From 3eeb253e55bc9ac8b92b03929557d123531e6291 Mon Sep 17 00:00:00 2001 From: Franziska Kunsmann Date: Sun, 13 Dec 2020 14:59:44 +0100 Subject: [PATCH] bundles/unbound: introduce, add to nodes --- bundles/unbound/files/unbound.conf | 44 ++++++++++++++++++++++++++++++ bundles/unbound/items.py | 44 ++++++++++++++++++++++++++++++ bundles/unbound/metadata.py | 42 ++++++++++++++++++++++++++++ groups/locations.py | 3 -- nodes/home/router.py | 19 ++++++------- nodes/htz-cloud/pirmasens.py | 1 + nodes/htz/ex42-1048908.py | 1 + 7 files changed, 141 insertions(+), 13 deletions(-) create mode 100644 bundles/unbound/files/unbound.conf create mode 100644 bundles/unbound/items.py create mode 100644 bundles/unbound/metadata.py diff --git a/bundles/unbound/files/unbound.conf b/bundles/unbound/files/unbound.conf new file mode 100644 index 0000000..8152448 --- /dev/null +++ b/bundles/unbound/files/unbound.conf @@ -0,0 +1,44 @@ +server: + # provided by pkg_apt:unbound-anchor + auto-trust-anchor-file: "/var/lib/unbound/root.key" + + verbosity: 0 + +% if node.has_bundle('netdata'): + statistics-interval: 5 + extended-statistics: yes +% else: + statistics-interval: 300 +% endif + statistics-cumulative: no + + num-threads: ${threads} + +% if node.has_bundle('iptables'): + # Use iptables to manage access to this service + interface: 0.0.0.0 + interface: ::0 + access-control: 0.0.0.0/0 allow + access-control: ::/0 allow +% else: + interface: 127.0.0.1 + interface: ::1 + access-control: 127.0.0.1 allow + access-control: ::1 allow +% endif + + cache-max-ttl: ${max_ttl} + + use-syslog: yes + log-queries: no + + root-hints: "/etc/unbound/root-hints.txt" + + tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt" + +remote-control: +% if node.has_bundle('netdata'): + control-enable: yes +% else: + control-enable: no +% endif diff --git a/bundles/unbound/items.py b/bundles/unbound/items.py new file mode 100644 index 0000000..00a3387 --- /dev/null +++ b/bundles/unbound/items.py @@ -0,0 +1,44 @@ +files = { + '/etc/unbound/unbound.conf': { + 'content_type': 'mako', + 'context': node.metadata['unbound'], + 'triggers': { + 'svc_systemd:unbound:restart', + }, + }, +} + +actions = { + 'unbound_generate_certificates': { + 'command': 'unbound-control-setup', + 'unless': 'test -f /etc/unbound/unbound_server.key', + 'needs': { + 'pkg_apt:unbound', + 'pkg_apt:unbound-anchor', + }, + }, + 'unbound_download_root_hints': { + 'command': 'wget -O/etc/unbound/root-hints.txt https://www.internic.net/domain/named.root', + 'unless': 'test -f /etc/unbound/root-hints.txt', + 'needs': { + 'pkg_apt:unbound', + }, + }, +} + +svc_systemd = { + 'unbound': { + 'needs': { + 'action:unbound_generate_certificates', + 'action:unbound_download_root_hints', + 'file:/etc/unbound/unbound.conf', + 'pkg_apt:unbound', + 'pkg_apt:unbound-anchor', + }, + }, +} + +if node.has_bundle('systemd-networkd'): + svc_systemd['unbound']['needed_by'] = { + 'file:/etc/resolv.conf', + } diff --git a/bundles/unbound/metadata.py b/bundles/unbound/metadata.py new file mode 100644 index 0000000..e47a5f5 --- /dev/null +++ b/bundles/unbound/metadata.py @@ -0,0 +1,42 @@ +defaults = { + 'apt': { + 'packages': { + 'unbound': {}, + 'unbound-anchor': {}, + }, + }, + 'nameservers': { + '127.0.0.1', + }, + 'unbound': { + 'max_ttl': 3600, + }, +} + + +@metadata_reactor +def cpu_cores_to_threads(metadata): + return { + 'unbound': { + 'threads': metadata.get('vm/cpu', 1)*2, + }, + } + + +@metadata_reactor +def iptables(metadata): + interfaces = metadata.get('unbound/restrict-to-interfaces', set()) + iptables = [] + + for iface in sorted(interfaces): + iptables.append(f'iptables -A INPUT -i {iface} -p tcp --dport 53 -j ACCEPT') + iptables.append(f'iptables -A INPUT -i {iface} -p udp --dport 53 -j ACCEPT') + + return { + 'iptables': { + 'bundle_rules': { + 'unbound': iptables, + }, + }, + } + diff --git a/groups/locations.py b/groups/locations.py index 7b9a24e..beecc51 100644 --- a/groups/locations.py +++ b/groups/locations.py @@ -54,9 +54,6 @@ groups['home'] = { }, 'metadata': { 'location': 'home', -# 'nameservers': { -# '172.19.138.1', -# }, 'icinga_options': { 'vars.notification.sms': False, }, diff --git a/nodes/home/router.py b/nodes/home/router.py index 12d61e6..d139dc0 100644 --- a/nodes/home/router.py +++ b/nodes/home/router.py @@ -10,6 +10,7 @@ nodes['home.router'] = { 'openvpn-client', 'pppd', 'radvd', + 'unbound', 'vnstat', 'wide-dhcp6c', 'wireguard', @@ -53,7 +54,7 @@ nodes['home.router'] = { 'interface': 'enp1s0.42', 'options': { 'routers': '172.19.138.1', - 'domain-name-servers': '8.8.8.8, 8.8.4.4', + 'domain-name-servers': '172.19.138.1', 'domain-name': 'franzi-home.kunbox.net', 'broadcast-address': '172.19.138.255', 'subnet-mask': '255.255.255.0', @@ -77,9 +78,6 @@ nodes['home.router'] = { 'iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE', ], }, - 'nameservers': atomic({ - '9.9.9.10', - }), 'netdata': { 'restrict-to-interfaces': { 'enp1s0.42', @@ -99,12 +97,7 @@ nodes['home.router'] = { 'radvd': { 'integrate-with-pppd': True, 'interfaces': { - 'enp1s0.42': { - 'rdnss': { - '2001:4860:4860::8888', - '2001:4860:4860::8844', - }, - }, + 'enp1s0.42': {}, }, }, 'pppd': { @@ -117,6 +110,12 @@ nodes['home.router'] = { 'password': vault.decrypt('encrypt$gAAAAABfr8Cq5M1hweeJTQAl0dLhFntdlw-QnkIYUQpY-_ycODVWOpyeAwjwOgWLSdsdXIUvqcoiXPZPV-BE12p5C42NGnj9r7sKYpoGz8xfuGIk6haMa2g='), }, }, + 'unbound': { + 'restrict-to-interfaces': { + 'enp1s0.23', + 'enp1s0.42', + }, + }, 'users': { 'f2k1de': { 'ssh_pubkey': { diff --git a/nodes/htz-cloud/pirmasens.py b/nodes/htz-cloud/pirmasens.py index 6eea076..86a5e67 100644 --- a/nodes/htz-cloud/pirmasens.py +++ b/nodes/htz-cloud/pirmasens.py @@ -5,6 +5,7 @@ nodes['htz-cloud.pirmasens'] = { 'postfixadmin', 'postgresql', 'rspamd', + 'unbound', }, 'groups': { 'debian-buster', diff --git a/nodes/htz/ex42-1048908.py b/nodes/htz/ex42-1048908.py index 7bd4de9..b214b7d 100644 --- a/nodes/htz/ex42-1048908.py +++ b/nodes/htz/ex42-1048908.py @@ -14,6 +14,7 @@ nodes['htz.ex42-1048908'] = { 'rspamd', 'postgresql', 'radicale', + 'unbound', 'smartd', 'travelynx', 'vmhost',