DNS related changes

- Added hostname provisioning
- Added nsswitch.conf provisioning
- Added systemd-resolved provisioning

playbook.yml

@@ -53,10 +53,10 @@
       ansible.builtin.import_tasks: 'handlers.yml'
   vars_files:
     - 'vars/main.yml'
-    - 'vars/nginx.yml'
-    - 'vars/network.yml'
     - 'vars/vpn.yml'
     - 'vars/vpn_media.yml'
+    - 'vars/network.yml'
+    - 'vars/nginx.yml'
     - 'vars/transmission.yml'
     - 'vars/syncthing.yml'
     - 'vars/mpd.yml'

tasks/mpd.yml

@@ -1,3 +1,4 @@
+# TODO: use docker setup
 - name: create mpd directories
   become: true
   file:

tasks/network.yml

@@ -1,29 +1,49 @@
-- name: copy network configuration files
+- name: Copy network configuration files
   become: true
-  template:
+  ansible.builtin.template:
     src: '{{ item.src }}'
     dest: '{{ item.dest }}'
     owner: root
     group: systemd-network
     mode: '0640'
   loop:
-    - {
+    - src: 'templates/network/link1.link.j2'
-        src: 'templates/network/link1.link.j2',
+      dest: '/etc/systemd/network/98-link1.link'
-        dest: '/etc/systemd/network/98-link1.link'
+
-      }
+    - src: 'templates/network/link1.network.j2'
-    - {
+      dest: '/etc/systemd/network/98-link1.network'
-        src: 'templates/network/link1.network.j2',
-        dest: '/etc/systemd/network/98-link1.network',
-      }
   notify:
     - restart systemd-networkd
     - regenerate initramfs # copies the files into the initramfs for when udev needs them
 
-- name: copy /etc/hosts template
+- name: Set hostname
   become: true
-  template:
+  ansible.builtin.hostname:
-    src: 'hosts.j2'
+    name: '{{ hostname }}'
+    use: systemd
+
+- name: Copy hosts file
+  become: true
+  ansible.builtin.template:
+    src: 'network/hosts.j2'
     dest: '/etc/hosts'
     mode: '0644'
     owner: root
-  notify: restart systemd-networkd
+
+- name: Copy resolved.conf configuration
+  become: true
+  ansible.builtin.template:
+    src: 'network/resolved.j2'
+    dest: '/etc/systemd/resolved.conf'
+    mode: '0644'
+    owner: root
+
+- name: Copy firewall template
+  become: true
+  ansible.builtin.template:
+    src: 'templates/nftables.j2'
+    dest: '/etc/nftables.conf'
+    owner: root
+    group: root
+    mode: '0644'
+  notify: restart nftables

tasks/radicale.yml

@@ -1,3 +1,4 @@
+# TODO: use docker setup
 # TODO: update collection path, see https://radicale.org/3.0.html#tutorials/running-as-a-service
 
 - name: add radicale user

tasks/setup.yml

@@ -1,12 +1,10 @@
-- name: Copy firewall template
+- name: Copy nsswitch file
   become: true
   ansible.builtin.template:
-    src: 'templates/nftables.j2'
+    src: 'nsswitch.j2'
-    dest: '/etc/nftables.conf'
+    dest: '/etc/nsswitch.conf'
-    owner: root
-    group: root
     mode: '0644'
-  notify: restart nftables
+    owner: root
 
 - name: Copy ssh template
   become: true

tasks/syncthing.yml

@@ -1,3 +1,4 @@
+# TODO: use docker setup
 - name: create syncthing directory
   file:
     path: '{{ ansible_env.HOME }}/.config/syncthing'

templates/network/hosts.j2

@@ -1,8 +1,10 @@
 # {{ ansible_managed }}
 
 127.0.0.1 	localhost
-127.0.1.1 	zeus
+127.0.1.1 	{{ hostname }}
-{{ lan_ip }} 	{{ domain_name }}
+{{ lan_ip }} 	{{ domain_name }} {{ hostname }}
+{{ vpn_listen_address }}    {{ vpn_domain }}
+{{ vpn_media_listen_address }}    {{ vpn_media_domain }}
 
 # The following lines are desirable for IPv6 capable hosts
 #::1     localhost ip6-localhost ip6-loopback

templates/network/resolved.j2

@@ -0,0 +1,37 @@
+# {{ ansible_managed }}
+#
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it under the
+#  terms of the GNU Lesser General Public License as published by the Free
+#  Software Foundation; either version 2.1 of the License, or (at your option)
+#  any later version.
+#
+# Entries in this file show the compile time defaults. Local configuration
+# should be created by either modifying this file, or by creating "drop-ins" in
+# the resolved.conf.d/ subdirectory. The latter is generally recommended.
+# Defaults can be restored by simply deleting this file and all drop-ins.
+#
+# Use 'systemd-analyze cat-config systemd/resolved.conf' to display the full config.
+#
+# See resolved.conf(5) for details.
+
+[Resolve]
+# Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
+# Cloudflare: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
+# Google:     8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google
+# Quad9:      9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
+#DNS=
+#FallbackDNS=
+#Domains=
+#DNSSEC=no
+#DNSOverTLS=no
+#MulticastDNS=yes
+#LLMNR=yes
+#Cache=yes
+#CacheFromLocalhost=no
+#DNSStubListener=yes
+DNSStubListenerExtra={{ vpn_listen_address }}
+DNSStubListenerExtra={{ vpn_media_listen_address }}
+#ReadEtcHosts=yes
+#ResolveUnicastSingleLabel=no

templates/network/wireguard/default/mobile.wireguard.j2

@@ -2,6 +2,7 @@
 
 [Interface]
 Address={{ vpn_peers.mobile.ip }}/24
+DNS={{ vpn_listen_address }}
 PrivateKey={{ lookup("file", vpn_peers.mobile.private_key_source_path) }}
 
 [Peer]

templates/network/wireguard/media/mobile_1.wireguard.j2

@@ -2,6 +2,7 @@
 
 [Interface]
 Address={{ vpn_media_peers.mobile_peer_1.ip }}/24
+DNS={{ vpn_media_listen_address }}
 PrivateKey={{ lookup('file', vpn_media_peers.mobile_peer_1.private_key_source_path) }}
 
 [Peer]

templates/network/wireguard/media/mobile_2.wireguard.j2

@@ -2,6 +2,7 @@
 
 [Interface]
 Address={{ vpn_media_peers.mobile_peer_2.ip }}/24
+DNS={{ vpn_media_listen_address }}
 PrivateKey={{ lookup('file', vpn_media_peers.mobile_peer_2.private_key_source_path) }}
 
 [Peer]

templates/network/wireguard/media/tv.wireguard.j2

@@ -2,6 +2,7 @@
 
 [Interface]
 Address={{ vpn_media_peers.tv.ip }}/24
+DNS={{ vpn_media_listen_address }}
 PrivateKey={{ lookup('file', vpn_media_peers.tv.private_key_source_path) }}
 
 [Peer]

templates/nftables.j2

@@ -27,6 +27,10 @@ table ip filter {
     iifname "{{ network_interface }}" udp dport {{ vpn_port }} accept comment "Wireguard"
     iifname "{{ network_interface }}" udp dport {{ vpn_media_port }} accept comment "Wireguard media"
 
+    # TODO: create combined rule
+    iifname "{{ vpn_interface }}" tcp dport 53 ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "DNS TCP"
+    iifname "{{ vpn_interface }}" udp dport 53 ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "DNS UDP"
+
     iifname "{{ vpn_interface }}" tcp dport { {{ http_port }}, {{ https_port }} } ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "HTTP/HTTPS"
     iifname "{{ vpn_interface }}" tcp dport {{ transmission_web_port }} ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "Transmission Web"
     iifname "{{ vpn_interface }}" tcp dport { {{ syncthing_gui_port }}, {{ syncthing_protocol_port }} } ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "Syncthing"
@@ -35,6 +39,10 @@ table ip filter {
     iifname "{{ vpn_interface }}" tcp dport {{ mpd_http_stream_port }} ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "MPD HTTP stream"
     iifname "{{ vpn_interface }}" tcp dport {{ mpd_http_mobile_stream_port }} ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "MPD HTTP mobile stream"
 
+    # TODO: create combined rule
+    iifname "{{ vpn_media_interface }}" tcp dport 53 ip saddr {{ vpn_media_source_range }} ip daddr {{ vpn_media_destination_range }} accept comment "DNS TCP"
+    iifname "{{ vpn_media_interface }}" udp dport 53 ip saddr {{ vpn_media_source_range }} ip daddr {{ vpn_media_destination_range }} accept comment "DNS UDP"
+
     iifname "{{ vpn_media_interface }}" tcp dport {{ jellyfin_http_port }} ip saddr {{ vpn_media_source_range }} ip daddr {{ vpn_media_destination_range }} accept comment "Jellyfin HTTP"
     iifname "{{ vpn_media_interface }}" tcp dport {{ jellyfin_service_port }} ip saddr {{ vpn_media_source_range }} ip daddr {{ vpn_media_destination_range }} accept comment "Jellyfin service discovery"
     iifname "{{ vpn_media_interface }}" tcp dport {{ jellyfin_client_port }} ip saddr {{ vpn_media_source_range }} ip daddr {{ vpn_media_destination_range }} accept comment "Jellyfin client discovery"

templates/nsswitch.j2

@@ -0,0 +1,20 @@
+# {{ ansible_managed }}
+#
+# If you have the `glibc-doc-reference' and `info' packages installed, try:
+# `info libc "Name Service Switch"' for information about this file.
+# See /usr/share/libc-bin/nsswitch.conf for an example of a configuration file.
+
+passwd:         files
+group:          files
+shadow:         files
+gshadow:        files
+
+hosts:          mymachines resolve [!UNAVAIL=return] files myhostname dns
+networks:       files
+
+protocols:      db files
+services:       db files
+ethers:         db files
+rpc:            db files
+
+netgroup:       nis

vars/main.yml

@@ -13,3 +13,5 @@ packages:
   - unattended-upgrades
 
 vpn_config_dir: '/etc/wireguard'
+
+hostname: 'fudiggity'

vars/nginx.yml

@@ -1,4 +1,3 @@
-domain_name: 'fudiggity.nl'
 forgejo_domain: 'forgejo.fudiggity.nl'
 woodpecker_domain: 'woodpecker.fudiggity.nl'
 glitchtip_domain: 'glitchtip.fudiggity.nl'

vars/vpn.yml

@@ -1,4 +1,5 @@
 vpn_listen_address: '10.0.0.1'
+vpn_domain: 'vpn.{{ domain_name }}'
 vpn_subnet: '24'
 vpn_port: '51902'
 vpn_interface: 'wg0'

vars/vpn_media.yml

@@ -1,4 +1,5 @@
 vpn_media_listen_address: '10.0.1.1'
+vpn_media_domain: 'media-vpn.{{ domain_name }}'
 vpn_media_subnet: '24'
 vpn_media_port: '51903'
 vpn_media_interface: 'wg1'