowerDNS) for ACME DNS challenges
- ping
## security.archlinux.org
......
geo_acme_dns_challenge_ns: redirect.archlinux.org
geo_domains:
- geo.mirror.pkgbuild.com
geo_health_check_paths:
geo.mirror.pkgbuild.com: /lastupdate
---
certbot_dns_support: true
geo_mirror_domain: "geo.mirror.pkgbuild.com"
../../host_vars/redirect.archlinux.org/vault_certbot.yml
\ No newline at end of file
---
archweb_db_host: "{{ hostvars['archlinux.org']['wireguard_address'] }}"
geo_mirror_domain: "geo.mirror.pkgbuild.com"
# raise tcp window limits to 32MiB
tcp_rmem: "10240 87380 33554432"
......
$ANSIBLE_VAULT;1.1;AES256
33353333666434623961613663633633383731373033316562663738626365613338376533353063
6630303162373830353863393932363365666130346235340a653238636534636266633137313435
38386562313930373762386635346264363839623239616662663733636262326331656365643732
3861396531336463320a623339333461316132666333326136326561633966636136346636303662
31353932303931666361333038356363633234343130633831636632383063313135616633343263
38383562326464363061633031636263313534363035656230323137303663653966346231336535
36653835626632393232633538616365383532643830636633666635393335336538356631353039
66363836653935316664353161363038376562333764613062316536643034623436303337396639
64316234623830613739303866653139316362663461376132616464613432303734373761373434
65323965623431376665353338316531346363303338613863633030656136643933363331396539
66663362346530643332386436653663336564623664303838386637353061376561626364383433
37616133643861646536363535613133366664643764356665343162623439333462323634386134
66343335656334356466636430613634393235613462666362656632316665663235346233363435
64343031376230393735333761376561393838633734646434626333306666373231353461343561
38666266666230383330306566653438633566613565386565383565356532653438376234356233
62373434656634343061333535663135396432383039306566626636666163356534306665623765
33363030356637376462323934313731326236623765613666356165336165313366
---
mirror_domain: mirror.pkgbuild.com
mirror_debug_packages: false
geomirror_acme_challenge: true
archweb_mirrorcheck_locations: [20, 21]
filesystem: btrfs
......
......@@ -2,3 +2,6 @@
filesystem: btrfs
wireguard_address: 10.0.0.25
wireguard_public_key: n11Ps2sc0Cxsi1sLaYFq7dkhlDtTnOZCGovRYbzDGR8=
ipv4_address: "95.216.195.133"
ipv6_address: "2a01:4f9:c010:2636::1"
$ANSIBLE_VAULT;1.1;AES256
39626637376631343762626362663831313061353261646164316339663936363938396561363864
3761623339613362373235326161303736303634333564350a393861623461316661646239393935
64333234383435313865653463616139393562633735616331343964623032326534393138616161
6462616265666633380a393862646464373438633835383239623435373636613964623839663939
39373638356461383331393732626665373436653137373666303465666632383133333237386564
61353965333432323432383365313263336234366163363330663234656530326265373530663238
37353561663035363239653763383731313062646538383839383831306562336335363236373036
33613562623661343965626164386332306164373861316561383239666261393464656536373062
35646637303036333138643966383239666564323539653866373738346565346238323266376434
39383064343164373537353866363834663066363333343035373832653261353966653662333736
32626662636330313261643636663233353536396136353263666461616630393164316435613264
64643563333337396439643036623739303766313661316266343962386630316366346432376537
66333863343362323362356333613064613333653161663564616234363263373863663530353038
37316661376435373239643035343664653133363862323536613164386136376164663763316362
63646363326333663637613761373032383135393331663361363462386631653266336532663938
36363135316634383062613562306332663363383630323762333334346339346161393536353466
30656162633164376635313839646633663133343736386630383439666636613963
......@@ -15,4 +15,4 @@
- { role: promtail }
- { role: fail2ban }
- { role: wireguard }
- { role: geomirror, when: "inventory_hostname == 'mirror.pkgbuild.com' or 'geo_mirrors' in group_names" }
- { role: geomirror, when: "'geo_mirrors' in group_names" }
......@@ -14,3 +14,4 @@
- { role: promtail }
- { role: hardening }
- { role: ping }
- { role: acme_dns_challenge }
---
- name: restart powerdns
service: name=pdns state=restarted
---
- name: install powerdns
pacman: name=powerdns state=present
- name: install PowerDNS configuration
template: src={{ item.src }} dest=/etc/powerdns/{{ item.dest }} owner=root group=root mode=0644
loop:
- {src: pdns.conf.j2, dest: pdns.conf}
- {src: dnsupdate-policy.lua.j2, dest: dnsupdate-policy.lua}
notify: restart powerdns
- name: create directory for sqlite3 dbs
file: path=/var/lib/powerdns state=directory owner=powerdns group=powerdns mode=0755
- name: initialize sqlite3 database for _acme-challenge zones
command: sqlite3 -init /usr/share/doc/powerdns/schema.sqlite3.sql /var/lib/powerdns/pdns.sqlite3 ""
become: true
become_user: powerdns
args:
creates: /var/lib/powerdns/pdns.sqlite3
- name: create _acme-challenge zones
shell: |
pdnsutil create-zone _acme-challenge.{{ item }} {{ inventory_hostname }}
pdnsutil replace-rrset _acme-challenge.{{ item }} @ SOA "{{ inventory_hostname }}. root.archlinux.org. 0 10800 3600 604800 3600"
loop: "{{ geo_domains }}"
become: true
become_user: powerdns
changed_when: false
- name: import TSIG key (for certbot)
command: pdnsutil import-tsig-key {{ certbot_rfc2136_key }} {{ certbot_rfc2136_algorithm }} {{ certbot_rfc2136_secret }}
changed_when: false
- name: open powerdns ipv4 port for monitoring.archlinux.org
ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes
rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['wireguard_address'] }} port protocol=tcp port=8081 accept"
tags:
- firewall
- name: open firewall hole
ansible.posix.firewalld: service=dns permanent=true state=enabled immediate=yes
- name: start and enable powerdns
systemd: name=pdns.service enabled=yes daemon_reload=yes state=started
#jinja2: lstrip_blocks: True
-- Based on https://github.com/PowerDNS/pdns/wiki/Lua-Examples-(Authoritative)#updatepolicy-access-control-for-rfc2136-dynamic-updates
function updatepolicy(input)
acme_challenge_rrname = "_acme-challenge.{{ geo_mirror_domain }}."
valid_rrnames = {
{% for domain in geo_domains %}
["_acme-challenge.{{ domain }}."]=true,
{% endfor %}
}
-- only allow updates from our servers
mynetworks = newNMG()
......@@ -26,7 +31,7 @@ function updatepolicy(input)
end
-- only accept TXT record updates for _acme_challenge
if input:getQType() == pdns.TXT and input:getQName():toString() == acme_challenge_rrname
if input:getQType() == pdns.TXT and valid_rrnames[input:getQName():toString()]
then
pdnslog("updatepolicy: query checks successful", pdns.loglevels.Info)
return true
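Review bot: `valid_rrnames` is assigned without `local`, so like the existing `mynetworks` it becomes a global in the policy script's Lua state; `local valid_rrnames = {` keeps the table scoped to `updatepolicy`. The new check `valid_rrnames[input:getQName():toString()]` is an exact string lookup, so an update whose qname differs only in case or trailing-dot form from the rendered `_acme-challenge.<domain>.` keys is refused — that fails closed, which is fine, but worth stating in the comment above the `if`, e.g. `-- exact match against the rendered _acme-challenge zone names; anything else is refused`. The `updatepolicy` function's body continues outside the hunk.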
......
setgid=powerdns
setuid=powerdns
local-address={{ ipv4_address }},{{ ipv6_address }}
webserver=yes
webserver-address=0.0.0.0
webserver-allow-from=127.0.0.1,::1,{{ hostvars['monitoring.archlinux.org']['wireguard_address'] }}
launch=gsqlite3
gsqlite3-database=/var/lib/powerdns/pdns.sqlite3
dnsupdate=yes
lua-dnsupdate-policy-script=/etc/powerdns/dnsupdate-policy.lua
---
geomirror_acme_challenge: false
......@@ -7,36 +7,8 @@
loop:
- {src: pdns.conf.j2, dest: pdns.conf}
- {src: geo.yml.j2, dest: geo.yml}
- {src: dnsupdate-policy.lua.j2, dest: dnsupdate-policy.lua}
notify: restart powerdns
- name: create directory for sqlite3 dbs
file: path=/var/lib/powerdns state=directory owner=powerdns group=powerdns mode=0755
when: geomirror_acme_challenge
- name: initialize sqlite3 database for _acme-challenge zone
command: sqlite3 -init /usr/share/doc/powerdns/schema.sqlite3.sql /var/lib/powerdns/pdns.sqlite3 ""
become: true
become_user: powerdns
args:
creates: /var/lib/powerdns/pdns.sqlite3
register: init
when: geomirror_acme_challenge
- name: create _acme-challenge zone
command: "{{ item }}"
loop:
- pdnsutil create-zone _acme-challenge.{{ geo_mirror_domain }} mirror.pkgbuild.com
- pdnsutil replace-rrset _acme-challenge.{{ geo_mirror_domain }} @ SOA "mirror.pkgbuild.com. root.archlinux.org. 0 10800 3600 604800 3600"
become: true
become_user: powerdns
when: init.changed
- name: import TSIG key (for certbot)
command: pdnsutil import-tsig-key {{ certbot_rfc2136_key }} {{ certbot_rfc2136_algorithm }} {{ certbot_rfc2136_secret }}
changed_when: false
when: geomirror_acme_challenge
- name: open powerdns ipv4 port for monitoring.archlinux.org
ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes
rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['wireguard_address'] }} port protocol=tcp port=8081 accept"
......
#jinja2:lstrip_blocks: True
---
domains:
- domain: {{ geo_mirror_domain }}
{% for domain in geo_domains %}
- domain: {{ domain }}
ttl: 3600
records:
{{ geo_mirror_domain }}:
- soa: mirror.pkgbuild.com. root.archlinux.org. 2022042701 3600 1800 604800 3600
{% for host in groups['geo_mirrors'] + ['mirror.pkgbuild.com'] %}
{{ domain }}:
- soa: {{ groups['geo_mirrors'] | first }}. root.archlinux.org. 2022042701 3600 1800 604800 3600
{% for host in groups['geo_mirrors'] %}
- ns:
ttl: 86400
content: {{ host }}
......@@ -14,16 +15,15 @@ domains:
- lua:
ttl: 300
content: >
A "ifurlup('https://{{ geo_mirror_domain }}/lastupdate',
A "ifurlup('https://{{ domain }}{{ geo_health_check_paths[domain] | default('/') }}',
{'{{ groups['geo_mirrors'] | map('extract', hostvars, ['ipv4_address']) | join("', '") }}'},
{selector='pickclosest', useragent='pdns on {{ inventory_hostname }}'})"
- lua:
ttl: 300
content: >
AAAA "ifurlup('https://{{ geo_mirror_domain }}/lastupdate',
AAAA "ifurlup('https://{{ domain }}{{ geo_health_check_paths[domain] | default('/') }}',
{'{{ groups['geo_mirrors'] | map('extract', hostvars, ['ipv6_address']) | join("', '") }}'},
{selector='pickclosest', useragent='pdns on {{ inventory_hostname }}'})"
{% if not geomirror_acme_challenge %}
_acme-challenge.{{ geo_mirror_domain }}:
- ns: mirror.pkgbuild.com
{% endif %}
_acme-challenge.{{ domain }}:
- ns: {{ geo_acme_dns_challenge_ns }}
{% endfor %}
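Review bot: The templated scalars on the new lines (`- domain: {{ domain }}`, the `{{ domain }}:` key and `content: {{ host }}`) are unquoted, so the rendered file is valid only as long as every domain and host name is a plain YAML scalar; quoting them, e.g. `- domain: "{{ domain }}"`, costs nothing and guards against a value that renders empty or starts with a YAML indicator. The SOA MNAME now comes from `{{ groups['geo_mirrors'] | first }}`, i.e. whichever host the inventory happens to list first; if a particular primary is intended, a dedicated variable next to `geo_acme_dns_challenge_ns` would make that explicit and survive inventory reordering (inferred — the inventory is not in this diff). The same unquoted-template point applies to the `domains:` hunk earlier in this section.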
......@@ -4,14 +4,7 @@ local-address={{ ipv4_address }},{{ ipv6_address }}
webserver=yes
webserver-address=0.0.0.0
webserver-allow-from=127.0.0.1,::1,{{ hostvars['monitoring.archlinux.org']['wireguard_address'] }}
{% if geomirror_acme_challenge %}
launch=geoip,gsqlite3
gsqlite3-database=/var/lib/powerdns/pdns.sqlite3
dnsupdate=yes
lua-dnsupdate-policy-script=/etc/powerdns/dnsupdate-policy.lua
{% else %}
launch=geoip
{% endif %}
geoip-database-files=/var/lib/GeoIP/GeoLite2-City.mmdb
geoip-zones-file=/etc/powerdns/geo.yml
enable-lua-records
......
......@@ -75,8 +75,8 @@ blackbox_targets:
smtp_starttls:
- mail.archlinux.org:25
- lists.archlinux.org:25
dns_geomirror_a: "{{ groups['geo_mirrors'] + ['mirror.pkgbuild.com'] }}"
dns_geomirror_aaaa: "{{ groups['geo_mirrors'] + ['mirror.pkgbuild.com'] }}"
dns_geomirror_a: "{{ groups['geo_mirrors'] }}"
dns_geomirror_aaaa: "{{ groups['geo_mirrors'] }}"
matrix_metrics_endpoints:
- homeserver
- appservice
......