From b03d12bbc3a2ac112ab555da5ce3a665351b8a2f Mon Sep 17 00:00:00 2001 
From: Lino Silva Date: Tue, 9 Dec 2025 11:24:57 +0000 Subject: [PATCH] feat: Add techtinium dns nodes --- inventory/my-cluster/group_vars/all.yml | 10 ++++ inventory/my-cluster/host_vars/technitium-dns | 6 +++ .../my-cluster/host_vars/technitium-dns-2 | 6 +++ .../my-cluster/host_vars/technitium-dns-3 | 6 +++ inventory/my-cluster/hosts.ini | 11 ++-- playbook-49-technitium-dns.yml | 27 ++++++++++ playbook-50-technitium-dns-2.yml | 27 ++++++++++ playbook-51-technitium-dns-3.yml | 27 ++++++++++ .../enable-ssh/tasks/main.yml | 12 +++++ .../install-app/tasks/main.yml | 20 ++++++++ .../install-app/templates/docker-compose.yml | 51 +++++++++++++++++++ .../install-docker/tasks/main.yml | 27 ++++++++++ .../provision/create/tasks/main.yml | 30 +++++++++++ .../provision/delete/tasks/main.yml | 27 ++++++++++ .../provision/start/tasks/main.yml | 8 +++ roles/49-technitium-dns/update/tasks/main.yml | 6 +++ .../enable-ssh/tasks/main.yml | 12 +++++ .../install-app/tasks/main.yml | 20 ++++++++ .../install-app/templates/docker-compose.yml | 51 +++++++++++++++++++ .../install-docker/tasks/main.yml | 27 ++++++++++ .../provision/create/tasks/main.yml | 30 +++++++++++ .../provision/delete/tasks/main.yml | 27 ++++++++++ .../provision/start/tasks/main.yml | 8 +++ .../50-technitium-dns-2/update/tasks/main.yml | 6 +++ .../enable-ssh/tasks/main.yml | 12 +++++ .../install-app/tasks/main.yml | 20 ++++++++ .../install-app/templates/docker-compose.yml | 51 +++++++++++++++++++ .../install-docker/tasks/main.yml | 27 ++++++++++ .../provision/create/tasks/main.yml | 30 +++++++++++ .../provision/delete/tasks/main.yml | 27 ++++++++++ .../provision/start/tasks/main.yml | 8 +++ .../51-technitium-dns-3/update/tasks/main.yml | 6 +++ 32 files changed, 659 insertions(+), 4 deletions(-) create mode 100644 inventory/my-cluster/host_vars/technitium-dns create mode 100644 inventory/my-cluster/host_vars/technitium-dns-2 create mode 100644 inventory/my-cluster/host_vars/technitium-dns-3 create mode 100644 
playbook-49-technitium-dns.yml create mode 100644 playbook-50-technitium-dns-2.yml create mode 100644 playbook-51-technitium-dns-3.yml create mode 100644 roles/49-technitium-dns/enable-ssh/tasks/main.yml create mode 100644 roles/49-technitium-dns/install-app/tasks/main.yml create mode 100644 roles/49-technitium-dns/install-app/templates/docker-compose.yml create mode 100644 roles/49-technitium-dns/install-docker/tasks/main.yml create mode 100644 roles/49-technitium-dns/provision/create/tasks/main.yml create mode 100644 roles/49-technitium-dns/provision/delete/tasks/main.yml create mode 100644 roles/49-technitium-dns/provision/start/tasks/main.yml create mode 100644 roles/49-technitium-dns/update/tasks/main.yml create mode 100644 roles/50-technitium-dns-2/enable-ssh/tasks/main.yml create mode 100644 roles/50-technitium-dns-2/install-app/tasks/main.yml create mode 100644 roles/50-technitium-dns-2/install-app/templates/docker-compose.yml create mode 100644 roles/50-technitium-dns-2/install-docker/tasks/main.yml create mode 100644 roles/50-technitium-dns-2/provision/create/tasks/main.yml create mode 100644 roles/50-technitium-dns-2/provision/delete/tasks/main.yml create mode 100644 roles/50-technitium-dns-2/provision/start/tasks/main.yml create mode 100644 roles/50-technitium-dns-2/update/tasks/main.yml create mode 100644 roles/51-technitium-dns-3/enable-ssh/tasks/main.yml create mode 100644 roles/51-technitium-dns-3/install-app/tasks/main.yml create mode 100644 roles/51-technitium-dns-3/install-app/templates/docker-compose.yml create mode 100644 roles/51-technitium-dns-3/install-docker/tasks/main.yml create mode 100644 roles/51-technitium-dns-3/provision/create/tasks/main.yml create mode 100644 roles/51-technitium-dns-3/provision/delete/tasks/main.yml create mode 100644 roles/51-technitium-dns-3/provision/start/tasks/main.yml create mode 100644 roles/51-technitium-dns-3/update/tasks/main.yml 
diff --git a/inventory/my-cluster/group_vars/all.yml b/inventory/my-cluster/group_vars/all.yml
index 2413389..642a0d1 100644
--- a/inventory/my-cluster/group_vars/all.yml
+++ b/inventory/my-cluster/group_vars/all.yml
@@ -419,3 +419,13 @@ graylog_password_secret: !vault |
 34663031333031396239386361323539613837383230366165653664396135633563633265376333
 64346366386136383233613533386437376263653736333437373466353465333339373365376663
 336434663137336232636133623132653237
+
+technitium_web_admin: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 65313430343864303431623031393535376535666130306139626162336439383464333739623463
+ 3839323438323532636631643635653566643037643365610a313237633637613131376338356666
+ 35323230303636663265656664333632306365623733623232336631333032656638346538636431
+ 3931383564353136640a353634363338646437616565623766653330353662663263663138646531
+ 35613361306332616464336232323562643463366139313431336436653536393062663761356337
+ 66306532353138663762653338646339613038363035303064666433336333633531626666393239
+ 653738616662366532653061326632663333
diff --git a/inventory/my-cluster/host_vars/technitium-dns b/inventory/my-cluster/host_vars/technitium-dns
new file mode 100644
index 0000000..f4c7eef
--- /dev/null
+++ b/inventory/my-cluster/host_vars/technitium-dns
@@ -0,0 +1,6 @@
+---
+
+ansible_user: root
+ansible_host: 10.0.2.49
+ansible_ssh_pass: "{{ proxmox_api_password }}"
+vmid: 649
diff --git a/inventory/my-cluster/host_vars/technitium-dns-2 b/inventory/my-cluster/host_vars/technitium-dns-2
new file mode 100644
index 0000000..54c7f81
--- /dev/null
+++ b/inventory/my-cluster/host_vars/technitium-dns-2
@@ -0,0 +1,6 @@
+---
+
+ansible_user: root
+ansible_host: 10.0.2.50
+ansible_ssh_pass: "{{ proxmox_api_password }}"
+vmid: 650
diff --git a/inventory/my-cluster/host_vars/technitium-dns-3 b/inventory/my-cluster/host_vars/technitium-dns-3
new file mode 100644
index 0000000..1830bf2
--- /dev/null
+++ b/inventory/my-cluster/host_vars/technitium-dns-3
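Review bot: `ansible_ssh_pass: "{{ proxmox_api_password }}"` in host_vars/technitium-dns does not match the root password the create role sets on the container (`password: "{{ lxc_password }}"` in roles/49-technitium-dns/provision/create), so SSH into the new node only works if the two vaulted values happen to be identical — and if they are, the Proxmox root API credential doubles as the root login of a LAN-exposed DNS container. Use `ansible_ssh_pass: "{{ lxc_password }}"` or, better, drop the password and point `ansible_ssh_private_key_file` at a key injected at creation time. host_vars/technitium-dns-2 and host_vars/technitium-dns-3 carry the same line.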
@@ -0,0 +1,6 @@
+---
+
+ansible_user: root
+ansible_host: 10.0.2.51
+ansible_ssh_pass: "{{ proxmox_api_password }}"
+vmid: 651
diff --git a/inventory/my-cluster/hosts.ini b/inventory/my-cluster/hosts.ini
index 8b27e83..2dfb777 100644
--- a/inventory/my-cluster/hosts.ini
+++ b/inventory/my-cluster/hosts.ini
@@ -18,17 +18,20 @@ paperless minio outline #nginx-proxy-manager -upsnap +#upsnap #geoguessr ghostfolio -graylog -jellyfin +#graylog +#jellyfin convertx -nocodb +#nocodb super-productivity droposs ghost dawarich +technitium-dns +technitium-dns-2 +technitium-dns-3 [baremetal] mipha
diff --git a/playbook-49-technitium-dns.yml b/playbook-49-technitium-dns.yml
new file mode 100644
index 0000000..a9c4885
--- /dev/null
+++ b/playbook-49-technitium-dns.yml
@@ -0,0 +1,27 @@
+---
+- hosts: localhost
+ become: yes
+ roles:
+ - role: 49-technitium-dns/provision/delete
+ vars:
+ vmid: 649
+ - role: 49-technitium-dns/provision/create
+ vars:
+ vmid: 649
+ - role: 49-technitium-dns/provision/start
+ vars:
+ vmid: 649
+
+- hosts: mipha
+ become: yes
+ roles:
+ - role: 49-technitium-dns/enable-ssh
+ vars:
+ vmid: 649
+
+- hosts: technitium-dns
+ become: yes
+ roles:
+ - role: 49-technitium-dns/update
+ - role: 49-technitium-dns/install-docker
+ - role: 49-technitium-dns/install-app
diff --git a/playbook-50-technitium-dns-2.yml b/playbook-50-technitium-dns-2.yml
new file mode 100644
index 0000000..959163f
--- /dev/null
+++ b/playbook-50-technitium-dns-2.yml
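Review bot: The first play runs 49-technitium-dns/provision/delete unconditionally before create, so every invocation of this playbook destroys CT 649 — presumably together with its mp0 `/data` mount, where the server keeps its zones and settings — and rebuilds it from the template, which for a LAN resolver is an outage on each run. Guard the destructive play, e.g. `tags: [reprovision]` on the localhost play or `when: reprovision | default(false)` on the delete role. `become: yes` should be `become: true` (yamllint truthy) throughout. playbook-50 and playbook-51, and the three roles/NN-technitium-dns* trees, differ only in vmid, node, IP and storage; one role parametrised by the `vmid` the playbook already passes would remove the triplicated maintenance, and both of those playbooks share the points above.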
@@ -0,0 +1,27 @@
+---
+- hosts: localhost
+ become: yes
+ roles:
+ - role: 50-technitium-dns-2/provision/delete
+ vars:
+ vmid: 650
+ - role: 50-technitium-dns-2/provision/create
+ vars:
+ vmid: 650
+ - role: 50-technitium-dns-2/provision/start
+ vars:
+ vmid: 650
+
+- hosts: purah
+ become: yes
+ roles:
+ - role: 50-technitium-dns-2/enable-ssh
+ vars:
+ vmid: 650
+
+- hosts: technitium-dns-2
+ become: yes
+ roles:
+ - role: 50-technitium-dns-2/update
+ - role: 50-technitium-dns-2/install-docker
+ - role: 50-technitium-dns-2/install-app
diff --git a/playbook-51-technitium-dns-3.yml b/playbook-51-technitium-dns-3.yml
new file mode 100644
index 0000000..b068356
--- /dev/null
+++ b/playbook-51-technitium-dns-3.yml
@@ -0,0 +1,27 @@
+---
+- hosts: localhost
+ become: yes
+ roles:
+ - role: 51-technitium-dns-3/provision/delete
+ vars:
+ vmid: 651
+ - role: 51-technitium-dns-3/provision/create
+ vars:
+ vmid: 651
+ - role: 51-technitium-dns-3/provision/start
+ vars:
+ vmid: 651
+
+- hosts: sidon
+ become: yes
+ roles:
+ - role: 51-technitium-dns-3/enable-ssh
+ vars:
+ vmid: 651
+
+- hosts: technitium-dns-3
+ become: yes
+ roles:
+ - role: 51-technitium-dns-3/update
+ - role: 51-technitium-dns-3/install-docker
+ - role: 51-technitium-dns-3/install-app
diff --git a/roles/49-technitium-dns/enable-ssh/tasks/main.yml b/roles/49-technitium-dns/enable-ssh/tasks/main.yml
new file mode 100644
index 0000000..58e9986
--- /dev/null
+++ b/roles/49-technitium-dns/enable-ssh/tasks/main.yml
@@ -0,0 +1,12 @@
+---
+# Unable to use ansible.builtin.lineinfile, because we need to run this through the proxmox host (because SSH is not enabled duh)
+
+- name: Pause for 10 seconds to wait for SSH server
+ ansible.builtin.pause:
+ seconds: 10
+
+- name: Allow SSH into LXC
+ ansible.builtin.command: lxc-attach -n 649 -- sed -i "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g" /etc/ssh/sshd_config
+
+- name: Restart SSH Service
+ ansible.builtin.command: lxc-attach -n 649 service ssh restart
diff --git a/roles/49-technitium-dns/install-app/tasks/main.yml b/roles/49-technitium-dns/install-app/tasks/main.yml
new file mode 100644
index 0000000..3aa3110
--- /dev/null
+++ b/roles/49-technitium-dns/install-app/tasks/main.yml
@@ -0,0 +1,20 @@
+---
+- name: Create directory for docker-compose
+ ansible.builtin.file:
+ path: /root/docker/
+ state: directory
+ mode: "0755"
+
+- name: Copy docker-compose file
+ template:
+ src: "docker-compose.yml"
+ dest: /root/docker/docker-compose.yml
+ owner: root
+ group: root
+ mode: 0755
+
+- name: Run docker-compose
+ ansible.builtin.shell:
+ args:
+ cmd: docker compose up -d
+ chdir: /root/docker/
diff --git a/roles/49-technitium-dns/install-app/templates/docker-compose.yml b/roles/49-technitium-dns/install-app/templates/docker-compose.yml
new file mode 100644
index 0000000..5c39eae
--- /dev/null
+++ b/roles/49-technitium-dns/install-app/templates/docker-compose.yml
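Review bot: The sed in "Allow SSH into LXC" switches sshd to `PermitRootLogin yes`, which combined with the password-only login in host_vars leaves root password authentication reachable from the whole LAN on a privileged container; passing the operator's key as `pubkey:` in the community.general.proxmox create task keeps the Debian default `prohibit-password` and makes this role unnecessary. If the role stays, the container id is hard-coded as `649` although the playbook already passes `vmid: 649`, and the second task omits the `--` separator the first one uses: `ansible.builtin.command: lxc-attach -n {{ vmid }} -- service ssh restart`. The fixed 10-second pause is a race against the container's boot; `ansible.builtin.wait_for` on port 22 of the container address is deterministic. roles/50-technitium-dns-2/enable-ssh and roles/51-technitium-dns-3/enable-ssh have the same content with vmid 650 and 651.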
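Review bot: The compose file is written with `mode: 0755` — unquoted octal, and inconsistent with the quoted `"0755"` used for the directory a few lines above — although a compose file needs no execute bit and is the file into which `technitium_web_admin` would be rendered once the admin-password line is enabled; `mode: "0600"` is the appropriate value. "Run docker-compose" uses `ansible.builtin.shell` for a command with no shell features and reports changed on every run; `ansible.builtin.command` with the same `args` is enough, or `community.docker.docker_compose_v2` if that collection is available. roles/50-technitium-dns-2/install-app and roles/51-technitium-dns-3/install-app are byte-identical copies.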
@@ -0,0 +1,51 @@ +services: + dns-server: + container_name: dns-server + hostname: dns-server + image: technitium/dns-server:latest + # For DHCP deployments, use "host" network mode and remove all the port mappings, including the ports array by commenting them + # network_mode: "host" + ports: + - "5380:5380/tcp" #DNS web console (HTTP) + - "53443:53443/tcp" #DNS web console (HTTPS) + - "53:53/udp" #DNS service + - "53:53/tcp" #DNS service + # - "853:853/udp" #DNS-over-QUIC service + # - "853:853/tcp" #DNS-over-TLS service + # - "443:443/udp" #DNS-over-HTTPS service (HTTP/3) + # - "443:443/tcp" #DNS-over-HTTPS service (HTTP/1.1, HTTP/2) + # - "80:80/tcp" #DNS-over-HTTP service (use with reverse proxy or certbot certificate renewal) + # - "8053:8053/tcp" #DNS-over-HTTP service (use with reverse proxy) + # - "67:67/udp" #DHCP service + environment: + - DNS_SERVER_DOMAIN=mipha-dns #The primary domain name used by this DNS Server to identify itself. + # - DNS_SERVER_ADMIN_PASSWORD="{{ technitium_web_admin }}" #DNS web console admin user password. + # - DNS_SERVER_ADMIN_PASSWORD_FILE=password.txt #The path to a file that contains a plain text password for the DNS web console admin user. + # - DNS_SERVER_PREFER_IPV6=false #DNS Server will use IPv6 for querying whenever possible with this option enabled. + # - DNS_SERVER_WEB_SERVICE_LOCAL_ADDRESSES=172.17.0.1,127.0.0.1 #Comma separated list of network interface IP addresses that you want the web service to listen on for requests. The "172.17.0.1" address is the built-in Docker bridge. The "[::]" is the default value if not specified. Note! This must be used only with "host" network mode. + # - DNS_SERVER_WEB_SERVICE_HTTP_PORT=5380 #The TCP port number for the DNS web console over HTTP protocol. + # - DNS_SERVER_WEB_SERVICE_HTTPS_PORT=53443 #The TCP port number for the DNS web console over HTTPS protocol. + # - DNS_SERVER_WEB_SERVICE_ENABLE_HTTPS=false #Enables HTTPS for the DNS web console. 
+ # - DNS_SERVER_WEB_SERVICE_USE_SELF_SIGNED_CERT=false #Enables self signed TLS certificate for the DNS web console. + # - DNS_SERVER_WEB_SERVICE_TLS_CERTIFICATE_PATH=/etc/dns/tls/cert.pfx #The file path to the TLS certificate for the DNS web console. + # - DNS_SERVER_WEB_SERVICE_TLS_CERTIFICATE_PASSWORD=password #The password for the TLS certificate for the DNS web console. + # - DNS_SERVER_WEB_SERVICE_HTTP_TO_TLS_REDIRECT=false #Enables HTTP to HTTPS redirection for the DNS web console. + # - DNS_SERVER_OPTIONAL_PROTOCOL_DNS_OVER_HTTP=false #Enables DNS server optional protocol DNS-over-HTTP on TCP port 8053 to be used with a TLS terminating reverse proxy like nginx. + # - DNS_SERVER_RECURSION=AllowOnlyForPrivateNetworks #Recursion options: Allow, Deny, AllowOnlyForPrivateNetworks, UseSpecifiedNetworkACL. + # - DNS_SERVER_RECURSION_NETWORK_ACL=192.168.10.0/24, !192.168.10.2 #Comma separated list of IP addresses or network addresses to allow access. Add ! character at the start to deny access, e.g. !192.168.10.0/24 will deny entire subnet. The ACL is processed in the same order its listed. If no networks match, the default policy is to deny all except loopback. Valid only for `UseSpecifiedNetworkACL` recursion option. + # - DNS_SERVER_RECURSION_DENIED_NETWORKS=1.1.1.0/24 #Comma separated list of IP addresses or network addresses to deny recursion. Valid only for `UseSpecifiedNetworkACL` recursion option. This option is obsolete and DNS_SERVER_RECURSION_NETWORK_ACL should be used instead. + # - DNS_SERVER_RECURSION_ALLOWED_NETWORKS=127.0.0.1, 192.168.1.0/24 #Comma separated list of IP addresses or network addresses to allow recursion. Valid only for `UseSpecifiedNetworkACL` recursion option. This option is obsolete and DNS_SERVER_RECURSION_NETWORK_ACL should be used instead. + # - DNS_SERVER_ENABLE_BLOCKING=false #Sets the DNS server to block domain names using Blocked Zone and Block List Zone. 
+ # - DNS_SERVER_ALLOW_TXT_BLOCKING_REPORT=false #Specifies if the DNS Server should respond with TXT records containing a blocked domain report for TXT type requests. + # - DNS_SERVER_BLOCK_LIST_URLS= #A comma separated list of block list URLs. + # - DNS_SERVER_FORWARDERS=1.1.1.1, 8.8.8.8 #Comma separated list of forwarder addresses. + # - DNS_SERVER_FORWARDER_PROTOCOL=Tcp #Forwarder protocol options: Udp, Tcp, Tls, Https, HttpsJson. + # - DNS_SERVER_LOG_USING_LOCAL_TIME=true #Enable this option to use local time instead of UTC for logging. + volumes: + - /data:/etc/dns + restart: unless-stopped + sysctls: + - net.ipv4.ip_local_port_range=1024 65535 + +volumes: + config: diff --git a/roles/49-technitium-dns/install-docker/tasks/main.yml b/roles/49-technitium-dns/install-docker/tasks/main.yml new file mode 100644 index 0000000..d5baba9 --- /dev/null +++ b/roles/49-technitium-dns/install-docker/tasks/main.yml @@ -0,0 +1,27 @@ +--- +- name: Get convenience script + uri: + url: "https://get.docker.com" + method: GET + dest: /tmp/get-docker.sh + mode: a+x + creates: /tmp/get-docker.sh + +- name: Execute script + ansible.builtin.shell: /tmp/get-docker.sh + +- name: Ensure group "docker" exists + ansible.builtin.group: + name: docker + state: present + +- name: Add root user to docker group + ansible.builtin.user: + name: root + groups: docker + append: yes + +- name: Enable docker on startup + ansible.builtin.shell: | + systemctl enable docker.service + systemctl enable containerd.service diff --git a/roles/49-technitium-dns/provision/create/tasks/main.yml b/roles/49-technitium-dns/provision/create/tasks/main.yml new file mode 100644 index 0000000..c61233a --- /dev/null +++ b/roles/49-technitium-dns/provision/create/tasks/main.yml 
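Review bot: `DNS_SERVER_ADMIN_PASSWORD` stays commented out, so the vaulted `technitium_web_admin` added to group_vars/all.yml in this same commit is never used and the web console published on `5380:5380/tcp` to the LAN comes up with the image's default admin credentials. Prefer `DNS_SERVER_ADMIN_PASSWORD_FILE` pointing at a templated file under the `/data` bind mount (an environment variable is readable through `docker inspect`), or at minimum enable the line — noting that in list-form `environment:` the surrounding double quotes would most likely become part of the password value. `image: technitium/dns-server:latest` is unpinned, so each `docker compose up` on a rebuilt container may pull a different release, and the top-level `volumes: config:` is declared but never referenced by the service. The templates under roles/50-technitium-dns-2 and roles/51-technitium-dns-3 carry the same lines.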
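Review bot: "Get convenience script" fetches https://get.docker.com into world-writable `/tmp` and "Execute script" runs it as root with no checksum or signature check, and because `creates: /tmp/get-docker.sh` skips the download when the file already exists, whatever is at that path on a later run is what gets executed. Installing from Docker's apt repository with `ansible.builtin.deb822_repository` and `ansible.builtin.apt` is verifiable and idempotent; if the script stays, fetch it with `ansible.builtin.get_url` into a root-owned directory with `checksum: "sha256:<expected-digest>"` (placeholder until pinned) and give the execute task a `creates:` guard. "Enable docker on startup" can be two `ansible.builtin.systemd` tasks with `enabled: true` instead of a shell block, and `append: yes` should be `append: true`. The same role is duplicated under roles/50-technitium-dns-2 and roles/51-technitium-dns-3.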
@@ -0,0 +1,30 @@
+---
+- name: Create container
+ community.general.proxmox:
+ vmid: 649
+ node: mipha
+ api_user: root@pam
+ api_password: "{{ proxmox_api_password }}"
+ api_host: 10.0.2.2
+ password: "{{ lxc_password }}"
+ hostname: technitium-dns
+ ostemplate: "local:vztmpl/debian-12-standard_12.12-1_amd64.tar.zst"
+ netif: "{'net0':'name=eth0,\
+ gw=10.0.0.1,\
+ ip=10.0.2.49/21,\
+ hwaddr=cc:c6:cf:de:20:49,\
+ bridge=vmbr0'}"
+ cores: 2
+ memory: 4196
+ unprivileged: no
+ swap: 0
+ searchdomain: "home"
+ onboot: 1
+ features:
+ - nesting=1
+ - keyctl=1
+ disk: local-lvm:20
+ mounts: '{
+ "mp0":"local-lvm:10,mp=/data,backup=1"
+ }'
+ force: yes
diff --git a/roles/49-technitium-dns/provision/delete/tasks/main.yml b/roles/49-technitium-dns/provision/delete/tasks/main.yml
new file mode 100644
index 0000000..67f6eb8
--- /dev/null
+++ b/roles/49-technitium-dns/provision/delete/tasks/main.yml
@@ -0,0 +1,27 @@
+---
+- name: Stop container
+ community.general.proxmox:
+ vmid: "{{ vmid }}"
+ api_user: root@pam
+ api_password: "{{ proxmox_api_password }}"
+ api_host: 10.0.2.2
+ state: stopped
+ ignore_errors: true
+ timeout: 90
+
+- name: Remove containers
+ community.general.proxmox:
+ vmid: "{{ vmid }}"
+ api_user: root@pam
+ api_password: "{{ proxmox_api_password }}"
+ api_host: 10.0.2.2
+ state: absent
+ ignore_errors: true
+ timeout: 90
+
+- name: Remove .ssh/known_hosts lines
+ ansible.builtin.lineinfile:
+ path: /Users/lino.silva/.ssh/known_hosts
+ state: absent
+ regexp: "^10.0.2.49"
+
diff --git a/roles/49-technitium-dns/provision/start/tasks/main.yml b/roles/49-technitium-dns/provision/start/tasks/main.yml
new file mode 100644
index 0000000..de86b9b
--- /dev/null
+++ b/roles/49-technitium-dns/provision/start/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+- name: Start deployments
+ community.general.proxmox:
+ vmid: "{{ vmid }}"
+ api_user: root@pam
+ api_password: "{{ proxmox_api_password }}"
+ api_host: 10.0.2.2
+ state: started
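Review bot: `unprivileged: no` creates a privileged container for a service that listens on the LAN on 53 and 5380, so a compromise of the DNS container is effectively a root compromise of node mipha; Docker inside an unprivileged CT generally works with the `nesting=1` and `keyctl=1` features already set here — confirm on this Proxmox release and switch to `unprivileged: true`. `vmid: 649` and `hostname: technitium-dns` are hard-coded although the playbook passes `vmid: 649` and the sibling delete/start roles use `"{{ vmid }}"`; keeping them consistent is what makes the role reusable. `memory: 4196` reads like a typo for 4096, and `force: yes` should be `force: true`. The create tasks under roles/50-technitium-dns-2 and roles/51-technitium-dns-3 have the same issues with vmid 650 and 651.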
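Review bot: `ignore_errors: true` on both the stop and the remove task hides every failure (bad credentials, unreachable API, container still running), after which the create task runs with `force: yes` against whatever state is left. Restrict it with `failed_when` to the does-not-exist case, or gate both tasks on a prior existence check. The known_hosts cleanup is bound to `/Users/lino.silva/.ssh/known_hosts` and to a regexp whose dots are unescaped; `ansible.builtin.known_hosts` with `name: 10.0.2.49`, `state: absent` and `path: "{{ lookup('env', 'HOME') }}/.ssh/known_hosts"` is portable across operators and should also match hashed entries, which the lineinfile regexp never will. The delete tasks under roles/50-technitium-dns-2 and roles/51-technitium-dns-3 are identical apart from the IP.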
diff --git a/roles/49-technitium-dns/update/tasks/main.yml b/roles/49-technitium-dns/update/tasks/main.yml new file mode 100644 index 0000000..8227bf4 --- /dev/null +++ b/roles/49-technitium-dns/update/tasks/main.yml @@ -0,0 +1,6 @@ +--- +- name: Update all packages to their latest version + become: true + ansible.builtin.apt: + update_cache: yes + upgrade: full diff --git a/roles/50-technitium-dns-2/enable-ssh/tasks/main.yml b/roles/50-technitium-dns-2/enable-ssh/tasks/main.yml new file mode 100644 index 0000000..27371e7 --- /dev/null +++ b/roles/50-technitium-dns-2/enable-ssh/tasks/main.yml @@ -0,0 +1,12 @@ +--- +# Unable to use ansible.builtin.lineinfile, because we need to run this through the proxmox host (because SSH is not enabled duh) + +- name: Pause for 10 seconds to wait for SSH server + ansible.builtin.pause: + seconds: 10 + +- name: Allow SSH into LXC + ansible.builtin.command: lxc-attach -n 650 -- sed -i "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g" /etc/ssh/sshd_config + +- name: Restart SSH Service + ansible.builtin.command: lxc-attach -n 650 service ssh restart diff --git a/roles/50-technitium-dns-2/install-app/tasks/main.yml b/roles/50-technitium-dns-2/install-app/tasks/main.yml new file mode 100644 index 0000000..3aa3110 --- /dev/null +++ b/roles/50-technitium-dns-2/install-app/tasks/main.yml @@ -0,0 +1,20 @@ +--- +- name: Create directory for docker-compose + ansible.builtin.file: + path: /root/docker/ + state: directory + mode: "0755" + +- name: Copy docker-compose file + template: + src: "docker-compose.yml" + dest: /root/docker/docker-compose.yml + owner: root + group: root + mode: 0755 + +- name: Run docker-compose + ansible.builtin.shell: + args: + cmd: docker compose up -d + chdir: /root/docker/ diff --git a/roles/50-technitium-dns-2/install-app/templates/docker-compose.yml b/roles/50-technitium-dns-2/install-app/templates/docker-compose.yml new file mode 100644 index 0000000..9a2318f --- /dev/null 
+++ b/roles/50-technitium-dns-2/install-app/templates/docker-compose.yml 
@@ -0,0 +1,51 @@ +services: + dns-server: + container_name: dns-server + hostname: dns-server + image: technitium/dns-server:latest + # For DHCP deployments, use "host" network mode and remove all the port mappings, including the ports array by commenting them + # network_mode: "host" + ports: + - "5380:5380/tcp" #DNS web console (HTTP) + - "53443:53443/tcp" #DNS web console (HTTPS) + - "53:53/udp" #DNS service + - "53:53/tcp" #DNS service + # - "853:853/udp" #DNS-over-QUIC service + # - "853:853/tcp" #DNS-over-TLS service + # - "443:443/udp" #DNS-over-HTTPS service (HTTP/3) + # - "443:443/tcp" #DNS-over-HTTPS service (HTTP/1.1, HTTP/2) + # - "80:80/tcp" #DNS-over-HTTP service (use with reverse proxy or certbot certificate renewal) + # - "8053:8053/tcp" #DNS-over-HTTP service (use with reverse proxy) + # - "67:67/udp" #DHCP service + environment: + - DNS_SERVER_DOMAIN=purah-dns #The primary domain name used by this DNS Server to identify itself. + # - DNS_SERVER_ADMIN_PASSWORD="{{ technitium_web_admin }}" #DNS web console admin user password. + # - DNS_SERVER_ADMIN_PASSWORD_FILE=password.txt #The path to a file that contains a plain text password for the DNS web console admin user. + # - DNS_SERVER_PREFER_IPV6=false #DNS Server will use IPv6 for querying whenever possible with this option enabled. + # - DNS_SERVER_WEB_SERVICE_LOCAL_ADDRESSES=172.17.0.1,127.0.0.1 #Comma separated list of network interface IP addresses that you want the web service to listen on for requests. The "172.17.0.1" address is the built-in Docker bridge. The "[::]" is the default value if not specified. Note! This must be used only with "host" network mode. + # - DNS_SERVER_WEB_SERVICE_HTTP_PORT=5380 #The TCP port number for the DNS web console over HTTP protocol. + # - DNS_SERVER_WEB_SERVICE_HTTPS_PORT=53443 #The TCP port number for the DNS web console over HTTPS protocol. + # - DNS_SERVER_WEB_SERVICE_ENABLE_HTTPS=false #Enables HTTPS for the DNS web console. 
+ # - DNS_SERVER_WEB_SERVICE_USE_SELF_SIGNED_CERT=false #Enables self signed TLS certificate for the DNS web console. + # - DNS_SERVER_WEB_SERVICE_TLS_CERTIFICATE_PATH=/etc/dns/tls/cert.pfx #The file path to the TLS certificate for the DNS web console. + # - DNS_SERVER_WEB_SERVICE_TLS_CERTIFICATE_PASSWORD=password #The password for the TLS certificate for the DNS web console. + # - DNS_SERVER_WEB_SERVICE_HTTP_TO_TLS_REDIRECT=false #Enables HTTP to HTTPS redirection for the DNS web console. + # - DNS_SERVER_OPTIONAL_PROTOCOL_DNS_OVER_HTTP=false #Enables DNS server optional protocol DNS-over-HTTP on TCP port 8053 to be used with a TLS terminating reverse proxy like nginx. + # - DNS_SERVER_RECURSION=AllowOnlyForPrivateNetworks #Recursion options: Allow, Deny, AllowOnlyForPrivateNetworks, UseSpecifiedNetworkACL. + # - DNS_SERVER_RECURSION_NETWORK_ACL=192.168.10.0/24, !192.168.10.2 #Comma separated list of IP addresses or network addresses to allow access. Add ! character at the start to deny access, e.g. !192.168.10.0/24 will deny entire subnet. The ACL is processed in the same order its listed. If no networks match, the default policy is to deny all except loopback. Valid only for `UseSpecifiedNetworkACL` recursion option. + # - DNS_SERVER_RECURSION_DENIED_NETWORKS=1.1.1.0/24 #Comma separated list of IP addresses or network addresses to deny recursion. Valid only for `UseSpecifiedNetworkACL` recursion option. This option is obsolete and DNS_SERVER_RECURSION_NETWORK_ACL should be used instead. + # - DNS_SERVER_RECURSION_ALLOWED_NETWORKS=127.0.0.1, 192.168.1.0/24 #Comma separated list of IP addresses or network addresses to allow recursion. Valid only for `UseSpecifiedNetworkACL` recursion option. This option is obsolete and DNS_SERVER_RECURSION_NETWORK_ACL should be used instead. + # - DNS_SERVER_ENABLE_BLOCKING=false #Sets the DNS server to block domain names using Blocked Zone and Block List Zone. 
+ # - DNS_SERVER_ALLOW_TXT_BLOCKING_REPORT=false #Specifies if the DNS Server should respond with TXT records containing a blocked domain report for TXT type requests. + # - DNS_SERVER_BLOCK_LIST_URLS= #A comma separated list of block list URLs. + # - DNS_SERVER_FORWARDERS=1.1.1.1, 8.8.8.8 #Comma separated list of forwarder addresses. + # - DNS_SERVER_FORWARDER_PROTOCOL=Tcp #Forwarder protocol options: Udp, Tcp, Tls, Https, HttpsJson. + # - DNS_SERVER_LOG_USING_LOCAL_TIME=true #Enable this option to use local time instead of UTC for logging. + volumes: + - /data:/etc/dns + restart: unless-stopped + sysctls: + - net.ipv4.ip_local_port_range=1024 65535 + +volumes: + config: diff --git a/roles/50-technitium-dns-2/install-docker/tasks/main.yml b/roles/50-technitium-dns-2/install-docker/tasks/main.yml new file mode 100644 index 0000000..d5baba9 --- /dev/null +++ b/roles/50-technitium-dns-2/install-docker/tasks/main.yml @@ -0,0 +1,27 @@ +--- +- name: Get convenience script + uri: + url: "https://get.docker.com" + method: GET + dest: /tmp/get-docker.sh + mode: a+x + creates: /tmp/get-docker.sh + +- name: Execute script + ansible.builtin.shell: /tmp/get-docker.sh + +- name: Ensure group "docker" exists + ansible.builtin.group: + name: docker + state: present + +- name: Add root user to docker group + ansible.builtin.user: + name: root + groups: docker + append: yes + +- name: Enable docker on startup + ansible.builtin.shell: | + systemctl enable docker.service + systemctl enable containerd.service diff --git a/roles/50-technitium-dns-2/provision/create/tasks/main.yml b/roles/50-technitium-dns-2/provision/create/tasks/main.yml new file mode 100644 index 0000000..21c4172 --- /dev/null +++ b/roles/50-technitium-dns-2/provision/create/tasks/main.yml 
@@ -0,0 +1,30 @@ +--- +- name: Create container + community.general.proxmox: + vmid: 650 + node: purah + api_user: root@pam + api_password: "{{ proxmox_api_password }}" + api_host: 10.0.2.2 + password: "{{ lxc_password }}" + hostname: technitium-dns-2 + ostemplate: "local:vztmpl/debian-12-standard_12.12-1_amd64.tar.zst" + netif: "{'net0':'name=eth0,\ + gw=10.0.0.1,\ + ip=10.0.2.50/21,\ + hwaddr=cc:c6:cf:de:20:50,\ + bridge=vmbr0'}" + cores: 2 + memory: 4196 + unprivileged: no + swap: 0 + searchdomain: "home" + onboot: 1 + features: + - nesting=1 + - keyctl=1 + disk: purah-mirror-860gb:20 + mounts: '{ + "mp0":"purah-mirror-860gb:10,mp=/data,backup=1" + }' + force: yes diff --git a/roles/50-technitium-dns-2/provision/delete/tasks/main.yml b/roles/50-technitium-dns-2/provision/delete/tasks/main.yml new file mode 100644 index 0000000..eceb29d --- /dev/null +++ b/roles/50-technitium-dns-2/provision/delete/tasks/main.yml @@ -0,0 +1,27 @@ +--- +- name: Stop container + community.general.proxmox: + vmid: "{{ vmid }}" + api_user: root@pam + api_password: "{{ proxmox_api_password }}" + api_host: 10.0.2.2 + state: stopped + ignore_errors: true + timeout: 90 + +- name: Remove containers + community.general.proxmox: + vmid: "{{ vmid }}" + api_user: root@pam + api_password: "{{ proxmox_api_password }}" + api_host: 10.0.2.2 + state: absent + ignore_errors: true + timeout: 90 + +- name: Remove .ssh/known_hosts lines + ansible.builtin.lineinfile: + path: /Users/lino.silva/.ssh/known_hosts + state: absent + regexp: "^10.0.2.50" + diff --git a/roles/50-technitium-dns-2/provision/start/tasks/main.yml b/roles/50-technitium-dns-2/provision/start/tasks/main.yml new file mode 100644 index 0000000..de86b9b --- /dev/null +++ b/roles/50-technitium-dns-2/provision/start/tasks/main.yml @@ -0,0 +1,8 @@ +--- +- name: Start deployments + community.general.proxmox: + vmid: "{{ vmid }}" + api_user: root@pam + api_password: "{{ proxmox_api_password }}" + api_host: 10.0.2.2 + state: started 
diff --git a/roles/50-technitium-dns-2/update/tasks/main.yml b/roles/50-technitium-dns-2/update/tasks/main.yml new file mode 100644 index 0000000..8227bf4 --- /dev/null +++ b/roles/50-technitium-dns-2/update/tasks/main.yml @@ -0,0 +1,6 @@ +--- +- name: Update all packages to their latest version + become: true + ansible.builtin.apt: + update_cache: yes + upgrade: full diff --git a/roles/51-technitium-dns-3/enable-ssh/tasks/main.yml b/roles/51-technitium-dns-3/enable-ssh/tasks/main.yml new file mode 100644 index 0000000..9bd88ad --- /dev/null +++ b/roles/51-technitium-dns-3/enable-ssh/tasks/main.yml @@ -0,0 +1,12 @@ +--- +# Unable to use ansible.builtin.lineinfile, because we need to run this through the proxmox host (because SSH is not enabled duh) + +- name: Pause for 10 seconds to wait for SSH server + ansible.builtin.pause: + seconds: 10 + +- name: Allow SSH into LXC + ansible.builtin.command: lxc-attach -n 651 -- sed -i "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g" /etc/ssh/sshd_config + +- name: Restart SSH Service + ansible.builtin.command: lxc-attach -n 651 service ssh restart diff --git a/roles/51-technitium-dns-3/install-app/tasks/main.yml b/roles/51-technitium-dns-3/install-app/tasks/main.yml new file mode 100644 index 0000000..3aa3110 --- /dev/null +++ b/roles/51-technitium-dns-3/install-app/tasks/main.yml @@ -0,0 +1,20 @@ +--- +- name: Create directory for docker-compose + ansible.builtin.file: + path: /root/docker/ + state: directory + mode: "0755" + +- name: Copy docker-compose file + template: + src: "docker-compose.yml" + dest: /root/docker/docker-compose.yml + owner: root + group: root + mode: 0755 + +- name: Run docker-compose + ansible.builtin.shell: + args: + cmd: docker compose up -d + chdir: /root/docker/ diff --git a/roles/51-technitium-dns-3/install-app/templates/docker-compose.yml b/roles/51-technitium-dns-3/install-app/templates/docker-compose.yml new file mode 100644 index 0000000..5c26b9a --- /dev/null 
+++ b/roles/51-technitium-dns-3/install-app/templates/docker-compose.yml 
@@ -0,0 +1,51 @@ +services: + dns-server: + container_name: dns-server + hostname: dns-server + image: technitium/dns-server:latest + # For DHCP deployments, use "host" network mode and remove all the port mappings, including the ports array by commenting them + # network_mode: "host" + ports: + - "5380:5380/tcp" #DNS web console (HTTP) + - "53443:53443/tcp" #DNS web console (HTTPS) + - "53:53/udp" #DNS service + - "53:53/tcp" #DNS service + # - "853:853/udp" #DNS-over-QUIC service + # - "853:853/tcp" #DNS-over-TLS service + # - "443:443/udp" #DNS-over-HTTPS service (HTTP/3) + # - "443:443/tcp" #DNS-over-HTTPS service (HTTP/1.1, HTTP/2) + # - "80:80/tcp" #DNS-over-HTTP service (use with reverse proxy or certbot certificate renewal) + # - "8053:8053/tcp" #DNS-over-HTTP service (use with reverse proxy) + # - "67:67/udp" #DHCP service + environment: + - DNS_SERVER_DOMAIN=sidon-dns #The primary domain name used by this DNS Server to identify itself. + # - DNS_SERVER_ADMIN_PASSWORD="{{ technitium_web_admin }}" #DNS web console admin user password. + # - DNS_SERVER_ADMIN_PASSWORD_FILE=password.txt #The path to a file that contains a plain text password for the DNS web console admin user. + # - DNS_SERVER_PREFER_IPV6=false #DNS Server will use IPv6 for querying whenever possible with this option enabled. + # - DNS_SERVER_WEB_SERVICE_LOCAL_ADDRESSES=172.17.0.1,127.0.0.1 #Comma separated list of network interface IP addresses that you want the web service to listen on for requests. The "172.17.0.1" address is the built-in Docker bridge. The "[::]" is the default value if not specified. Note! This must be used only with "host" network mode. + # - DNS_SERVER_WEB_SERVICE_HTTP_PORT=5380 #The TCP port number for the DNS web console over HTTP protocol. + # - DNS_SERVER_WEB_SERVICE_HTTPS_PORT=53443 #The TCP port number for the DNS web console over HTTPS protocol. + # - DNS_SERVER_WEB_SERVICE_ENABLE_HTTPS=false #Enables HTTPS for the DNS web console. 
+ # - DNS_SERVER_WEB_SERVICE_USE_SELF_SIGNED_CERT=false #Enables self signed TLS certificate for the DNS web console. + # - DNS_SERVER_WEB_SERVICE_TLS_CERTIFICATE_PATH=/etc/dns/tls/cert.pfx #The file path to the TLS certificate for the DNS web console. + # - DNS_SERVER_WEB_SERVICE_TLS_CERTIFICATE_PASSWORD=password #The password for the TLS certificate for the DNS web console. + # - DNS_SERVER_WEB_SERVICE_HTTP_TO_TLS_REDIRECT=false #Enables HTTP to HTTPS redirection for the DNS web console. + # - DNS_SERVER_OPTIONAL_PROTOCOL_DNS_OVER_HTTP=false #Enables DNS server optional protocol DNS-over-HTTP on TCP port 8053 to be used with a TLS terminating reverse proxy like nginx. + # - DNS_SERVER_RECURSION=AllowOnlyForPrivateNetworks #Recursion options: Allow, Deny, AllowOnlyForPrivateNetworks, UseSpecifiedNetworkACL. + # - DNS_SERVER_RECURSION_NETWORK_ACL=192.168.10.0/24, !192.168.10.2 #Comma separated list of IP addresses or network addresses to allow access. Add ! character at the start to deny access, e.g. !192.168.10.0/24 will deny entire subnet. The ACL is processed in the same order its listed. If no networks match, the default policy is to deny all except loopback. Valid only for `UseSpecifiedNetworkACL` recursion option. + # - DNS_SERVER_RECURSION_DENIED_NETWORKS=1.1.1.0/24 #Comma separated list of IP addresses or network addresses to deny recursion. Valid only for `UseSpecifiedNetworkACL` recursion option. This option is obsolete and DNS_SERVER_RECURSION_NETWORK_ACL should be used instead. + # - DNS_SERVER_RECURSION_ALLOWED_NETWORKS=127.0.0.1, 192.168.1.0/24 #Comma separated list of IP addresses or network addresses to allow recursion. Valid only for `UseSpecifiedNetworkACL` recursion option. This option is obsolete and DNS_SERVER_RECURSION_NETWORK_ACL should be used instead. + # - DNS_SERVER_ENABLE_BLOCKING=false #Sets the DNS server to block domain names using Blocked Zone and Block List Zone. 
+ # - DNS_SERVER_ALLOW_TXT_BLOCKING_REPORT=false #Specifies if the DNS Server should respond with TXT records containing a blocked domain report for TXT type requests. + # - DNS_SERVER_BLOCK_LIST_URLS= #A comma separated list of block list URLs. + # - DNS_SERVER_FORWARDERS=1.1.1.1, 8.8.8.8 #Comma separated list of forwarder addresses. + # - DNS_SERVER_FORWARDER_PROTOCOL=Tcp #Forwarder protocol options: Udp, Tcp, Tls, Https, HttpsJson. + # - DNS_SERVER_LOG_USING_LOCAL_TIME=true #Enable this option to use local time instead of UTC for logging. + volumes: + - /data:/etc/dns + restart: unless-stopped + sysctls: + - net.ipv4.ip_local_port_range=1024 65535 + +volumes: + config: diff --git a/roles/51-technitium-dns-3/install-docker/tasks/main.yml b/roles/51-technitium-dns-3/install-docker/tasks/main.yml new file mode 100644 index 0000000..d5baba9 --- /dev/null +++ b/roles/51-technitium-dns-3/install-docker/tasks/main.yml @@ -0,0 +1,27 @@ +--- +- name: Get convenience script + uri: + url: "https://get.docker.com" + method: GET + dest: /tmp/get-docker.sh + mode: a+x + creates: /tmp/get-docker.sh + +- name: Execute script + ansible.builtin.shell: /tmp/get-docker.sh + +- name: Ensure group "docker" exists + ansible.builtin.group: + name: docker + state: present + +- name: Add root user to docker group + ansible.builtin.user: + name: root + groups: docker + append: yes + +- name: Enable docker on startup + ansible.builtin.shell: | + systemctl enable docker.service + systemctl enable containerd.service diff --git a/roles/51-technitium-dns-3/provision/create/tasks/main.yml b/roles/51-technitium-dns-3/provision/create/tasks/main.yml new file mode 100644 index 0000000..3959e11 --- /dev/null +++ b/roles/51-technitium-dns-3/provision/create/tasks/main.yml 
@@ -0,0 +1,30 @@
+---
+- name: Create container
+ community.general.proxmox:
+ vmid: 651
+ node: sidon
+ api_user: root@pam
+ api_password: "{{ proxmox_api_password }}"
+ api_host: 10.0.2.2
+ password: "{{ lxc_password }}"
+ hostname: technitium-dns-3
+ ostemplate: "local:vztmpl/debian-12-standard_12.12-1_amd64.tar.zst"
+ netif: "{'net0':'name=eth0,\
+ gw=10.0.0.1,\
+ ip=10.0.2.51/21,\
+ hwaddr=cc:c6:cf:de:20:51,\
+ bridge=vmbr0'}"
+ cores: 2
+ memory: 4196
+ unprivileged: no
+ swap: 0
+ searchdomain: "home"
+ onboot: 1
+ features:
+ - nesting=1
+ - keyctl=1
+ disk: rest:20
+ mounts: '{
+ "mp0":"rest:10,mp=/data,backup=1"
+ }'
+ force: yes
diff --git a/roles/51-technitium-dns-3/provision/delete/tasks/main.yml b/roles/51-technitium-dns-3/provision/delete/tasks/main.yml
new file mode 100644
index 0000000..53c435b
--- /dev/null
+++ b/roles/51-technitium-dns-3/provision/delete/tasks/main.yml
@@ -0,0 +1,27 @@
+---
+- name: Stop container
+ community.general.proxmox:
+ vmid: "{{ vmid }}"
+ api_user: root@pam
+ api_password: "{{ proxmox_api_password }}"
+ api_host: 10.0.2.2
+ state: stopped
+ ignore_errors: true
+ timeout: 90
+
+- name: Remove containers
+ community.general.proxmox:
+ vmid: "{{ vmid }}"
+ api_user: root@pam
+ api_password: "{{ proxmox_api_password }}"
+ api_host: 10.0.2.2
+ state: absent
+ ignore_errors: true
+ timeout: 90
+
+- name: Remove .ssh/known_hosts lines
+ ansible.builtin.lineinfile:
+ path: /Users/lino.silva/.ssh/known_hosts
+ state: absent
+ regexp: "^10.0.2.51"
+
diff --git a/roles/51-technitium-dns-3/provision/start/tasks/main.yml b/roles/51-technitium-dns-3/provision/start/tasks/main.yml
new file mode 100644
index 0000000..de86b9b
--- /dev/null
+++ b/roles/51-technitium-dns-3/provision/start/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+- name: Start deployments
+ community.general.proxmox:
+ vmid: "{{ vmid }}"
+ api_user: root@pam
+ api_password: "{{ proxmox_api_password }}"
+ api_host: 10.0.2.2
+ state: started
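Review bot: `unprivileged: no` creates a privileged LXC for a network-facing DNS resolver, so a compromise of the container (or of the Docker daemon running inside it) gives root on the Proxmox host, since uid 0 in a privileged container is host uid 0. The `nesting=1` and `keyctl=1` features already listed are the ones Proxmox documents for running Docker inside an unprivileged container, so `unprivileged: true` should be viable here; this is worth verifying with the `/data` mount point, which may need an idmap or an ownership fix for the unprivileged uid range. The same hunk authenticates to the Proxmox API as `root@pam` with a password; a dedicated API token bound to a role limited to VM.Allocate/VM.Config on this node would contain the blast radius of a leaked `proxmox_api_password`, though I cannot see how that variable is stored from this diff. Two smaller points: `unprivileged: no` and `force: yes` should be written `false`/`true` to avoid YAML 1.1 truthy ambiguity, and `memory: 4196` looks like a typo for 4096.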
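Review bot: The "Remove .ssh/known_hosts lines" task uses `regexp: "^10.0.2.51"`, where the dots are unescaped and the pattern has no terminator, so it also removes unrelated entries such as one for 10.0.2.510 or any host string matching `10.0.2.51` with arbitrary characters in the dot positions; it also silently does nothing when known_hosts is hashed, leaving a stale host key that will trigger a mismatch warning when the rebuilt container presents a new key. Replace the lineinfile task with `ansible.builtin.known_hosts:` / `name: 10.0.2.51` / `state: absent`, which handles hashed entries and drops the hard-coded `/Users/lino.silva/.ssh/known_hosts` path that ties this role to one operator's workstation. Also note the stop/remove tasks act on `"{{ vmid }}"` while the create hunk hard-codes `vmid: 651`; if the host_vars value ever diverges from 651, this role would stop and destroy a different container, and `ignore_errors: true` would hide the mismatch — I cannot see the host_vars content from this diff, so please confirm they agree.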
diff --git a/roles/51-technitium-dns-3/update/tasks/main.yml b/roles/51-technitium-dns-3/update/tasks/main.yml
new file mode 100644
index 0000000..8227bf4
--- /dev/null
+++ b/roles/51-technitium-dns-3/update/tasks/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Update all packages to their latest version
+ become: true
+ ansible.builtin.apt:
+ update_cache: yes
+ upgrade: full
