From 8736322100397e81291458583b0fb729d82898fe Mon Sep 17 00:00:00 2001
From: Justus Grunow
Date: Mon, 16 Jan 2023 07:21:45 -0500
Subject: [PATCH] Working config w/ WG & unbound
---
inventory/inventory.yaml | 3 +
playbooks/assets/01-netcfg.yaml.j2 | 12 ++++
playbooks/assets/docker-compose.yml.j2 | 74 +++++++++++++++++++++
playbooks/assets/unbound.conf.j2 | 67 +++++++++++++++++++
playbooks/configfiles/01-netcfg.yaml | 12 ++++
playbooks/configfiles/unbound.conf | 67 +++++++++++++++++++
playbooks/dockercompose/docker-compose.yml | 76 +++++++++++++++++++++
playbooks/setup.yaml | 77 ++++++++++++++++++++++
requirements.txt | 10 +++
9 files changed, 398 insertions(+)
create mode 100644 inventory/inventory.yaml
create mode 100644 playbooks/assets/01-netcfg.yaml.j2
create mode 100644 playbooks/assets/docker-compose.yml.j2
create mode 100644 playbooks/assets/unbound.conf.j2
create mode 100644 playbooks/configfiles/01-netcfg.yaml
create mode 100644 playbooks/configfiles/unbound.conf
create mode 100644 playbooks/dockercompose/docker-compose.yml
create mode 100644 playbooks/setup.yaml
create mode 100644 requirements.txt
diff --git a/inventory/inventory.yaml b/inventory/inventory.yaml
new file mode 100644
index 0000000..391c22b
--- /dev/null
+++ b/inventory/inventory.yaml
@@ -0,0 +1,3 @@
+all:
+ hosts:
+ basementpi.local
diff --git a/playbooks/assets/01-netcfg.yaml.j2 b/playbooks/assets/01-netcfg.yaml.j2
new file mode 100644
index 0000000..215a49a
--- /dev/null
+++ b/playbooks/assets/01-netcfg.yaml.j2
@@ -0,0 +1,12 @@
+network:
+ version: 2
+ ethernets:
+ eth0:
+ addresses:
+ - {{ pi_ip }}/{{ pi_mask }}
+ nameservers:
+ search: [injust.us]
+ addresses: [127.0.0.1, 1.1.1.1]
+ routes:
+ - to: default
+ via: 10.11.1.1
diff --git a/playbooks/assets/docker-compose.yml.j2 b/playbooks/assets/docker-compose.yml.j2
new file mode 100644
index 0000000..33f81c2
--- /dev/null
+++ b/playbooks/assets/docker-compose.yml.j2
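Review bot: `basementpi.local` under `hosts:` is a bare scalar, so the YAML value of `hosts` is the string "basementpi.local" rather than a mapping; Ansible's YAML inventory plugin accepts a bare string there and treats it as a one-host mapping, which is presumably why the play runs. That shortcut stops working as soon as a second host or per-host vars are added beneath it (two bare lines fold into one multi-line string). Write the canonical mapping form, `basementpi.local:` with a trailing colon, so the entry is a key that more hosts and vars can be placed under.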
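Review bot: `{{ pi_mask }}` in the `addresses` entry has no definition in the new `playbooks/setup.yaml`, whose `vars` declare only `pi_ip`, so rendering this template would fail on an undefined variable; it does not fail today only because the "Copy netplan" task copies the static `configfiles/01-netcfg.yaml` instead of templating this file, which leaves the `.j2` dead. Either add `pi_mask: 24` to the play's vars and switch that task to `ansible.builtin.template` with `src: assets/01-netcfg.yaml.j2`, or drop the template; keeping both invites drift, and the static copy already hardcodes `10.11.1.10/24` and `injust.us` while the play defines `pi_ip` and `pihole_domain`. `search: [injust.us]` should likewise be `"{{ pihole_domain }}"` if the template is kept. Note also that `addresses: [127.0.0.1, 1.1.1.1]` lets the host's own lookups fall through to `1.1.1.1` unfiltered whenever the local resolver does not answer; if the Pi's own traffic is meant to go through Pi-hole, list only `127.0.0.1`. The same points apply to `playbooks/configfiles/01-netcfg.yaml`.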
@@ -0,0 +1,74 @@
+version: "3"
+
+# https://github.com/pi-hole/docker-pi-hole/blob/master/README.md
+
+services:
+ nginx-proxy:
+ image: nginxproxy/nginx-proxy
+ ports:
+ - '80:80'
+ environment:
+ DEFAULT_HOST: {{ pihole_hostname }}.{{ pihole_domain }}
+ volumes:
+ - '/var/run/docker.sock:/tmp/docker.sock'
+ restart: always
+
+ pihole:
+ image: pihole/pihole:latest
+ ports:
+ - '53:53/tcp'
+ - '53:53/udp'
+ - "67:67/udp"
+ - '8053:80/tcp'
+ volumes:
+ - './etc-pihole:/etc/pihole'
+ - './etc-dnsmasq.d:/etc/dnsmasq.d'
+ # run `touch ./var-log/pihole.log` first unless you like errors
+ # - './var-log/pihole.log:/var/log/pihole/pihole.log'
+ # Recommended but not required (DHCP needs NET_ADMIN)
+ # https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
+ cap_add:
+ - NET_ADMIN
+ expose:
+ - 80
+ environment:
+ ServerIP: 10.11.1.10
+ PIHOLE_DNS_: unbound#53;{{ pihole_additional_upstream_dnsservers }}
+ PROXY_LOCATION: {{ pihole_hostname }}
+ VIRTUAL_HOST: {{ pihole_hostname}}.{{ pihole_domain }}
+ VIRTUAL_PORT: 80
+ WEBPASSWORD: {{ pihole_password }}
+ FTLCONF_LOCAL_IPV4: {{ pi_ip }}
+
+ extra_hosts:
+ # Resolve to nothing domains (terminate connection)
+ - 'nw2master.bioware.com nwn2.master.gamespy.com:0.0.0.0'
+ # LAN hostnames for other docker containers using nginx-proxy
+ - 'yourDomain.lan:192.168.41.55'
+ - '{{ pihole_hostname }} {{ pihole_hostname }}.{{ pihole_domain }}:{{ pi_ip }}'
+ restart: always
+
+ unbound:
+ image: klutchell/unbound
+ volumes:
+ - ./unbound:/etc/unbound/unbound.conf.d
+ ports:
+ - '5335:53/tcp'
+ - '5335:53/udp'
+ restart: always
+
+
+
+# Another container you might want to have running through the proxy
+# Note it also have ENV Vars like pihole and a host under pihole's extra_hosts
+# ghost:
+# image: fractalf/ghost
+# ports:
+# - '2368:2368/tcp'
+# volumes:
+# - '/etc/ghost:/ghost-override'
+# environment:
+# PROXY_LOCATION: ghost
+# VIRTUAL_HOST: ghost.yourDomain.lan
+# VIRTUAL_PORT: 2368
+# restart: always
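Review bot: The templated values at `DEFAULT_HOST`, `PROXY_LOCATION`, `VIRTUAL_HOST`, `WEBPASSWORD` and `FTLCONF_LOCAL_IPV4` are substituted unquoted, so a `pihole_password` containing ` #` or `: `, starting with `*`, `&`, `[` or `{`, or looking like a number or boolean either breaks the rendered compose file or is silently retyped by the YAML parser; quote each one, e.g. `WEBPASSWORD: "{{ pihole_password }}"`, especially since the play's current value `password!` already carries punctuation. `ServerIP: 10.11.1.10` is left hardcoded right next to `FTLCONF_LOCAL_IPV4: {{ pi_ip }}`; use `"{{ pi_ip }}"` for both so the play variable is the single source. The `nginx-proxy` service mounts the Docker socket read-write on a container that terminates inbound HTTP, which makes it host-root-equivalent if compromised; at minimum use `'/var/run/docker.sock:/tmp/docker.sock:ro'` as the upstream image documents, and consider a socket proxy that exposes only the endpoints it needs. The `unbound` service is published on the host as `5335` although `pihole` reaches it in-network as `unbound#53`; dropping its `ports:` block, or binding `'127.0.0.1:5335:53/tcp'` and `/udp`, keeps the recursive resolver off the LAN interface.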
diff --git a/playbooks/assets/unbound.conf.j2 b/playbooks/assets/unbound.conf.j2
new file mode 100644
index 0000000..801a621
--- /dev/null
+++ b/playbooks/assets/unbound.conf.j2
@@ -0,0 +1,67 @@
+server:
+ # If no logfile is specified, syslog is used
+ # logfile: "/var/log/unbound/unbound.log"
+ verbosity: 0
+
+ interface: 127.0.0.1
+ port: 53
+ do-ip4: yes
+ do-udp: yes
+ do-tcp: yes
+
+ # May be set to yes if you have IPv6 connectivity
+ do-ip6: no
+
+ # You want to leave this to no unless you have *native* IPv6. With 6to4 and
+ # Terredo tunnels your web browser should favor IPv4 for the same reasons
+ prefer-ip6: no
+
+ # Use this only when you downloaded the list of primary root servers!
+ # If you use the default dns-root-data package, unbound will find it automatically
+ #root-hints: "/var/lib/unbound/root.hints"
+
+ # Trust glue only if it is within the server's authority
+ harden-glue: yes
+
+ # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
+ harden-dnssec-stripped: yes
+
+ # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
+ # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
+ use-caps-for-id: no
+
+ # Reduce EDNS reassembly buffer size.
+ # IP fragmentation is unreliable on the Internet today, and can cause
+ # transmission failures when large DNS messages are sent via UDP. Even
+ # when fragmentation does work, it may not be secure; it is theoretically
+ # possible to spoof parts of a fragmented DNS message, without easy
+ # detection at the receiving end. Recently, there was an excellent study
+ # >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<<
+ # by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
+ # in collaboration with NLnet Labs explored DNS using real world data from the
+ # the RIPE Atlas probes and the researchers suggested different values for
+ # IPv4 and IPv6 and in different scenarios. They advise that servers should
+ # be configured to limit DNS messages sent over UDP to a size that will not
+ # trigger fragmentation on typical network links. DNS servers can switch
+ # from UDP to TCP when a DNS response is too big to fit in this limited
+ # buffer size. This value has also been suggested in DNS Flag Day 2020.
+ edns-buffer-size: 1232
+
+ # Perform prefetching of close to expired message cache entries
+ # This only applies to domains that have been frequently queried
+ prefetch: yes
+
+ # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
+ num-threads: 1
+
+ # Ensure kernel buffer is large enough to not lose messages in traffic spikes
+ so-rcvbuf: 1m
+
+ # Ensure privacy of local IP ranges
+ private-address: 192.168.0.0/16
+ private-address: 169.254.0.0/16
+ private-address: 172.16.0.0/12
+ private-address: 10.0.0.0/8
+ private-address: fd00::/8
+ private-address: fe80::/10
+
diff --git a/playbooks/configfiles/01-netcfg.yaml b/playbooks/configfiles/01-netcfg.yaml
new file mode 100644
index 0000000..7133033
--- /dev/null
+++ b/playbooks/configfiles/01-netcfg.yaml
@@ -0,0 +1,12 @@
+network:
+ version: 2
+ ethernets:
+ eth0:
+ addresses:
+ - 10.11.1.10/24
+ nameservers:
+ search: [injust.us]
+ addresses: [127.0.0.1, 1.1.1.1]
+ routes:
+ - to: default
+ via: 10.11.1.1
diff --git a/playbooks/configfiles/unbound.conf b/playbooks/configfiles/unbound.conf
new file mode 100644
index 0000000..801a621
--- /dev/null
+++ b/playbooks/configfiles/unbound.conf
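Review bot: `interface: 127.0.0.1` binds unbound to its own container's loopback, but the compose template points Pi-hole at `unbound#53`, which arrives on the unbound container's network interface, so unless the image's base configuration also binds `0.0.0.0` this drop-in leaves the resolver unreachable from the `pihole` service and every query falls through to the `1.1.1.1` upstream in `PIHOLE_DNS_` (confirm against the image's default config; the mount into `unbound.conf.d` also assumes the image includes that directory). If the drop-in is meant to be authoritative, set `interface: 0.0.0.0` and pair it with an `access-control: <compose-subnet> allow` line (placeholder for the compose network range) so a recursive resolver that the compose file also publishes on host port `5335` does not answer arbitrary sources. `verbosity: 0` with `logfile` commented out leaves no operational logging at all; `verbosity: 1` keeps errors visible to syslog. This file is byte-identical to `playbooks/configfiles/unbound.conf` (both blobs are `801a621`), contains no Jinja expressions, and is not referenced by `setup.yaml`, which copies the `configfiles` version; keep one copy so the two cannot drift.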
@@ -0,0 +1,67 @@
+server:
+ # If no logfile is specified, syslog is used
+ # logfile: "/var/log/unbound/unbound.log"
+ verbosity: 0
+
+ interface: 127.0.0.1
+ port: 53
+ do-ip4: yes
+ do-udp: yes
+ do-tcp: yes
+
+ # May be set to yes if you have IPv6 connectivity
+ do-ip6: no
+
+ # You want to leave this to no unless you have *native* IPv6. With 6to4 and
+ # Terredo tunnels your web browser should favor IPv4 for the same reasons
+ prefer-ip6: no
+
+ # Use this only when you downloaded the list of primary root servers!
+ # If you use the default dns-root-data package, unbound will find it automatically
+ #root-hints: "/var/lib/unbound/root.hints"
+
+ # Trust glue only if it is within the server's authority
+ harden-glue: yes
+
+ # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
+ harden-dnssec-stripped: yes
+
+ # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
+ # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
+ use-caps-for-id: no
+
+ # Reduce EDNS reassembly buffer size.
+ # IP fragmentation is unreliable on the Internet today, and can cause
+ # transmission failures when large DNS messages are sent via UDP. Even
+ # when fragmentation does work, it may not be secure; it is theoretically
+ # possible to spoof parts of a fragmented DNS message, without easy
+ # detection at the receiving end. Recently, there was an excellent study
+ # >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<<
+ # by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
+ # in collaboration with NLnet Labs explored DNS using real world data from the
+ # the RIPE Atlas probes and the researchers suggested different values for
+ # IPv4 and IPv6 and in different scenarios. They advise that servers should
+ # be configured to limit DNS messages sent over UDP to a size that will not
+ # trigger fragmentation on typical network links. DNS servers can switch
+ # from UDP to TCP when a DNS response is too big to fit in this limited
+ # buffer size. This value has also been suggested in DNS Flag Day 2020.
+ edns-buffer-size: 1232
+
+ # Perform prefetching of close to expired message cache entries
+ # This only applies to domains that have been frequently queried
+ prefetch: yes
+
+ # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
+ num-threads: 1
+
+ # Ensure kernel buffer is large enough to not lose messages in traffic spikes
+ so-rcvbuf: 1m
+
+ # Ensure privacy of local IP ranges
+ private-address: 192.168.0.0/16
+ private-address: 169.254.0.0/16
+ private-address: 172.16.0.0/12
+ private-address: 10.0.0.0/8
+ private-address: fd00::/8
+ private-address: fe80::/10
+
diff --git a/playbooks/dockercompose/docker-compose.yml b/playbooks/dockercompose/docker-compose.yml
new file mode 100644
index 0000000..650ea0c
--- /dev/null
+++ b/playbooks/dockercompose/docker-compose.yml
@@ -0,0 +1,76 @@
+version: "3"
+
+# https://github.com/pi-hole/docker-pi-hole/blob/master/README.md
+
+services:
+ nginx-proxy:
+ image: nginxproxy/nginx-proxy
+ ports:
+ - '80:80'
+ environment:
+ DEFAULT_HOST: pihole.injust.us
+ volumes:
+ - '/var/run/docker.sock:/tmp/docker.sock'
+ restart: always
+
+ pihole:
+ image: pihole/pihole:latest
+ ports:
+ - '53:53/tcp'
+ - '53:53/udp'
+ - "67:67/udp"
+ - '8053:80/tcp'
+ volumes:
+ - './etc-pihole:/etc/pihole'
+ - './etc-dnsmasq.d:/etc/dnsmasq.d'
+ # run `touch ./var-log/pihole.log` first unless you like errors
+ # - './var-log/pihole.log:/var/log/pihole/pihole.log'
+ # Recommended but not required (DHCP needs NET_ADMIN)
+ # https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
+ cap_add:
+ - NET_ADMIN
+ expose:
+ - 80
+ environment:
+ ServerIP: 10.11.1.10
+ PIHOLE_DNS_: 127.0.0.1#5053;1.1.1.1
+ PROXY_LOCATION: pihole
+ VIRTUAL_HOST: pihole.injust.us
+ VIRTUAL_PORT: 80
+ WEBPASSWORD: password
+ FTLCONF_LOCAL_IPV4: 10.11.1.10
+
+ extra_hosts:
+ # Resolve to nothing domains (terminate connection)
+ - 'nw2master.bioware.com nwn2.master.gamespy.com:0.0.0.0'
+ # LAN hostnames for other docker containers using nginx-proxy
+ - 'yourDomain.lan:192.168.41.55'
+ - 'pihole pihole.injust.us:10.11.1.10'
+ - 'ghost ghost.yourDomain.lan:192.168.41.55'
+ - 'wordpress wordpress.yourDomain.lan:192.168.41.55'
+ restart: always
+
+ unbound:
+ image: klutchell/unbound
+ volumes:
+ - ./unbound:/etc/unbound/unbound.conf.d
+ ports:
+ - '5335:53/tcp'
+ - '5335:53/udp'
+ restart: always
+
+
+
+# Another container you might want to have running through the proxy
+# Note it also have ENV Vars like pihole and a host under pihole's extra_hosts
+# ghost:
+# image: fractalf/ghost
+# ports:
+# - '2368:2368/tcp'
+# volumes:
+# - '/etc/ghost:/ghost-override'
+# environment:
+# PROXY_LOCATION: ghost
+# VIRTUAL_HOST: ghost.yourDomain.lan
+# VIRTUAL_PORT: 2368
+# restart: always
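Review bot: This file is not referenced by `playbooks/setup.yaml`, which renders `assets/docker-compose.yml.j2` into `/root/docker/docker-compose.yml`, yet it commits a stale variant with `WEBPASSWORD: password` in the clear and `PIHOLE_DNS_: 127.0.0.1#5053;1.1.1.1`, an address that from inside the `pihole` container is its own loopback on a port nothing in this compose file listens on (unbound is published on host `5335` and reachable in-network as `unbound#53`). A checked-in but unused compose file carrying a credential is a drift hazard and will be flagged by secret scanners; delete it, or if it is meant as a rendered example, regenerate it from the template and replace the password with an obvious placeholder. The quoting, socket-mount and published-port points raised on `assets/docker-compose.yml.j2` apply here as well.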
diff --git a/playbooks/setup.yaml b/playbooks/setup.yaml
new file mode 100644
index 0000000..e09dc50
--- /dev/null
+++ b/playbooks/setup.yaml
@@ -0,0 +1,77 @@
+---
+- name: Setup
+ hosts: all
+ remote_user: root
+ vars:
+ pi_ip: 10.11.1.10
+ pihole_additional_upstream_dnsservers: 1.1.1.1
+ pihole_password: password!
+ pihole_hostname: pihole
+ pihole_domain: injust.us
+
+ tasks:
+ - name: Disable cloud-init network config
+ ansible.builtin.command: 'echo "network: {config: disabled}" > /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg'
+
+ - name: Delete existing netplan
+ ansible.builtin.command: rm -f /etc/netplan/*
+
+ - name: Copy netplan
+ ansible.builtin.copy:
+ src: configfiles/01-netcfg.yaml
+ dest: /etc/netplan
+ - name: Copy unbound config
+ ansible.builtin.copy:
+ src: configfiles/unbound.conf
+ dest: ./unbound/
+
+ - name: Apply Netplan
+ ansible.builtin.command: netplan apply
+
+ - name: Docker Prereqs
+ ansible.builtin.apt:
+ update_cache: true
+ name:
+ - ca-certificates
+ - curl
+ - gnupg
+ - lsb-release
+ - name: Create keyring directory
+ ansible.builtin.file:
+ path: /etc/apt/keyrings
+ state: directory
+ - name: Create Docker directory
+ ansible.builtin.file:
+ path: /root/docker
+ state: directory
+ - name: Download Docker GPG keys
+ ansible.builtin.shell: curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg --batch --yes
+ - name: Add Docker repo
+ ansible.builtin.shell: echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
+
+ - name: Disable Ubunut stub DNS resolver
+ ansible.builtin.shell: sed -r -i.orig 's/#?DNSStubListener=yes/DNSStubListener=no/g' /etc/systemd/resolved.conf
+ - name: symlink /etc/resolv to /run/systemd/resolve/resolv.conf
+ ansible.builtin.shell: sudo sh -c 'rm /etc/resolv.conf && ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf'
+
+ - name: Restart resolved
+ ansible.builtin.shell: systemctl restart systemd-resolved
+
+ - name: Install Docker
+ ansible.builtin.apt:
+ update_cache: true
+ name:
+ - docker-ce
+ - docker-ce-cli
+ - containerd.io
+ - docker-compose-plugin
+
+ - name: Copy Docker Compose file
+ ansible.builtin.template:
+ src: assets/docker-compose.yml.j2
+ dest: /root/docker/docker-compose.yml
+
+ - name: Run Docker
+ ansible.builtin.shell: docker compose up -d
+ args:
+ chdir: /root/docker
diff --git a/requirements.txt b/requirements.txt
new file mode 100644
index 0000000..0d48dfc
--- /dev/null
+++ b/requirements.txt
@@ -0,0 +1,10 @@
+ansible==7.1.0
+ansible-core==2.14.1
+cffi==1.15.1
+cryptography==39.0.0
+Jinja2==3.1.2
+MarkupSafe==2.1.1
+packaging==23.0
+pycparser==2.21
+PyYAML==6.0
+resolvelib==0.8.1
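Review bot: The first two tasks silently do nothing: `ansible.builtin.command` does not go through a shell, so in `echo "network: {config: disabled}" > /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg` the `>` and the path are handed to `echo` as plain arguments and no file is written, and in `rm -f /etc/netplan/*` the `*` is never glob-expanded, so `rm` is asked for a literal file named `*` and `-f` makes it exit 0 regardless. Cloud-init network configuration therefore stays enabled and any pre-existing netplan files remain beside the copied one; write the cloud-init file with `ansible.builtin.copy` using `content:`, and use `ansible.builtin.shell` (or `ansible.builtin.find` plus `ansible.builtin.file`) where a glob is needed, as sketched below. `pihole_password: password!` is a credential committed in play vars; move it to an Ansible Vault-encrypted vars file or a lookup, and quote it wherever it is templated. `dest: ./unbound/` in "Copy unbound config" is relative to the SSH session's working directory, presumably `/root`, while the compose template mounts `./unbound` relative to `/root/docker` (the `chdir` used by "Run Docker"); if so the drop-in never lands in the mounted directory and `dest: /root/docker/unbound/` is what is wanted. The `curl | sudo gpg` pipe in "Download Docker GPG keys" trusts whatever the download returns and the `sudo` prefixes are redundant under `remote_user: root`; fetching with `ansible.builtin.get_url` and a `checksum:` before `gpg --dearmor` records exactly which key was trusted.
```yaml
    - name: Disable cloud-init network config
      ansible.builtin.copy:
        content: "network: {config: disabled}\n"
        dest: /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg
        mode: "0644"

    - name: Delete existing netplan
      ansible.builtin.shell: rm -f /etc/netplan/*
    # … unchanged: remaining tasks …
```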