mg
/
homeserver
1
0
Fork 0
Code Issues 1 Pull Requests Releases Activity

dnsmasq -- > blocky (#486) 

Co-authored-by: Michael Grote <michael.grote@posteo.de>
Reviewed-on: #486
This commit is contained in:
Michael Grote 2023-03-24 13:09:29 +01:00
parent 68ef705e67
commit d08ebe9747
13 changed files with 151 additions and 104 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
docker-compose/blocky/config.yml.j2 Normal file
View File

@ -0,0 +1,48 @@
# https://0xerr0r.github.io/blocky/v0.20/configuration/#basic-configuration
upstream:
default:
- 9.9.9.9
- 8.8.8.8
upstreamTimeout: 2s
port: 53
httpPort: 4000
connectIPVersion: v4
queryLog:
type: console
customDNS:
mapping:
mgrote.net: 192.168.2.43 # nötig damit z.B. oxidized pushen kann
conditional:
mapping:
grote.lan: 192.168.2.1
blocking:
startStrategy: failOnError # like blocking but blocky will shut down if any download fails
blockType: nxDomain
blockTTL: 360s
refreshPeriod: 60m
blackLists:
ads:
- http://sysctl.org/cameleon/hosts
- https://raw.githubusercontent.com/StevenBlack/hosts/master/data/KADhosts/hosts
- https://raw.githubusercontent.com/StevenBlack/hosts/master/data/add.Spam/hosts
- https://adaway.org/hosts.txt
- https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
- https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt
- https://www.github.developerdan.com/hosts/lists/amp-hosts-extended.txt
# - |
# # inline definition with YAML literal block scalar style
# someadsdomain.com
# anotheradsdomain.com
# # this is a regex
# /^banners?[_.-]/
# whiteLists:
# ads:
# - |
# # inline definition with YAML literal block scalar style
# whitelistdomain.com

16
docker-compose/blocky/docker-compose.yml.j2 Normal file
View File

@ -0,0 +1,16 @@
version: "2.1"
services:
blocky:
image: spx01/blocky
container_name: blocky
restart: unless-stopped
ports:
- "53:53/tcp"
- "53:53/udp"
environment:
- TZ=Europe/Berlin
volumes:
# config file
- ./config.yml:/app/config.yml
# kann mit dig @192.168.2.43 -p 54 alternate.de getestet werden

3
docker-compose/munin/docker-compose.yml.j2
View File

@ -23,8 +23,7 @@ services:
pve5.grote.lan:pve5.grote.lan
dokuwiki2.grote.lan:dokuwiki2.grote.lan
gitea.grote.lan:gitea.grote.lan
docker10.grote.lan:docker10.grote.lan
dnsmasq.grote.lan:dnsmasq.grote.lan'
docker10.grote.lan:docker10.grote.lan'
# z.B.
# computer-test.grote.lan.test:192.68.2.4
# computer.grote.lan:computer.grote.lan

98
group_vars/dnsmasq.yml
View File

@ -1,98 +0,0 @@
---
### oefenweb.ufw
ufw_rules:
- rule: allow
to_port: 22
protocol: tcp
comment: 'ssh'
from_ip: 0.0.0.0/0
- rule: allow
to_port: 4949
protocol: tcp
comment: 'munin'
from_ip: 192.168.2.144/24
- rule: allow
to_port: 53
comment: 'dns'
from_ip: 0.0.0.0/0
### mgrote.restic
restic_repository: "//192.168.2.54/restic"
### mgrote.apt_manage_sources
# wird leer gesetzt da dnsmasq NICHT den Router befragt und daher keine Lokalen Hostnamen abfragen kann
manage_sources_apt_proxy: ""
### mgrote.apt_manage_packages
# hier mit IP statt Hostnamen da dnsmasq NICHT den Router befragt und daher keine Lokalen Hostnamen abfragen kann
apt_packages_internet:
- http://192.168.2.43:3344/bash-helper-scripts-mgrote/bash-helper-scripts-mgrote-latest.deb
### mgrote.munin-node
munin_node_plugins:
- name: timesync
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/timesync_status
- name: systemd_status
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_status
- name: systemd_mem
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_mem
config: |
[systemd_mem]
env.all_services true
- name: lvm_
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/disk/lvm_
config: |
[lvm_*]
user root
- name: fail2ban
src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/fail2ban
config: |
[fail2ban]
env.client /usr/bin/fail2ban-client
env.config_dir /etc/fail2ban
user root
- name: dnsmasq
src: https://git.mgrote.net/mg/mirror-dnsmasq-munin/raw/branch/master/dnsmasq
config: |
[dnsmasq]
env.logfile {{ dnsmasq_logfile }}
user root
- name: dnsresponse_192.168.2.1
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/network/dns/dnsresponse_
- name: dnsresponse_127.0.0.1
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/network/dns/dnsresponse_
config: |
[dnsresponse_*]
env.site www.heise.de
env.times 20
### mgrote.dnsmasq
# Welche DNS-Server soll dnsmasq anfragen?
dnsmasq_resolver:
- 9.9.9.9
- 1.1.1.1
dnsmasq_log_queries: true # has to be true for munin
dnsmasq_logfile: /var/log/dnsmasq.log
dnsmasq_blocklists:
- name: sysctl.org
state: present
url: http://sysctl.org/cameleon/hosts
- name: StevenBlack.1
state: present
url: https://raw.githubusercontent.com/StevenBlack/hosts/master/data/KADhosts/hosts
- name: StevenBlack.2
state: present
url: https://raw.githubusercontent.com/StevenBlack/hosts/master/data/add.Spam/hosts
- name: adaway.org
state: present
url: https://adaway.org/hosts.txt
- name: StevenBlack.3
state: present
url: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
- name: developerdan.1
state: present
url: https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt
- name: developerdan.2
state: present
url: https://www.github.developerdan.com/hosts/lists/amp-hosts-extended.txt
dnsmasq_cache_size: 10000
dnsmasq_port: 53
dnsmasq_never_forward_domain: grote.lan
### mgrote.apt_manage_packages
apt_packages_extra:
- libnet-dns-perl # für munin: dnsresponse_*

13
host_vars/docker10.grote.lan.yml
View File

@ -75,6 +75,8 @@
state: absent
- name: watchtower
state: present
- name: blocky
state: present
#### mgrote.set_permissions
dir_permissions:
@ -110,6 +112,7 @@
### mgrote.apt_manage_packages
apt_packages_extra:
- libnet-dns-perl # für munin: dnsresponse_*
- libwww-curl-perl # für munin-plugin: unifi
- libjson-perl # für munin-plugin: unifi
- sshpass # fur munin mt_system_*
@ -293,3 +296,13 @@
env.SLRM_MAIL {{ lookup('keepass', 'SLRM_MAIL', 'password') }}
env.SLRM_PASSWORD {{ lookup('keepass', 'SLRM_PASSWORD', 'password') }}
env.SLRM_APPSECRET {{ lookup('keepass', 'SLRM_APPSECRET', 'password') }}
- name: dnsresponse_192.168.2.1
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/network/dns/dnsresponse_
- name: dnsresponse_192.168.2.43
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/network/dns/dnsresponse_
- name: dnsresponse_127.0.0.1
src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/network/dns/dnsresponse_
config: |
[dnsresponse_*]
env.site www.heise.de
env.times 20

4
inventory
View File

@ -6,9 +6,6 @@ all:
fileserver:
hosts:
fileserver3.grote.lan:
dnsmasq:
hosts:
dnsmasq.grote.lan:
acng:
hosts:
acng2.grote.lan:
@ -40,7 +37,6 @@ all:
ansible2.grote.lan:
pve5.grote.lan:
gitea.grote.lan:
dnsmasq.grote.lan:
docker10.grote.lan:
test:
hosts:

1
playbooks/3_service/docker.yml
View File

@ -1,6 +1,7 @@
---
- hosts: docker
roles:
- { role: mgrote.systemd-resolved, tags: "dns", become: true }
- { role: geerlingguy.pip, tags: "pip", become: true }
- { role: geerlingguy.docker, tags: "docker", become: true }
- { role: gantsign.ctop, tags: "ctop", become: true }

3
roles/mgrote.systemd-resolved/README.md Normal file
View File

@ -0,0 +1,3 @@
# mgrote.systemd-resolved
This role disables the `systemd-resolved stub-listener` to free port `53` and sets the specified DNS-Server instead.

1
roles/mgrote.systemd-resolved/defaults/main.yml Normal file
View File

@ -0,0 +1 @@
nameserver: 192.168.2.1

5
roles/mgrote.systemd-resolved/handlers/main.yml Normal file
View File

@ -0,0 +1,5 @@
---
- name: restart systemd-resolved
ansible.builtin.systemd:
state: restarted
name: systemd-resolved

24
roles/mgrote.systemd-resolved/tasks/main.yml Normal file
View File

@ -0,0 +1,24 @@
---
- name: Make sure systemd-resolved is running
ansible.builtin.systemd:
state: started
masked: false
name: systemd-resolved
- name: template /etc/systemd/resolved.conf
ansible.builtin.template:
src: resolved.conf.j2
dest: /etc/systemd/resolved.conf
owner: root
group: root
mode: '0644'
notify: restart systemd-resolved
- name: template /etc/resolv.conf
ansible.builtin.template:
src: resolv.conf.j2
dest: /etc/resolv.conf
owner: root
group: root
mode: '0644'
notify: restart systemd-resolved

3
roles/mgrote.systemd-resolved/templates/resolv.conf.j2 Normal file
View File

@ -0,0 +1,3 @@
{{ file_header | default () }}
nameserver {{ nameserver }}

36
roles/mgrote.systemd-resolved/templates/resolved.conf.j2 Normal file
View File

@ -0,0 +1,36 @@
{{ file_header | default () }}
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it under the
# terms of the GNU Lesser General Public License as published by the Free
# Software Foundation; either version 2.1 of the License, or (at your option)
# any later version.
#
# Entries in this file show the compile time defaults. Local configuration
# should be created by either modifying this file, or by creating "drop-ins" in
# the resolved.conf.d/ subdirectory. The latter is generally recommended.
# Defaults can be restored by simply deleting this file and all drop-ins.
#
# Use 'systemd-analyze cat-config systemd/resolved.conf' to display the full config.
#
# See resolved.conf(5) for details.
[Resolve]
# Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
# Cloudflare: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
# Google: 8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google
# Quad9: 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
#DNS=
#FallbackDNS=
#Domains=
#DNSSEC=no
#DNSOverTLS=no
#MulticastDNS=no
#LLMNR=no
#Cache=no-negative
#CacheFromLocalhost=no
DNSStubListener=no
#DNSStubListenerExtra=
#ReadEtcHosts=yes
#ResolveUnicastSingleLabel=no