From e09fb25104227346ebb30c284efadd105a8c2a10 Mon Sep 17 00:00:00 2001
From: Felix Stupp
Date: Sat, 23 May 2020 17:50:28 +0200
Subject: [PATCH] Added role misc/dnsmasq as dnssec resolver

---
 group_vars/all/vars.yml                   | 11 +++++++++
 group_vars/bwcloud_vserver.yml            |  5 ++++
 group_vars/contabo_vserver.yml            |  4 ++++
 roles/misc/dnsmasq/defaults/main.yml      |  5 ++++
 roles/misc/dnsmasq/handlers/main.yml      |  7 ++++++
 roles/misc/dnsmasq/tasks/main.yml         | 28 +++++++++++++++++++++++
 roles/misc/dnsmasq/templates/dnsmasq.conf | 18 +++++++++++++++
 roles/misc/dnsmasq/templates/resolv.conf  |  2 ++
 8 files changed, 80 insertions(+)
 create mode 100644 roles/misc/dnsmasq/defaults/main.yml
 create mode 100644 roles/misc/dnsmasq/handlers/main.yml
 create mode 100644 roles/misc/dnsmasq/tasks/main.yml
 create mode 100644 roles/misc/dnsmasq/templates/dnsmasq.conf
 create mode 100644 roles/misc/dnsmasq/templates/resolv.conf

diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index 7664d4f..83b1f4f 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -65,6 +65,15 @@ global_apt_sources_directory: "/etc/apt/sources.list.d"
 global_bind_configuration_directory: "/etc/bind"
 global_dns_zones_environment_directory: "{{ global_configuration_environment_directory }}/dns-zones"
 
+global_dns_upstream_servers:
+  - "9.9.9.11"
+  - "149.112.112.11"
+  - "2620:fe::11"
+  - "2620:fe::fe:11"
+
+global_dnsmasq_configuration_file: "/etc/dnsmasq.conf"
+global_dnsmasq_configuration_directory: "/etc/dnsmasq.d"
+
 global_ip_discover_url: "https://keys.banananet.work/ping"
 global_ip_discover_register_pass: "{{ lookup('password', 'credentials/ip_discover/register_pass chars=digits,ascii_letters length=256') }}"
 
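Review bot: `global_dns_upstream_servers` carries no comment about what the dnsmasq role demands of these servers, yet the role's template enables `dnssec` and `dnssec-check-unsigned`, so an upstream that strips RRSIG/DS/NSEC records or ignores the DO bit breaks every lookup on the host (the disabled bwcloud override in this same commit is a case in point). I would add above the list: `# Upstreams for the local validating dnsmasq: they MUST pass DNSSEC records through unchanged, otherwise dnssec-check-unsigned fails all resolution.` The 9.9.9.11 / 149.112.112.11 pair is, as far as I recall, Quad9's ECS-enabled variant; if sending client-subnet data to authoritative servers is unwanted, the non-ECS addresses are the usual choice — confirm against Quad9's published list rather than my memory. Note also that dnsmasq forwards in cleartext on port 53: DNSSEC validation gives integrity for signed zones, not confidentiality of the queries.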
@@ -75,6 +84,8 @@ global_nfs_directory: "{{ global_webservers_directory }}/nfs"
 
 global_pamd: "/etc/pam.d"
 
+global_resolv_conf: "/etc/resolv.conf"
+
 global_ssh_configuration_directory: "/etc/ssh/"
 global_ssh_configuration_environment_directory: "{{ global_configuration_environment_directory }}/ssh"
 global_ssh_configuration_link_name: "config"
diff --git a/group_vars/bwcloud_vserver.yml b/group_vars/bwcloud_vserver.yml
index 6e90082..60ba75d 100644
--- a/group_vars/bwcloud_vserver.yml
+++ b/group_vars/bwcloud_vserver.yml
@@ -3,3 +3,8 @@ bootstrap_user: "debian"
 
 mysql_query_cache_size: 1G
 
+
+# Currently disabled because upstream servers do not support forwarding DNSSEC related records
+#global_dns_upstream_servers:
+#  - 129.143.2.1
+#  - 129.143.2.4
diff --git a/group_vars/contabo_vserver.yml b/group_vars/contabo_vserver.yml
index ed97d53..58c15ef 100644
--- a/group_vars/contabo_vserver.yml
+++ b/group_vars/contabo_vserver.yml
@@ -1 +1,5 @@
 ---
+
+global_dns_upstream_servers:
+  - 213.136.95.10
+  - 213.136.95.11
diff --git a/roles/misc/dnsmasq/defaults/main.yml b/roles/misc/dnsmasq/defaults/main.yml
new file mode 100644
index 0000000..de29f24
--- /dev/null
+++ b/roles/misc/dnsmasq/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+
+listen_address: "127.0.0.53" # Needs to be an address of the loopback device
+
+cache_size: 10000
diff --git a/roles/misc/dnsmasq/handlers/main.yml b/roles/misc/dnsmasq/handlers/main.yml
new file mode 100644
index 0000000..9970616
--- /dev/null
+++ b/roles/misc/dnsmasq/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+
+- name: restart dnsmasq
+  systemd:
+    state: restarted
+    name: dnsmasq.service
+    enabled: yes
diff --git a/roles/misc/dnsmasq/tasks/main.yml b/roles/misc/dnsmasq/tasks/main.yml
new file mode 100644
index 0000000..4a427bc
--- /dev/null
+++ b/roles/misc/dnsmasq/tasks/main.yml
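Review bot: This override replaces the global list wholesale — Ansible does not merge list variables between group_vars files — so contabo hosts lose the IPv6 upstreams and depend entirely on two provider resolvers, which must forward DNSSEC records for the role's `dnssec-check-unsigned` to work at all. The bwcloud file in this commit documents the failing case; the passing case deserves the same note here, e.g. `# Contabo resolvers; must return RRSIG/DS for DO-bit queries (required by roles/misc/dnsmasq). Replaces the global list entirely, so no IPv6 upstreams.` Whether that check was actually performed is not visible in the diff, so I would state the result in the comment rather than leave it implied.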
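Review bot: 127.0.0.53:53 is, to my knowledge, the address systemd-resolved uses for its stub listener; on a host where resolved is active, dnsmasq's `bind-interfaces` startup fails with an address-in-use error, and nothing in the role checks for or masks that service. The inline comment should carry that caveat, and the constraint it does state is never enforced: I would change the line to `listen_address: "127.0.0.53"  # must be a loopback address; also systemd-resolved's stub address, so mask resolved or pick another 127/8 address` and add an `assert` in tasks along the lines of `that: listen_address is match('^127\.')` before the template runs. Minor: yamllint wants two spaces before an inline `#`.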
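Review bot: `enabled: yes` should be `enabled: true`; `yes` is a YAML 1.1 boolean that yamllint's truthy rule flags and that YAML 1.2 parsers read as the string "yes". Worth a comment on the handler too: once resolv.conf points at dnsmasq this restart is a brief outage of the host's only resolver, and as far as I know dnsmasq has no reload signal that re-reads dnsmasq.conf, so a restart is the only option — `# restart (not reload): dnsmasq cannot re-read its config on SIGHUP; expect a short resolver blackout`.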
@@ -0,0 +1,28 @@
+---
+
+- name: Install required packages
+  apt:
+    state: present
+    name:
+      - dnsmasq
+
+- name: Configure dnsmasq
+  template:
+    src: dnsmasq.conf
+    dest: "{{ global_dnsmasq_configuration_directory }}/0_main.conf"
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+    validate: "/usr/sbin/dnsmasq --test --conf-file=%s"
+  notify: restart dnsmasq
+
+- meta: flush_handlers
+
+- name: Configure system to use dnsmasq
+  template:
+    src: resolv.conf
+    dest: "{{ global_resolv_conf }}"
+    owner: root
+    group: root
+    mode: u=r,g=r,o=r
+    attributes: +i # immutable, may will let this task failing
diff --git a/roles/misc/dnsmasq/templates/dnsmasq.conf b/roles/misc/dnsmasq/templates/dnsmasq.conf
new file mode 100644
index 0000000..a53113c
--- /dev/null
+++ b/roles/misc/dnsmasq/templates/dnsmasq.conf
@@ -0,0 +1,18 @@
+# Bind only on loopback interface
+bind-interfaces
+interface=lo
+listen-address={{ listen_address }}
+# Supress resolv.conf
+no-resolv
+no-poll
+# Upstream dns servers
+{% for ip in global_dns_upstream_servers %}
+server={{ ip }}
+{% endfor %}
+# Enable caching
+cache-size={{ cache_size }}
+# Require full domains to be forwarded
+domain-needed
+# Verify dnssec values
+dnssec
+dnssec-check-unsigned
diff --git a/roles/misc/dnsmasq/templates/resolv.conf b/roles/misc/dnsmasq/templates/resolv.conf
new file mode 100644
index 0000000..f96c6a3
--- /dev/null
+++ b/roles/misc/dnsmasq/templates/resolv.conf
@@ -0,0 +1,2 @@
+# resolv.conf generated by Ansible to local dnsmasq
+nameserver {{ listen_address }}
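Review bot: The resolv.conf template runs right after `flush_handlers` with no check that dnsmasq is actually answering on `{{ listen_address }}:53`, and `validate: "/usr/sbin/dnsmasq --test --conf-file=%s"` only parses the fragment by itself, so a conflict with the stock `/etc/dnsmasq.conf` or another `dnsmasq.d` file, or a bind failure on the chosen address, surfaces only at restart — by which time the host has been pointed at a dead resolver, including for the rest of the play. A `wait_for` on the port before writing resolv.conf turns that into a failed task instead of a host without DNS. The `attributes: +i` line also makes the task non-idempotent by the author's own comment ("may will let this task failing"): every later run hits the immutable file, so the bit has to be dropped before the template writes. The `file` module refuses a missing path, hence the `stat` guard; on systemd-resolved hosts resolv.conf is commonly a symlink, which this still does not address.
```yaml
# … unchanged: install, configure dnsmasq, flush_handlers …

- name: Wait for dnsmasq to accept queries before switching resolv.conf
  wait_for:
    host: "{{ listen_address }}"
    port: 53
    timeout: 30

- name: Check whether resolv.conf already exists
  stat:
    path: "{{ global_resolv_conf }}"
  register: resolv_conf_stat

- name: Drop the immutable bit so the template can rewrite resolv.conf
  file:
    path: "{{ global_resolv_conf }}"
    attributes: -i
  when: resolv_conf_stat.stat.exists

# … unchanged: "Configure system to use dnsmasq" template task …
```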
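Review bot: `dnssec` is enabled without any trust anchor in this template: dnsmasq validates against the root KSK supplied via `trust-anchor=` or an included `trust-anchors.conf`, and as far as I recall it refuses to start with "no trust anchors provided for DNSSEC" when none is configured, unless the stock `/etc/dnsmasq.conf` (not part of this diff) has its `conf-file=…/trust-anchors.conf` line uncommented. Since that stock file is outside the role's control, I would make the anchor explicit here, directly above `dnssec`: `conf-file=/usr/share/dnsmasq/trust-anchors.conf` with `# root KSK trust anchors shipped by the Debian package; must be refreshed on a root KSK rollover` — check the exact path on the target release. Two smaller points: `# Supress resolv.conf` should read `# Suppress resolv.conf`, and the `# Verify dnssec values` comment would be more honest as `# Validate DNSSEC; forwarding itself is still plaintext DNS on port 53`.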