diff --git a/docker-compose/blocky/config.yml.j2 b/docker-compose/blocky/config.yml.j2 new file mode 100644 index 00000000..f00adcc4 --- /dev/null +++ b/docker-compose/blocky/config.yml.j2 @@ -0,0 +1,48 @@ +# https://0xerr0r.github.io/blocky/v0.20/configuration/#basic-configuration +upstream: + default: + - 9.9.9.9 + - 8.8.8.8 +upstreamTimeout: 2s + +port: 53 +httpPort: 4000 + +connectIPVersion: v4 + +queryLog: + type: console + +customDNS: + mapping: + mgrote.net: 192.168.2.43 # nötig damit z.B. oxidized pushen kann + +conditional: + mapping: + grote.lan: 192.168.2.1 + +blocking: + startStrategy: failOnError # like blocking but blocky will shut down if any download fails + blockType: nxDomain + blockTTL: 360s + refreshPeriod: 60m + blackLists: + ads: + - http://sysctl.org/cameleon/hosts + - https://raw.githubusercontent.com/StevenBlack/hosts/master/data/KADhosts/hosts + - https://raw.githubusercontent.com/StevenBlack/hosts/master/data/add.Spam/hosts + - https://adaway.org/hosts.txt + - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts + - https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt + - https://www.github.developerdan.com/hosts/lists/amp-hosts-extended.txt +# - | +# # inline definition with YAML literal block scalar style +# someadsdomain.com +# anotheradsdomain.com +# # this is a regex +# /^banners?[_.-]/ +# whiteLists: +# ads: +# - | +# # inline definition with YAML literal block scalar style +# whitelistdomain.com diff --git a/docker-compose/blocky/docker-compose.yml.j2 b/docker-compose/blocky/docker-compose.yml.j2 new file mode 100644 index 00000000..684bf326 --- /dev/null +++ b/docker-compose/blocky/docker-compose.yml.j2 
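Review bot: The `upstream.default` resolvers at the top of the hunk are plain-DNS addresses, so every query blocky forwards leaves the LAN in cleartext; blocky accepts the same providers over DoT/DoH, e.g. `- tcp-tls:9.9.9.9:853` or `- https://dns.quad9.net/dns-query`, and nothing else in the file depends on the transport. Further down, the `ads` list pulls `http://sysctl.org/cameleon/hosts` over plain HTTP while every other source is HTTPS; with `startStrategy: failOnError` each list is a hard start dependency, and an unauthenticated list can be altered in transit to block or unblock arbitrary names, so switch it to `https://` if the provider serves it or drop it. The commented-out inline example at the end is copied from the documentation and adds nothing to the rendered config; it could be removed to keep the template to what is actually deployed.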
@@ -0,0 +1,16 @@ +version: "2.1" +services: + blocky: + image: spx01/blocky + container_name: blocky + restart: unless-stopped + ports: + - "53:53/tcp" + - "53:53/udp" + environment: + - TZ=Europe/Berlin + volumes: + # config file + - ./config.yml:/app/config.yml + +# kann mit dig @192.168.2.43 -p 54 alternate.de getestet werden diff --git a/docker-compose/munin/docker-compose.yml.j2 b/docker-compose/munin/docker-compose.yml.j2 index 70130b81..530bc705 100644 --- a/docker-compose/munin/docker-compose.yml.j2 +++ b/docker-compose/munin/docker-compose.yml.j2 @@ -23,8 +23,7 @@ services: pve5.grote.lan:pve5.grote.lan dokuwiki2.grote.lan:dokuwiki2.grote.lan gitea.grote.lan:gitea.grote.lan - docker10.grote.lan:docker10.grote.lan - dnsmasq.grote.lan:dnsmasq.grote.lan' + docker10.grote.lan:docker10.grote.lan' # z.B. # computer-test.grote.lan.test:192.68.2.4 # computer.grote.lan:computer.grote.lan diff --git a/group_vars/dnsmasq.yml b/group_vars/dnsmasq.yml deleted file mode 100644 index 3726cf29..00000000 --- a/group_vars/dnsmasq.yml +++ /dev/null 
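Review bot: `image: spx01/blocky` carries no tag, so every pull silently tracks whatever is published as latest, while the config file's comment links the v0.20 documentation; pin the tag that matches the config you tested, e.g. `image: spx01/blocky:v0.20` (exact tag to be confirmed against the registry). The config mount can be read-only since blocky only reads it: `- ./config.yml:/app/config.yml:ro`. The trailing comment tests with `dig ... -p 54`, but the published ports above are `53:53`, so either the comment or the mapping is stale.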
@@ -1,98 +0,0 @@ ---- - ### oefenweb.ufw - ufw_rules: - - rule: allow - to_port: 22 - protocol: tcp - comment: 'ssh' - from_ip: 0.0.0.0/0 - - rule: allow - to_port: 4949 - protocol: tcp - comment: 'munin' - from_ip: 192.168.2.144/24 - - rule: allow - to_port: 53 - comment: 'dns' - from_ip: 0.0.0.0/0 - ### mgrote.restic - restic_repository: "//192.168.2.54/restic" - ### mgrote.apt_manage_sources - # wird leer gesetzt da dnsmasq NICHT den Router befragt und daher keine Lokalen Hostnamen abfragen kann - manage_sources_apt_proxy: "" - ### mgrote.apt_manage_packages - # hier mit IP statt Hostnamen da dnsmasq NICHT den Router befragt und daher keine Lokalen Hostnamen abfragen kann - apt_packages_internet: - - http://192.168.2.43:3344/bash-helper-scripts-mgrote/bash-helper-scripts-mgrote-latest.deb - ### mgrote.munin-node - munin_node_plugins: - - name: timesync - src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/timesync_status - - name: systemd_status - src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_status - - name: systemd_mem - src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_mem - config: | - [systemd_mem] - env.all_services true - - name: lvm_ - src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/disk/lvm_ - config: | - [lvm_*] - user root - - name: fail2ban - src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/fail2ban - config: | - [fail2ban] - env.client /usr/bin/fail2ban-client - env.config_dir /etc/fail2ban - user root - - name: dnsmasq - src: https://git.mgrote.net/mg/mirror-dnsmasq-munin/raw/branch/master/dnsmasq - config: | - [dnsmasq] - env.logfile {{ dnsmasq_logfile }} - user root - - name: dnsresponse_192.168.2.1 - src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/network/dns/dnsresponse_ - - name: dnsresponse_127.0.0.1 - src: 
https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/network/dns/dnsresponse_ - config: | - [dnsresponse_*] - env.site www.heise.de - env.times 20 - ### mgrote.dnsmasq - # Welche DNS-Server soll dnsmasq anfragen? - dnsmasq_resolver: - - 9.9.9.9 - - 1.1.1.1 - dnsmasq_log_queries: true # has to be true for munin - dnsmasq_logfile: /var/log/dnsmasq.log - dnsmasq_blocklists: - - name: sysctl.org - state: present - url: http://sysctl.org/cameleon/hosts - - name: StevenBlack.1 - state: present - url: https://raw.githubusercontent.com/StevenBlack/hosts/master/data/KADhosts/hosts - - name: StevenBlack.2 - state: present - url: https://raw.githubusercontent.com/StevenBlack/hosts/master/data/add.Spam/hosts - - name: adaway.org - state: present - url: https://adaway.org/hosts.txt - - name: StevenBlack.3 - state: present - url: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts - - name: developerdan.1 - state: present - url: https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt - - name: developerdan.2 - state: present - url: https://www.github.developerdan.com/hosts/lists/amp-hosts-extended.txt - dnsmasq_cache_size: 10000 - dnsmasq_port: 53 - dnsmasq_never_forward_domain: grote.lan - ### mgrote.apt_manage_packages - apt_packages_extra: - - libnet-dns-perl # für munin: dnsresponse_* diff --git a/host_vars/docker10.grote.lan.yml b/host_vars/docker10.grote.lan.yml index 00665a06..921ec8b0 100644 --- a/host_vars/docker10.grote.lan.yml +++ b/host_vars/docker10.grote.lan.yml @@ -75,6 +75,8 @@ state: absent - name: watchtower state: present + - name: blocky + state: present #### mgrote.set_permissions dir_permissions: @@ -110,6 +112,7 @@ ### mgrote.apt_manage_packages apt_packages_extra: + - libnet-dns-perl # für munin: dnsresponse_* - libwww-curl-perl # für munin-plugin: unifi - libjson-perl # für munin-plugin: unifi - sshpass # fur munin mt_system_* 
@@ -293,3 +296,13 @@ env.SLRM_MAIL {{ lookup('keepass', 'SLRM_MAIL', 'password') }} env.SLRM_PASSWORD {{ lookup('keepass', 'SLRM_PASSWORD', 'password') }} env.SLRM_APPSECRET {{ lookup('keepass', 'SLRM_APPSECRET', 'password') }} + - name: dnsresponse_192.168.2.1 + src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/network/dns/dnsresponse_ + - name: dnsresponse_192.168.2.43 + src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/network/dns/dnsresponse_ + - name: dnsresponse_127.0.0.1 + src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/network/dns/dnsresponse_ + config: | + [dnsresponse_*] + env.site www.heise.de + env.times 20 diff --git a/inventory b/inventory index 80ab3b0b..800c6da4 100644 --- a/inventory +++ b/inventory @@ -6,9 +6,6 @@ all: fileserver: hosts: fileserver3.grote.lan: - dnsmasq: - hosts: - dnsmasq.grote.lan: acng: hosts: acng2.grote.lan: @@ -40,7 +37,6 @@ all: ansible2.grote.lan: pve5.grote.lan: gitea.grote.lan: - dnsmasq.grote.lan: docker10.grote.lan: test: hosts: diff --git a/playbooks/3_service/docker.yml b/playbooks/3_service/docker.yml index c7d5a93f..cb55bce8 100644 --- a/playbooks/3_service/docker.yml +++ b/playbooks/3_service/docker.yml @@ -1,6 +1,7 @@ --- - hosts: docker roles: + - { role: mgrote.systemd-resolved, tags: "dns", become: true } - { role: geerlingguy.pip, tags: "pip", become: true } - { role: geerlingguy.docker, tags: "docker", become: true } - { role: gantsign.ctop, tags: "ctop", become: true } diff --git a/roles/mgrote.systemd-resolved/README.md b/roles/mgrote.systemd-resolved/README.md new file mode 100644 index 00000000..99eae4cf --- /dev/null +++ b/roles/mgrote.systemd-resolved/README.md @@ -0,0 +1,3 @@ +# mgrote.systemd-resolved + +This role disables the `systemd-resolved stub-listener` to free port `53` and sets the specified DNS-Server instead. 
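Review bot: The added `mgrote.systemd-resolved` role line applies to every host in `docker`, and nothing visible in this commit overrides the role default `nameserver: 192.168.2.1` for docker10, so the blocky host itself will keep resolving through the router rather than through its own blocky instance; if that is intended, a `nameserver:` entry in `host_vars/docker10.grote.lan.yml` with a comment would make it explicit, otherwise point it at the blocky address. Note that the restart which actually frees port 53 is a handler, so it runs at the end of the play, not before `geerlingguy.docker` — placing the role first does not by itself guarantee the port is free for a container started in the same run. A short comment on the role line, e.g. `# frees port 53 for blocky (stub listener off)`, would record why it is there.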
diff --git a/roles/mgrote.systemd-resolved/defaults/main.yml b/roles/mgrote.systemd-resolved/defaults/main.yml new file mode 100644 index 00000000..b8b25d65 --- /dev/null +++ b/roles/mgrote.systemd-resolved/defaults/main.yml @@ -0,0 +1 @@ +nameserver: 192.168.2.1 diff --git a/roles/mgrote.systemd-resolved/handlers/main.yml b/roles/mgrote.systemd-resolved/handlers/main.yml new file mode 100644 index 00000000..f5ddad62 --- /dev/null +++ b/roles/mgrote.systemd-resolved/handlers/main.yml @@ -0,0 +1,5 @@ +--- + - name: restart systemd-resolved + ansible.builtin.systemd: + state: restarted + name: systemd-resolved diff --git a/roles/mgrote.systemd-resolved/tasks/main.yml b/roles/mgrote.systemd-resolved/tasks/main.yml new file mode 100644 index 00000000..13d438fc --- /dev/null +++ b/roles/mgrote.systemd-resolved/tasks/main.yml @@ -0,0 +1,24 @@ +--- + - name: Make sure systemd-resolved is running + ansible.builtin.systemd: + state: started + masked: false + name: systemd-resolved + + - name: template /etc/systemd/resolved.conf + ansible.builtin.template: + src: resolved.conf.j2 + dest: /etc/systemd/resolved.conf + owner: root + group: root + mode: '0644' + notify: restart systemd-resolved + + - name: template /etc/resolv.conf + ansible.builtin.template: + src: resolv.conf.j2 + dest: /etc/resolv.conf + owner: root + group: root + mode: '0644' + notify: restart systemd-resolved diff --git a/roles/mgrote.systemd-resolved/templates/resolv.conf.j2 b/roles/mgrote.systemd-resolved/templates/resolv.conf.j2 new file mode 100644 index 00000000..e9b784a9 --- /dev/null +++ b/roles/mgrote.systemd-resolved/templates/resolv.conf.j2 @@ -0,0 +1,3 @@ +{{ file_header | default () }} + +nameserver {{ nameserver }} diff --git a/roles/mgrote.systemd-resolved/templates/resolved.conf.j2 b/roles/mgrote.systemd-resolved/templates/resolved.conf.j2 new file mode 100644 index 00000000..f0851fd8 --- /dev/null +++ b/roles/mgrote.systemd-resolved/templates/resolved.conf.j2 
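Review bot: The role default is named plainly `nameserver`, and `resolv.conf.j2` in this same commit reads it unprefixed; role defaults sit at the lowest precedence and a generic name like this is easy to clobber from inventory or another role without noticing, so namespace it, e.g. `systemd_resolved_nameserver: 192.168.2.1`, and reference that name in the template. The value is also a single address with no fallback, whereas a resolv.conf commonly lists two or three; making it a list and looping over it in the template would allow that without changing the role's interface for existing callers.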
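Review bot: The `template /etc/resolv.conf` task writes over a path that, on hosts running systemd-resolved, is usually a symlink into `/run/systemd/resolve/`; `ansible.builtin.template` leaves `follow` at its default of false, so as far as I can tell the symlink itself is replaced by a regular file — that seems to be the intent, but stating it with `follow: false` and a comment such as `# replaces the stub-resolv.conf symlink with a static file` would make the effect (and how to undo it) explicit. Notifying `restart systemd-resolved` from that task is unnecessary, as resolved does not read `/etc/resolv.conf`; only the `resolved.conf` change needs the handler. The first task starts and unmasks the unit but does not set `enabled: true`, so on a host where the unit was disabled the state will not survive a reboot.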
@@ -0,0 +1,36 @@ +{{ file_header | default () }} + +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it under the +# terms of the GNU Lesser General Public License as published by the Free +# Software Foundation; either version 2.1 of the License, or (at your option) +# any later version. +# +# Entries in this file show the compile time defaults. Local configuration +# should be created by either modifying this file, or by creating "drop-ins" in +# the resolved.conf.d/ subdirectory. The latter is generally recommended. +# Defaults can be restored by simply deleting this file and all drop-ins. +# +# Use 'systemd-analyze cat-config systemd/resolved.conf' to display the full config. +# +# See resolved.conf(5) for details. + +[Resolve] +# Some examples of DNS servers which may be used for DNS= and FallbackDNS=: +# Cloudflare: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com +# Google: 8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google +# Quad9: 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net +#DNS= +#FallbackDNS= +#Domains= +#DNSSEC=no +#DNSOverTLS=no +#MulticastDNS=no +#LLMNR=no +#Cache=no-negative +#CacheFromLocalhost=no +DNSStubListener=no +#DNSStubListenerExtra= +#ReadEtcHosts=yes +#ResolveUnicastSingleLabel=no
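Review bot: `DNS=` stays commented in the `[Resolve]` section even though the role README says the role sets the specified DNS server; the address only reaches `/etc/resolv.conf`, so any client that goes through resolved itself (nss-resolve, `resolvectl`) keeps using whatever DNS the links received from DHCP. Add `DNS={{ nameserver }}` next to `DNSStubListener=no` so both resolution paths agree. Separately, the file's own header text in this hunk recommends drop-ins over editing this file; a drop-in such as `/etc/systemd/resolved.conf.d/10-ansible.conf` (name constructed) holding just `[Resolve]`, `DNS=...` and `DNSStubListener=no` would avoid carrying the upstream license banner and commented defaults in the template and would not conflict with package updates of the original file.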