dnsmasq -- > blocky (#486)

Co-authored-by: Michael Grote <michael.grote@posteo.de>
Reviewed-on: #486

docker-compose/blocky/config.yml.j2

@@ -0,0 +1,48 @@
+# https://0xerr0r.github.io/blocky/v0.20/configuration/#basic-configuration
+upstream:
+  default:
+    - 9.9.9.9
+    - 8.8.8.8
+upstreamTimeout: 2s
+
+port: 53
+httpPort: 4000
+
+connectIPVersion: v4
+
+queryLog:
+  type: console
+
+customDNS:
+  mapping:
+    mgrote.net: 192.168.2.43 # nötig damit z.B. oxidized pushen kann
+
+conditional:
+  mapping:
+    grote.lan: 192.168.2.1
+
+blocking:
+  startStrategy: failOnError # like blocking but blocky will shut down if any download fails
+  blockType: nxDomain
+  blockTTL: 360s
+  refreshPeriod: 60m
+  blackLists:
+    ads:
+      - http://sysctl.org/cameleon/hosts
+      - https://raw.githubusercontent.com/StevenBlack/hosts/master/data/KADhosts/hosts
+      - https://raw.githubusercontent.com/StevenBlack/hosts/master/data/add.Spam/hosts
+      - https://adaway.org/hosts.txt
+      - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
+      - https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt
+      - https://www.github.developerdan.com/hosts/lists/amp-hosts-extended.txt
+#      - |
+#        # inline definition with YAML literal block scalar style
+#        someadsdomain.com
+#        anotheradsdomain.com
+#        # this is a regex
+#        /^banners?[_.-]/
+#  whiteLists:
+#    ads:
+#      - |
+#        # inline definition with YAML literal block scalar style
+#        whitelistdomain.com

docker-compose/blocky/docker-compose.yml.j2

@@ -0,0 +1,16 @@
+version: "2.1"
+services:
+  blocky:
+    image: spx01/blocky
+    container_name: blocky
+    restart: unless-stopped
+    ports:
+      - "53:53/tcp"
+      - "53:53/udp"
+    environment:
+      - TZ=Europe/Berlin
+    volumes:
+      # config file
+      - ./config.yml:/app/config.yml
+
+# kann mit dig @192.168.2.43 -p 54 alternate.de getestet werden

docker-compose/munin/docker-compose.yml.j2

@@ -23,8 +23,7 @@ services:
       pve5.grote.lan:pve5.grote.lan
       dokuwiki2.grote.lan:dokuwiki2.grote.lan
       gitea.grote.lan:gitea.grote.lan
-      docker10.grote.lan:docker10.grote.lan
+      docker10.grote.lan:docker10.grote.lan'
-      dnsmasq.grote.lan:dnsmasq.grote.lan'
       # z.B.
       # computer-test.grote.lan.test:192.68.2.4
       # computer.grote.lan:computer.grote.lan

group_vars/dnsmasq.yml

@@ -1,98 +0,0 @@
----
-  ### oefenweb.ufw
-  ufw_rules:
-    - rule: allow
-      to_port: 22
-      protocol: tcp
-      comment: 'ssh'
-      from_ip: 0.0.0.0/0
-    - rule: allow
-      to_port: 4949
-      protocol: tcp
-      comment: 'munin'
-      from_ip: 192.168.2.144/24
-    - rule: allow
-      to_port: 53
-      comment: 'dns'
-      from_ip: 0.0.0.0/0
-  ### mgrote.restic
-  restic_repository: "//192.168.2.54/restic"
-  ### mgrote.apt_manage_sources
-  # wird leer gesetzt da dnsmasq NICHT den Router befragt und daher keine Lokalen Hostnamen abfragen kann
-  manage_sources_apt_proxy: ""
-  ### mgrote.apt_manage_packages
-  # hier mit IP statt Hostnamen da dnsmasq NICHT den Router befragt und daher keine Lokalen Hostnamen abfragen kann
-  apt_packages_internet:
-    - http://192.168.2.43:3344/bash-helper-scripts-mgrote/bash-helper-scripts-mgrote-latest.deb
-  ### mgrote.munin-node
-  munin_node_plugins:
-    - name: timesync
-      src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/timesync_status
-    - name: systemd_status
-      src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_status
-    - name: systemd_mem
-      src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/systemd/systemd_mem
-      config: |
-        [systemd_mem]
-        env.all_services true
-    - name: lvm_
-      src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/disk/lvm_
-      config: |
-        [lvm_*]
-        user root
-    - name: fail2ban
-      src: https://git.mgrote.net/mg/munin-plugins/raw/branch/master/extern/fail2ban
-      config: |
-        [fail2ban]
-        env.client /usr/bin/fail2ban-client
-        env.config_dir /etc/fail2ban
-        user root
-    - name: dnsmasq
-      src: https://git.mgrote.net/mg/mirror-dnsmasq-munin/raw/branch/master/dnsmasq
-      config: |
-        [dnsmasq]
-        env.logfile {{ dnsmasq_logfile }}
-        user root
-    - name: dnsresponse_192.168.2.1
-      src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/network/dns/dnsresponse_
-    - name: dnsresponse_127.0.0.1
-      src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/network/dns/dnsresponse_
-      config: |
-        [dnsresponse_*]
-        env.site www.heise.de
-        env.times 20
-  ### mgrote.dnsmasq
-  # Welche DNS-Server soll dnsmasq anfragen?
-  dnsmasq_resolver:
-    - 9.9.9.9
-    - 1.1.1.1
-  dnsmasq_log_queries: true # has to be true for munin
-  dnsmasq_logfile: /var/log/dnsmasq.log
-  dnsmasq_blocklists:
-    - name: sysctl.org
-      state: present
-      url: http://sysctl.org/cameleon/hosts
-    - name: StevenBlack.1
-      state: present
-      url: https://raw.githubusercontent.com/StevenBlack/hosts/master/data/KADhosts/hosts
-    - name: StevenBlack.2
-      state: present
-      url: https://raw.githubusercontent.com/StevenBlack/hosts/master/data/add.Spam/hosts
-    - name: adaway.org
-      state: present
-      url: https://adaway.org/hosts.txt
-    - name: StevenBlack.3
-      state: present
-      url: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
-    - name: developerdan.1
-      state: present
-      url: https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt
-    - name: developerdan.2
-      state: present
-      url: https://www.github.developerdan.com/hosts/lists/amp-hosts-extended.txt
-  dnsmasq_cache_size: 10000
-  dnsmasq_port: 53
-  dnsmasq_never_forward_domain: grote.lan
-  ### mgrote.apt_manage_packages
-  apt_packages_extra:
-    - libnet-dns-perl # für munin: dnsresponse_*

host_vars/docker10.grote.lan.yml

@@ -75,6 +75,8 @@
       state: absent
     - name: watchtower
       state: present
+    - name: blocky
+      state: present
 
   #### mgrote.set_permissions
   dir_permissions:
@@ -110,6 +112,7 @@
 
   ### mgrote.apt_manage_packages
   apt_packages_extra:
+    - libnet-dns-perl # für munin: dnsresponse_*
     - libwww-curl-perl # für munin-plugin: unifi
     - libjson-perl # für munin-plugin: unifi
     - sshpass # fur munin mt_system_*
@@ -293,3 +296,13 @@
         env.SLRM_MAIL {{ lookup('keepass', 'SLRM_MAIL', 'password') }}
         env.SLRM_PASSWORD {{ lookup('keepass', 'SLRM_PASSWORD', 'password') }}
         env.SLRM_APPSECRET {{ lookup('keepass', 'SLRM_APPSECRET', 'password') }}
+    - name: dnsresponse_192.168.2.1
+      src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/network/dns/dnsresponse_
+    - name: dnsresponse_192.168.2.43
+      src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/network/dns/dnsresponse_
+    - name: dnsresponse_127.0.0.1
+      src: https://git.mgrote.net/mg/mirror-munin-contrib/raw/branch/master/plugins/network/dns/dnsresponse_
+      config: |
+        [dnsresponse_*]
+        env.site www.heise.de
+        env.times 20

inventory

@@ -6,9 +6,6 @@ all:
     fileserver:
       hosts:
         fileserver3.grote.lan:
-    dnsmasq:
-      hosts:
-        dnsmasq.grote.lan:
     acng:
       hosts:
         acng2.grote.lan:
@@ -40,7 +37,6 @@ all:
         ansible2.grote.lan:
         pve5.grote.lan:
         gitea.grote.lan:
-        dnsmasq.grote.lan:
         docker10.grote.lan:
     test:
       hosts:

playbooks/3_service/docker.yml

@@ -1,6 +1,7 @@
 ---
 - hosts: docker
   roles:
+    - { role: mgrote.systemd-resolved, tags: "dns", become: true }
     - { role: geerlingguy.pip, tags: "pip", become: true }
     - { role: geerlingguy.docker, tags: "docker", become: true }
     - { role: gantsign.ctop, tags: "ctop", become: true }

roles/mgrote.systemd-resolved/README.md

@@ -0,0 +1,3 @@
+# mgrote.systemd-resolved
+
+This role disables the `systemd-resolved stub-listener` to free port `53` and sets the specified DNS-Server instead. 

roles/mgrote.systemd-resolved/defaults/main.yml

@@ -0,0 +1 @@
+nameserver: 192.168.2.1

roles/mgrote.systemd-resolved/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+  - name: restart systemd-resolved
+    ansible.builtin.systemd:
+      state: restarted
+      name: systemd-resolved

roles/mgrote.systemd-resolved/tasks/main.yml

@@ -0,0 +1,24 @@
+---
+  - name: Make sure systemd-resolved is running
+    ansible.builtin.systemd:
+      state: started
+      masked: false
+      name: systemd-resolved
+
+  - name: template /etc/systemd/resolved.conf
+    ansible.builtin.template:
+      src: resolved.conf.j2
+      dest: /etc/systemd/resolved.conf
+      owner: root
+      group: root
+      mode: '0644'
+    notify: restart systemd-resolved
+
+  - name: template /etc/resolv.conf
+    ansible.builtin.template:
+      src: resolv.conf.j2
+      dest: /etc/resolv.conf
+      owner: root
+      group: root
+      mode: '0644'
+    notify: restart systemd-resolved

roles/mgrote.systemd-resolved/templates/resolv.conf.j2

@@ -0,0 +1,3 @@
+{{ file_header | default () }}
+
+nameserver {{ nameserver }}

roles/mgrote.systemd-resolved/templates/resolved.conf.j2

@@ -0,0 +1,36 @@
+{{ file_header | default () }}
+
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it under the
+#  terms of the GNU Lesser General Public License as published by the Free
+#  Software Foundation; either version 2.1 of the License, or (at your option)
+#  any later version.
+#
+# Entries in this file show the compile time defaults. Local configuration
+# should be created by either modifying this file, or by creating "drop-ins" in
+# the resolved.conf.d/ subdirectory. The latter is generally recommended.
+# Defaults can be restored by simply deleting this file and all drop-ins.
+#
+# Use 'systemd-analyze cat-config systemd/resolved.conf' to display the full config.
+#
+# See resolved.conf(5) for details.
+
+[Resolve]
+# Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
+# Cloudflare: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
+# Google:     8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google
+# Quad9:      9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
+#DNS=
+#FallbackDNS=
+#Domains=
+#DNSSEC=no
+#DNSOverTLS=no
+#MulticastDNS=no
+#LLMNR=no
+#Cache=no-negative
+#CacheFromLocalhost=no
+DNSStubListener=no
+#DNSStubListenerExtra=
+#ReadEtcHosts=yes
+#ResolveUnicastSingleLabel=no