diff --git a/ansible-deployment/README.md b/ansible-deployment/README.md
new file mode 100644
index 00000000..84fe818f
--- /dev/null
+++ b/ansible-deployment/README.md
@@ -0,0 +1,43 @@
+Role Name
+=========
+
+An ansible playbook for deploy dim
+
+Requirements
+------------
+
+`python3` on the remote servers (dnf install python36 -y)
+
+This ansible only works on `Rocky Linux 8.5`, for more linux distro please test it.
+
+`Sudoer user`: The ansible user should be a member of the wheel group. and can use sudo without password.
+
+**Befor you run the ansible dim, you need to install the following packages:**
+
+```bash
+ansible-galaxy collection install ansible.posix
+ansible-galaxy collection install community.mysql
+```
+
+Role Variables
+--------------
+
+Check the `inventory` directory for a list of variables that can be passed into the role.
+
+
+How to use
+-----------
+
+```bash
+ansible-playbook -i inventory/dim-servers.ini dim.yml --become --become-method=sudo
+```
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+Milad Norouzi (milad.norouzi1370@gmail.com)
diff --git a/ansible-deployment/dim.yml b/ansible-deployment/dim.yml
new file mode 100644
index 00000000..27c984a1
--- /dev/null
+++ b/ansible-deployment/dim.yml
@@ -0,0 +1,5 @@
+- hosts: all
+ roles:
+ - role: dim
+ gather_facts: yes
+ any_errors_fatal: true
diff --git a/ansible-deployment/inventory/dim-servers.ini b/ansible-deployment/inventory/dim-servers.ini
new file mode 100644
index 00000000..20406b03
--- /dev/null
+++ b/ansible-deployment/inventory/dim-servers.ini
@@ -0,0 +1,7 @@
+[all]
+dim ansible_host=5.34.207.235
+
+[all:vars]
+ansible_user=rocky
+ansible_port=22
+ansible_python_interpreter = "/usr/bin/python3"
diff --git a/ansible-deployment/inventory/group_vars/all.yaml b/ansible-deployment/inventory/group_vars/all.yaml
new file mode 100644
index 00000000..51afdd42
--- /dev/null
+++ b/ansible-deployment/inventory/group_vars/all.yaml
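Review bot: `gather_facts: yes` in dim.yml is a YAML 1.1 truthy that yamllint flags, while the play's other boolean on the next line is already written as `true`; make it `gather_facts: true`. The play also has no `name:`, which makes playbook output harder to follow; `- name: Deploy DIM` above `hosts: all` fixes that.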
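Review bot: The inventory commits what looks like a real public address (`ansible_host=5.34.207.235`) together with the SSH user for it, which turns the repository into a map of the deployment target. Keep the real inventory out of version control and ship an example instead (e.g. `inventory/dim-servers.ini.example` with `ansible_host=<dim-server-ip>`), adding the real file to `.gitignore`. Unrelated: `ansible_python_interpreter = "/usr/bin/python3"` is the only key written with spaces around `=`; match the other lines for consistency.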
@@ -0,0 +1,67 @@ +# General +install_ansible_modules: "true" +disable_transparent_huge_pages: "true" +setup_interface: "false" + +# Domain +domain_name: "example.com" + +#DIM-Network +network_path: "/etc/sysconfig/network-scripts" +network_scripts_url: "https://dl.rockylinux.org/pub/rocky/9/devel/x86_64/os/Packages/n/network-scripts-10.11.5-1.el9.x86_64.rpm" # For rocky linux 9 +network_scripts_dest: "/tmp" +network_scripts_package: "network-scripts-10.11.5-1.el9.x86_64.rpm" + +# DIM DB +dim_db_name: "dim" +pdns_int_db_name: "pdns_int" +pdns_pub_db_name: "pdns_pub" + + +# DIM DB info +dim_db_user_name: "dim_user" +dim_db_user_password: "dim_pass" +dim_db_priv: "dim.*:ALL" +dim_secret_key: "SuperSecretTtestkey" + +# pdns_int DB info +dim_pdns_int_db_user_name: "dim_pdns_int_user" +dim_pdns_int_db_user_password: "SuperSecret1" +dim_pdns_int_db_priv: "pdns_int.*:INSERT,UPDATE,DELETE,SELECT" +pdns_int_db_user_name: "pdns_int_user" +pdns_int_db_user_password: "SuperSecret4" +pdns_int_db_priv: "pdns_int.*:SELECT" + +# pdns_pub DB info +dim_pdns_pub_db_user_name: "dim_pdns_pub_user" +dim_pdns_pub_db_user_password: "SuperSecret2" +dim_pdns_pub_db_priv: "pdns_pub.*:INSERT,UPDATE,DELETE,SELECT" +pdns_pub_db_user_name: "pdns_pub_user" +pdns_pub_db_user_password: "SuperSecret3" +pdns_pub_db_priv: "pdns_pub.*:SELECT" + +# SQL +sql_url: "https://raw.githubusercontent.com/1and1/dim/master/dim/pdns.sql" +sql_file_path: "/tmp/pdns.sql" + +# PowerDNS +pdns_conf_dir: "/etc/pdns" +pdns_recursor_conf_path: "/etc/pdns-recursor" + +# DIM +dim_config_path: "/etc/dim" +din_example_path: "/srv/http/dim.example.com" + +dim_url: "https://github.com/1and1/dim/releases/download/dim-4.0.9/dim-4.0.9-1.el8.x86_64.rpm" +dimclient_url: "https://github.com/1and1/dim/releases/download/dimclient-0.4.5/python3-dimclient-0.4.5-1.el8.x86_64.rpm" +ndcli_url: "https://github.com/1and1/dim/releases/download/ndcli-4.0.3/python3-ndcli-4.0.3-1.el8.x86_64.rpm" +dim_web_url: 
"https://github.com/1and1/dim/releases/download/dim-web-0.1/python3-dim-web-0.1-1.el8.x86_64.rpm" + +dim_repo: "https://github.com/1and1/dim" +dim_repo_dest: "/usr/local/src/dim" + +# Httpd +httpd_conf_path: "/etc/httpd/conf.d" + +# wsgi +wsgi_path: "/opt/dim" diff --git a/ansible-deployment/roles/dim/.travis.yml b/ansible-deployment/roles/dim/.travis.yml new file mode 100644 index 00000000..36bbf620 --- /dev/null +++ b/ansible-deployment/roles/dim/.travis.yml @@ -0,0 +1,29 @@ +--- +language: python +python: "2.7" + +# Use the new container infrastructure +sudo: false + +# Install ansible +addons: + apt: + packages: + - python-pip + +install: + # Install ansible + - pip install ansible + + # Check ansible version + - ansible --version + + # Create ansible.cfg with correct roles_path + - printf '[defaults]\nroles_path=../' >ansible.cfg + +script: + # Basic role syntax check + - ansible-playbook tests/test.yml -i tests/inventory --syntax-check + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ \ No newline at end of file diff --git a/ansible-deployment/roles/dim/defaults/main.yml b/ansible-deployment/roles/dim/defaults/main.yml new file mode 100644 index 00000000..bf7a40fc --- /dev/null +++ b/ansible-deployment/roles/dim/defaults/main.yml @@ -0,0 +1,2 @@ +--- +# defaults file for dim \ No newline at end of file diff --git a/ansible-deployment/roles/dim/files/dim.wsgi b/ansible-deployment/roles/dim/files/dim.wsgi new file mode 100644 index 00000000..aecc0e0c --- /dev/null +++ b/ansible-deployment/roles/dim/files/dim.wsgi @@ -0,0 +1,2 @@ +from dim import create_app +application = create_app() diff --git a/ansible-deployment/roles/dim/files/ifcfg-lo-bind-int b/ansible-deployment/roles/dim/files/ifcfg-lo-bind-int new file mode 100644 index 00000000..1574762a --- /dev/null +++ b/ansible-deployment/roles/dim/files/ifcfg-lo-bind-int 
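Review bot: Every credential this role uses is a cleartext default in group_vars (`dim_db_user_password: "dim_pass"`, `dim_secret_key`, the `SuperSecret1`–`SuperSecret4` database passwords), and group_vars/all.yaml applies to every host, so anyone with read access to the repository knows the database passwords and the Flask secret of each deployment. Move these into an ansible-vault-encrypted file (e.g. `group_vars/all/vault.yaml`) or pull them from the environment, `dim_secret_key: "{{ lookup('env', 'DIM_SECRET_KEY') }}"`, and leave the committed file with placeholders. Two smaller points in the same hunk: `install_ansible_modules: "true"` and its two neighbours are strings rather than booleans, so a `when: install_ansible_modules` would always be truthy, and `din_example_path` looks like a typo for `dim_example_path` (the same spelling is used in tasks/dim.yml, so rename both together).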
@@ -0,0 +1,8 @@
+DEVICE=lo
+IPADDR=127.4.0.1
+NETMASK=255.0.0.0
+NETWORK=127.0.0.0
+BROADCAST=127.255.255.255
+ONBOOT=yes
+NAME=loopback4
+NM_CONTROLLED=no
diff --git a/ansible-deployment/roles/dim/files/ifcfg-lo-pdns-int b/ansible-deployment/roles/dim/files/ifcfg-lo-pdns-int
new file mode 100644
index 00000000..402b8d62
--- /dev/null
+++ b/ansible-deployment/roles/dim/files/ifcfg-lo-pdns-int
@@ -0,0 +1,8 @@
+DEVICE=lo
+IPADDR=127.1.0.1
+NETMASK=255.0.0.0
+NETWORK=127.0.0.0
+BROADCAST=127.255.255.255
+ONBOOT=yes
+NAME=loopback1
+NM_CONTROLLED=no
diff --git a/ansible-deployment/roles/dim/files/ifcfg-lo-pdns-pub b/ansible-deployment/roles/dim/files/ifcfg-lo-pdns-pub
new file mode 100644
index 00000000..fbbb23af
--- /dev/null
+++ b/ansible-deployment/roles/dim/files/ifcfg-lo-pdns-pub
@@ -0,0 +1,8 @@
+DEVICE=lo
+IPADDR=127.2.0.1
+NETMASK=255.0.0.0
+NETWORK=127.0.0.0
+BROADCAST=127.255.255.255
+ONBOOT=yes
+NAME=loopback2
+NM_CONTROLLED=no
diff --git a/ansible-deployment/roles/dim/files/ifcfg-lo-pdns-rec-int b/ansible-deployment/roles/dim/files/ifcfg-lo-pdns-rec-int
new file mode 100644
index 00000000..978041e4
--- /dev/null
+++ b/ansible-deployment/roles/dim/files/ifcfg-lo-pdns-rec-int
@@ -0,0 +1,8 @@
+DEVICE=lo
+IPADDR=127.3.0.1
+NETMASK=255.0.0.0
+NETWORK=127.0.0.0
+BROADCAST=127.255.255.255
+ONBOOT=yes
+NAME=loopback3
+NM_CONTROLLED=no
diff --git a/ansible-deployment/roles/dim/files/my.cnf b/ansible-deployment/roles/dim/files/my.cnf
new file mode 100644
index 00000000..ae341b29
--- /dev/null
+++ b/ansible-deployment/roles/dim/files/my.cnf
@@ -0,0 +1,5 @@
+[client]
+user=root
+password=
+
+
diff --git a/ansible-deployment/roles/dim/files/query.sh b/ansible-deployment/roles/dim/files/query.sh
new file mode 100644
index 00000000..16e1c91d
--- /dev/null
+++ b/ansible-deployment/roles/dim/files/query.sh
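Review bot: The four ifcfg files carry no comment saying what each loopback alias is for, and the mapping is only recoverable from other files in this commit: 127.1.0.1 is `local-address` in pdns-int.conf.j2, 127.2.0.1 in pdns-pub.conf.j2 and 127.3.0.1 in recursor-int.conf.j2, while 127.4.0.1 (this file, ifcfg-lo-bind-int) is not referenced by anything else here. A one-line header in each file, e.g. `# Loopback alias for the internal PowerDNS authoritative instance (see templates/pdns-int.conf.j2)`, would make that explicit; the same applies to ifcfg-lo-pdns-int, ifcfg-lo-pdns-pub and ifcfg-lo-pdns-rec-int. If bind-int really is unused, dropping it (and its copy task in tasks/network.yml) avoids configuring an address nothing listens on.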
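Review bot: `/root/.my.cnf` is written with `user=root` and an empty `password=`, and files/query.sh blanks the MariaDB root password so that this works; the net effect is that any process running as root on the host authenticates to MariaDB as root with no credential at all, which is weaker than current MariaDB packaging (where root is typically limited to the unix_socket plugin). The community.mysql modules in tasks/mariadb.yml can authenticate through the socket instead — `login_unix_socket: /var/lib/mysql/mysql.sock`, the same socket the pdns-*.conf.j2 templates already use — which lets both query.sh and this file be dropped. If a client file is kept for operators, it should at least not carry an empty password, and the task that installs it should not need to restart the server.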
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+# This script set empty password for user root to allow to connect to the database anonymously
+# Tested on Rocky linux 9
+
+sudo mysql -uroot -e "SET PASSWORD FOR 'root'@'localhost' = PASSWORD('');"
+sudo mysql -uroot -e "ALTER USER 'root'@'localhost' IDENTIFIED BY '';"
+sudo mysql -uroot -e "FLUSH PRIVILEGES;"
+sudo mysql -uroot -e "ALTER USER 'root'@'localhost' IDENTIFIED BY '';"
+sudo mysql -uroot -e "FLUSH PRIVILEGES;"
+sudo mysql -uroot -e "SET PASSWORD FOR 'root'@'localhost' = PASSWORD('');"
diff --git a/ansible-deployment/roles/dim/handlers/main.yml b/ansible-deployment/roles/dim/handlers/main.yml
new file mode 100644
index 00000000..4d4d3d79
--- /dev/null
+++ b/ansible-deployment/roles/dim/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+# handlers file for dim
+- name: Restart mariadb
+ systemd:
+ name: mariadb
+ state: restarted
+
+- name: Reload systemctl daemon
+ systemd:
+ daemon_reload: yes
\ No newline at end of file
diff --git a/ansible-deployment/roles/dim/meta/main.yml b/ansible-deployment/roles/dim/meta/main.yml
new file mode 100644
index 00000000..227ad9c3
--- /dev/null
+++ b/ansible-deployment/roles/dim/meta/main.yml
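Review bot: Lines 6–11 run each of the three statements twice, so the script is either relying on one of the two forms failing (`SET PASSWORD ... = PASSWORD('')` versus `ALTER USER ... IDENTIFIED BY ''`) or is simply duplicated; with no `set -e` a failure is invisible and the Ansible `shell` task only sees the exit status of the last `mysql` call. Keep one form per statement and start the script with `set -euo pipefail`, or better, express this in tasks/mariadb.yml with `community.mysql.mysql_user` so it is idempotent and reported. The header comment is also misleading — an empty password is not an anonymous connection — and `# Tested on Rocky linux 9` contradicts the README's "only works on Rocky Linux 8.5". The `sudo` prefixes are redundant when the playbook is run with `--become` as the README instructs.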
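Review bot: `daemon_reload: yes` in the handlers file is a YAML 1.1 truthy; the rest of the role writes booleans as `true`, so `daemon_reload: true`. Both handlers use the short module name `systemd`; the fully qualified `ansible.builtin.systemd` matches the `ansible.posix.*` and `community.mysql.*` names used in the tasks and avoids collection-resolution surprises.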
@@ -0,0 +1,53 @@ +galaxy_info: + author: your name + description: your role description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.9 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. + \ No newline at end of file diff --git a/ansible-deployment/roles/dim/tasks/basic.yml b/ansible-deployment/roles/dim/tasks/basic.yml new file mode 100644 index 00000000..1958f701 --- /dev/null +++ b/ansible-deployment/roles/dim/tasks/basic.yml 
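Review bot: The galaxy metadata is still the unedited `ansible-galaxy init` skeleton — `author: your name`, `description: your role description`, `company: your company (optional)` and `license: license (GPL-2.0-or-later, MIT, etc)` — while the README says the role is BSD-licensed by Milad Norouzi. Fill these in (e.g. `license: BSD-3-Clause`), list the supported platform under `platforms:` (the README names Rocky Linux 8.5), and delete the template comments that no longer apply. `min_ansible_version: 2.9` is an unquoted float; quote it as `"2.9"` so a future `2.10` is not read as `2.1`.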
@@ -0,0 +1,58 @@ +- name: Disable SELinux policy permanently + ansible.posix.selinux: + policy: targeted + state: disabled + +- name: Disable SELinux policy + shell: + cmd: setenforce 0 + ignore_errors: true + +- name: Gather firewalld is installed + package_facts: + manager: auto + +- name: Stop and disable firewalld + systemd: + name: firewalld + state: stopped + enabled: false + when: "'firewalld' in ansible_facts.packages" + +- name: Enable epel-release + dnf: + name: epel-release + state: present + +- name: Install necessary packages + dnf: + name: + - wget + - htop + - bind-utils + - vim + - nload + - bc + - chkconfig + - initscripts + - python3-pip + - network-scripts + state: present + update_cache: true + +- name: Install python packages with pip + pip: + name: PyMySQL + + +#### Uncomment it for Rocky linux 9 +# - name: Download network-scripts package +# get_url: +# url: "{{ network_scripts_url }}" +# dest: "{{ network_scripts_dest }}" + +# - name: Install network-scripts package +# dnf: +# name: "{{ network_scripts_dest }}/{{ network_scripts_package }}" +# state: present + diff --git a/ansible-deployment/roles/dim/tasks/dim.yml b/ansible-deployment/roles/dim/tasks/dim.yml new file mode 100644 index 00000000..d72b6674 --- /dev/null +++ b/ansible-deployment/roles/dim/tasks/dim.yml 
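Review bot: The first four tasks permanently disable SELinux (`state: disabled` plus `shell: setenforce 0`) and stop and disable firewalld on every host, with no variable to opt out and no comment on what in DIM, PowerDNS or httpd needs it. Prefer leaving SELinux enforcing and addressing the specific denials — `ansible.posix.selinux` with `state: permissive` is enough to collect them and makes the separate `setenforce` task unnecessary — and keep firewalld running with only the required ports opened through `ansible.posix.firewalld`. If the role genuinely requires these, guard them with a documented variable such as `dim_disable_selinux: false` and put the reason in a comment above the tasks. Also, `pip: name: PyMySQL` installs an unpinned package from PyPI at play time; the distribution's `python3-PyMySQL` RPM (if present in the enabled repos) is reproducible and is what `community.mysql` needs.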
@@ -0,0 +1,131 @@ +- name: Install necessary packages + dnf: + name: + - git + - java-1.8.0-openjdk-devel + - python3-mod_wsgi + - mod_ssl + - bash-completion + state: present + update_cache: true + +- name: Create necessary directories + file: + path: "{{ item }}" + state: directory + loop: + - "{{ dim_config_path }}" + - "{{ din_example_path }}" + +- name: Install DIM and related packages + dnf: + name: "{{ item }}" + state: present + loop: + - "{{ dim_url }}" + - "{{ dimclient_url }}" + - "{{ ndcli_url }}" + - "{{ dim_web_url }}" + +- name: Clone the dim repository + git: + repo: "{{ dim_repo }}" + dest: "{{ dim_repo_dest }}" + clone: yes + update: yes + +- name: copy dim build script + template: + src: build.sh.j2 + dest: "{{ dim_repo_dest }}/build.sh" + owner: root + group: root + mode: 0755 + +- name: Runnig build.sh script, it make more time to build (10-15 minutes) + debug: + msg: "Let's go and drink coffee, you are tired :)) " + +- name: Execute build.sh script + shell: + cmd: bash "{{ dim_repo_dest }}/build.sh" + +- name: Find JAR file in {{ wsgi_path }} + find: + paths: "{{ wsgi_path }}" + patterns: "*.jar" + register: jar_file + +- name: Print the jar file name + debug: + msg: "The JAR file found is {{ jar_file.files[0].path }}" + when: jar_file.matched > 0 + +- name: Create pdns-output systemd unit file + template: + src: pdns-output.service.j2 + dest: /etc/systemd/system/pdns-output.service + owner: root + group: root + notify: Reload systemctl daemon + +- name: Copy dim.cfg config file + template: + src: dim.cfg.j2 + dest: "{{ dim_config_path }}/dim.cfg" + owner: root + group: root + +- name: Clear contents of {{ httpd_conf_path }}/welcome.conf + copy: + dest: "{{httpd_conf_path}}/welcome.conf" + content: "" + owner: root + group: root + +- name: Copy dim.wsgi config + copy: + src: dim.wsgi + dest: "{{ wsgi_path }}/dim.wsgi" + owner: root + group: root + +- name: Setup wsgi.conf for dim.{{ domain_name }} + template: + src: wsgi.conf.j2 + dest: "{{ 
httpd_conf_path }}/dim.{{ domain_name }}.conf"
+ owner: root
+ group: root
+
+- name: Start and enable httpd service
+ systemd:
+ name: httpd
+ state: restarted
+ enabled: true
+
+- name: Create table in databases
+ shell:
+ cmd: /opt/dim/bin/manage_db init
+ ignore_errors: true
+
+- name: Create .ndclirc configuration file in {{ ansible_user }} home directory
+ copy:
+ dest: "/home/{{ ansible_user }}/.ndclirc" # Adjust the path as needed based on your user environment
+ content: |
+ server=http://localhost/dim
+ username=user
+ owner: "{{ ansible_user }}"
+ group: "{{ ansible_user }}"
+ mode: '0644'
+
+- name: Copy pdns-output config
+ template:
+ src: pdns-output.properties.j2
+ dest: "{{ dim_config_path }}/pdns-output.properties"
+
+- name: Start and enable pdns-output service
+ systemd:
+ name: pdns-output
+ state: restarted
+ enabled: true
+ notify: Reload systemctl daemon
diff --git a/ansible-deployment/roles/dim/tasks/main.yml b/ansible-deployment/roles/dim/tasks/main.yml
new file mode 100644
index 00000000..4140c94f
--- /dev/null
+++ b/ansible-deployment/roles/dim/tasks/main.yml
@@ -0,0 +1,17 @@
+---
+# tasks file for dim
+
+- name: Basic setup
+ include_tasks: basic.yml
+
+- name: Configure network
+ include_tasks: network.yml
+
+- name: Configure mariadb
+ include_tasks: mariadb.yml
+
+- name: Configure PowerDNS
+ include_tasks: powerdns.yml
+
+- name: Setup DIM
+ include_tasks: dim.yml
diff --git a/ansible-deployment/roles/dim/tasks/mariadb.yml b/ansible-deployment/roles/dim/tasks/mariadb.yml
new file mode 100644
index 00000000..cffd7d6c
--- /dev/null
+++ b/ansible-deployment/roles/dim/tasks/mariadb.yml
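Review bot: `Start and enable pdns-output service` notifies `Reload systemctl daemon`, but handlers only run at the end of the play, so the restart happens before systemd has re-read the unit file written by `Create pdns-output systemd unit file` earlier in this hunk; put `daemon_reload: true` on the `systemd` task that starts `pdns-output` (the notify can then go). That unit template expands `jar_file.files[0].path`, yet unlike the debug task it is not guarded by `when: jar_file.matched > 0`, so a failed build surfaces as an undefined-variable error instead of a clear message; an `assert` on `jar_file.matched > 0` right after the `find` would do. `Create table in databases` runs `manage_db init` with `ignore_errors: true`, which hides a genuinely broken database setup; if the purpose is to tolerate re-runs, register the result and check its output. The `.ndclirc` file also commits `username=user` with no matching account creation visible in this commit, so document where that user is expected to come from.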
@@ -0,0 +1,98 @@ +- name: Install database packages + dnf: + name: + - mariadb-server + state: present + update_cache: true + +- name: Start and enable mariadb + systemd: + name: mariadb + state: started + enabled: true + +- name: Copy query.sh to /root + copy: + src: query.sh + dest: /root/query.sh + owner: root + group: root + mode: 0755 + +- name: Execute query.sh + shell: + cmd: bash /root/query.sh + +- name: Copy mariadb config + copy: + src: my.cnf + dest: /root/.my.cnf + owner: root + group: root + mode: 0600 + notify: Restart mariadb + +- name: Create mariadb database + community.mysql.mysql_db: + name: + - "{{ dim_db_name }}" + - "{{ pdns_int_db_name }}" + - "{{ pdns_pub_db_name }}" + state: present + +- name: Ensure dim_user has the specified privileges + community.mysql.mysql_user: + name: "{{ dim_db_user_name}}" + password: "{{ dim_db_user_password }}" + host: "localhost" + priv: "{{ dim_db_priv }}" + state: present + +- name: Grant INSERT, UPDATE, DELETE, SELECT on pdns_int.* to user + community.mysql.mysql_user: + name: "{{ dim_pdns_int_db_user_name}}" + password: "{{ dim_pdns_int_db_user_password }}" + host: "localhost" + priv: "{{ dim_pdns_int_db_priv }}" + state: present + +- name: Grant INSERT, UPDATE, DELETE, SELECT on pdns_pub.* to user + community.mysql.mysql_user: + name: "{{ dim_pdns_pub_db_user_name}}" + password: "{{ dim_pdns_pub_db_user_password }}" + host: "localhost" + priv: "{{ dim_pdns_pub_db_priv }}" + state: present + +- name: Grant SELECT on pdns_pub.* to user + community.mysql.mysql_user: + name: "{{ pdns_pub_db_user_name}}" + password: "{{ pdns_pub_db_user_password }}" + host: "localhost" + priv: "{{ pdns_pub_db_priv }}" + state: present + +- name: Grant SELECT on pdns_int.* to user + community.mysql.mysql_user: + name: "{{ pdns_int_db_user_name}}" + password: "{{ pdns_int_db_user_password }}" + host: "localhost" + priv: "{{ pdns_int_db_priv }}" + state: present + +- name: Download SQL script + get_url: + url: "{{ sql_url }}" + 
dest: "{{ sql_file_path }}"
+
+- name: Execute SQL script on pdns_int database
+ community.mysql.mysql_db:
+ name: "{{ pdns_int_db_name }}"
+ state: import
+ target: "{{ sql_file_path }}"
+
+- name: Execute SQL script on pdns_pub database
+ community.mysql.mysql_db:
+ name: "{{ pdns_pub_db_name }}"
+ state: import
+ target: "{{ sql_file_path }}"
diff --git a/ansible-deployment/roles/dim/tasks/network.yml b/ansible-deployment/roles/dim/tasks/network.yml
new file mode 100644
index 00000000..4c6540ce
--- /dev/null
+++ b/ansible-deployment/roles/dim/tasks/network.yml
@@ -0,0 +1,33 @@
+- name: Enable network service
+ systemd:
+ name: network
+ enabled: true
+
+- name: Copy ifcfg-lo-pdns-int to {{ network_path }}
+ copy:
+ src: ifcfg-lo-pdns-int
+ dest: "{{ network_path }}/ifcfg-lo-pdns-int"
+ owner: root
+ group: root
+
+- name: Copy ifcfg-lo-pdns-pub to {{ network_path }}
+ copy:
+ src: ifcfg-lo-pdns-pub
+ dest: "{{ network_path }}/ifcfg-lo-pdns-pub"
+ owner: root
+ group: root
+
+- name: Copy ifcfg-lo-pdns-rec-int to {{ network_path }}
+ copy:
+ src: ifcfg-lo-pdns-rec-int
+ dest: "{{ network_path }}/ifcfg-lo-pdns-rec-int"
+ owner: root
+ group: root
+
+- name: Copy ifcfg-lo-bind-int to {{ network_path }}
+ copy:
+ src: ifcfg-lo-bind-int
+ dest: "{{ network_path }}/ifcfg-lo-bind-int"
+ owner: root
+ group: root
+
diff --git a/ansible-deployment/roles/dim/tasks/powerdns.yml b/ansible-deployment/roles/dim/tasks/powerdns.yml
new file mode 100644
index 00000000..2d546bcb
--- /dev/null
+++ b/ansible-deployment/roles/dim/tasks/powerdns.yml
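Review bot: `Download SQL script` fetches `pdns.sql` from the `master` branch of the upstream repository (`sql_url` in group_vars) with no `checksum:`, so the schema applied to both PowerDNS databases can change between runs and the play trusts whatever the remote returns; pin the URL to a tag and add `checksum: "sha256:<expected digest>"` to the `get_url` task. The two `state: import` tasks also re-run on every play, which for a `CREATE TABLE` schema normally fails once the tables exist (pdns.sql is not shown here, so confirm whether it is written to be re-runnable); registering the `mysql_db` creation task and importing only `when: ... is changed`, or shipping the schema as a role file, avoids both problems. Smaller points: `Copy mariadb config` notifies `Restart mariadb` although `/root/.my.cnf` is a client file the server never reads, and `"{{ dim_db_user_name}}"` (and the other four `name:` lines) is missing the space before `}}`. The mariadb.yml hunk starts outside this line.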
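Review bot: The four ifcfg-lo-* files are copied into `{{ network_path }}` but nothing brings the interfaces up: `Enable network service` only sets `enabled: true` with no `state:`, and none of the copy tasks notifies a handler, so the 127.1.0.1/127.2.0.1/127.3.0.1 addresses that the PowerDNS templates bind to appear only after a reboot unless something outside this commit does it. Add `state: started` to the first task and a `Restart network` handler (`state: restarted`) notified by each copy task, and give the copied files an explicit `mode:`. The four copy tasks repeat the same pattern; a single `copy` task with `loop:` over the file names is shorter and keeps them in sync.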
@@ -0,0 +1,78 @@ +- name: Install PowerDNS packages + dnf: + name: + - pdns-backend-mysql + - pdns-tools + - pdns-recursor + state: present + update_cache: true + +- name: Delete PowerDNS config file + file: + path: "{{ pdns_conf_dir }}/pdns.conf" + state: absent + +- name: Create int directory + file: + path: "{{ pdns_conf_dir }}/int" + state: directory + +- name: Create pub directory + file: + path: "{{ pdns_conf_dir }}/pub" + state: directory + +- name: Copy pdns internal config + template: + src: pdns-int.conf.j2 + dest: "{{ pdns_conf_dir }}/pdns-int.conf" + +- name: Copy pdns public config + template: + src: pdns-pub.conf.j2 + dest: "{{ pdns_conf_dir }}/pdns-pub.conf" + +- name: Start and enabled pdns internal service + systemd: + name: pdns@int + state: started + enabled: true + +- name: Start and enabled pdns public service + systemd: + name: pdns@pub + state: started + enabled: true + +- name: Delete PowerDNS recursor config file + file: + path: "{{ pdns_recursor_conf_path }}/recursor.conf" + state: absent + +- name: Create PowerDNS recursor directory + file: + path: "{{ pdns_recursor_conf_path }}/int" + state: directory + +- name: Copy recursor-int config file + template: + src: recursor-int.conf.j2 + dest: "{{ pdns_recursor_conf_path }}/recursor-int.conf" + +- name: Copy forward.zones file + template: + src: forward.zones.j2 + dest: "{{ pdns_recursor_conf_path }}/int/forward.zones" + +- name: Copy nta.lua + template: + src: nta.lua.j2 + dest: "{{ pdns_recursor_conf_path }}/int/nta.lua" + +- name: Start and enabled pdns recursor service + systemd: + name: pdns-recursor@int + state: started + enabled: true + + diff --git a/ansible-deployment/roles/dim/templates/build.sh.j2 b/ansible-deployment/roles/dim/templates/build.sh.j2 new file mode 100644 index 00000000..701593be --- /dev/null +++ b/ansible-deployment/roles/dim/templates/build.sh.j2 
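Review bot: The templated `pdns-int.conf` and `pdns-pub.conf` contain `gmysql-password=...`, yet the two `template` tasks set no `owner`, `group` or `mode`, so the files get whatever the remote umask gives (commonly world-readable) and the database passwords become readable by every local user; add `owner: root`, `group: pdns` and `mode: "0640"` to both tasks (the templates already run the daemon with `setgid=pdns`). For consistency do the same on `recursor-int.conf`, `forward.zones` and `nta.lua`. `Delete PowerDNS config file` removes the packaged `pdns.conf` on every run without saying why; a short comment above it stating the reason would help the next reader. The task names `Start and enabled ...` should read `Start and enable ...`.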
@@ -0,0 +1,12 @@ +#!/bin/bash + +cd {{ dim_repo_dest }} +cd .. + +cd dim/pdns-output +cd jdnssec-dnsjava && ../../gradlew build -x test && ../../gradlew publishToMavenLocal; cd .. +cd jdnssec-tools && ../../gradlew build -x test && ../../gradlew publishToMavenLocal; cd .. +cd gmp-rsa && ../../gradlew build -x test && ../../gradlew publishToMavenLocal; cd .. +cd pdns-output && ../../gradlew shadowJar -x test; cd .. +cp pdns-output/build/libs/pdns-output-4.0.0-all.jar /opt/dim +cd .. diff --git a/ansible-deployment/roles/dim/templates/dim.cfg.j2 b/ansible-deployment/roles/dim/templates/dim.cfg.j2 new file mode 100644 index 00000000..d71bad76 --- /dev/null +++ b/ansible-deployment/roles/dim/templates/dim.cfg.j2 
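Review bot: The script has no `set -e`, and each `cd X && ... ; cd ..` line falls through to `cd ..` even when `cd X` fails, so a missing directory leaves the remaining commands running one level up while the Ansible `shell` task only sees the exit status of the final `cd ..`. The opening `cd {{ dim_repo_dest }}` / `cd ..` / `cd dim/pdns-output` also hard-codes that the checkout directory is named `dim`; `cd "{{ dim_repo_dest }}/pdns-output"` does the same thing without the assumption. The `cp` hard-codes `pdns-output-4.0.0-all.jar` while tasks/dim.yml later globs `*.jar` in `/opt/dim`, so a version bump in the repository breaks one of the two; use the same glob in both places. A subshell per module keeps the working directory honest:

```shell
#!/bin/bash
set -euo pipefail

cd "{{ dim_repo_dest }}/pdns-output"
for module in jdnssec-dnsjava jdnssec-tools gmp-rsa; do
  (cd "$module" && ../../gradlew build -x test && ../../gradlew publishToMavenLocal)
done
(cd pdns-output && ../../gradlew shadowJar -x test)
cp pdns-output/build/libs/pdns-output-*-all.jar /opt/dim
```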
@@ -0,0 +1,42 @@ +DB_USERNAME = '{{ dim_db_user_name }}' +DB_PASSWORD = '{{ dim_db_user_password }}' +DB_HOST = 'localhost' +SQLALCHEMY_DATABASE_URI = 'mysql://%s:%s@%s/dim' % (DB_USERNAME, DB_PASSWORD, DB_HOST) +DB_LOCK_TIMEOUT = 120 +SECRET_KEY = '{{ dim_secret_key }}' + +### Authentication +# 'ldap' or None +AUTHENTICATION_METHOD = None + +LDAP_SERVER = "ldap://testldap" +LDAP_USER_DN = "uid=%s" +LDAP_SEARCH_BASE = "" + +# Used by manage_dim ldap_sync +LDAP_USER_BASE = "" +LDAP_DEPARTMENT_BASE = "" + +# Set SECRET_KEY to a random string +# The security of this application is compromised if SECRET_KEY is leaked +SECRET_KEY = 'testkey' + +PERMANENT_SESSION_LIFETIME = 5 * 24 * 3600 # 5 days +TEMPORARY_SESSION_LIFETIME = 24 * 3600 # 1 day + +### Logging +import logging, logging.handlers, sys + +LOGGING_LEVEL = logging.DEBUG +LOGGING_HANDLER = logging.StreamHandler(sys.stderr) + +### DNS +DNS_DEFAULT_REFRESH = 14400 # 4 hours +DNS_DEFAULT_RETRY = 3600 # 1 hour +DNS_DEFAULT_EXPIRE = 605000 # 7 days +DNS_DEFAULT_MINIMUM = 60 # 1 minute +DNS_DEFAULT_ZONE_TTL = 86400 # 1 day (Default. TTL) + +# list of ipspaces which are allowed to exist multiple times in dim (layer3domains) +# in general only rfc1918 ip should be allowed +LAYER3DOMAIN_WHITELIST = ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '100.64.0.0/10'] diff --git a/ansible-deployment/roles/dim/templates/forward.zones.j2 b/ansible-deployment/roles/dim/templates/forward.zones.j2 new file mode 100644 index 00000000..6c4b7f46 --- /dev/null +++ b/ansible-deployment/roles/dim/templates/forward.zones.j2 @@ -0,0 +1,2 @@ ++{{ domain_name }}=127.1.0.1 ++internal.local=127.1.0.1 diff --git a/ansible-deployment/roles/dim/templates/nta.lua.j2 b/ansible-deployment/roles/dim/templates/nta.lua.j2 new file mode 100644 index 00000000..bfa131a2 --- /dev/null +++ b/ansible-deployment/roles/dim/templates/nta.lua.j2 @@ -0,0 +1,2 @@ +addNTA('internal.local') +addNTA('{{ domain_name }}') 
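Review bot: `SECRET_KEY` is assigned twice: line 6 sets it from `{{ dim_secret_key }}`, then line 22 overrides it with the literal `'testkey'`, so every deployment from this role ends up with the same publicly known Flask secret and the group_vars value is dead — the comment two lines above even says the application is compromised if the key leaks. Delete the second assignment and keep that comment next to the templated one. The file also leaves `LOGGING_LEVEL = logging.DEBUG` for a production deployment and hard-codes `/dim` in `SQLALCHEMY_DATABASE_URI` although `dim_db_name` is a variable; `'mysql://%s:%s@%s/{{ dim_db_name }}'` keeps the two in step. Since this file contains Python imports it is presumably executed rather than parsed, so the `Copy dim.cfg config file` task in tasks/dim.yml should install it with a restrictive `mode:` as well, not just owner/group.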
diff --git a/ansible-deployment/roles/dim/templates/pdns-int.conf.j2 b/ansible-deployment/roles/dim/templates/pdns-int.conf.j2 new file mode 100644 index 00000000..ddcbb8a5 --- /dev/null +++ b/ansible-deployment/roles/dim/templates/pdns-int.conf.j2 @@ -0,0 +1,37 @@ +setgid=pdns +setuid=pdns +version-string=powerdns +local-port=53 +guardian=no +daemon=no +slave=no +master=no +expand-alias=yes +resolver=127.3.0.1 +8bit-dns=yes +max-tcp-connections=300 +local-address=127.1.0.1 +disable-axfr=no +allow-axfr-ips=127.0.0.0/8,::1 +cache-ttl=10 +query-cache-ttl=20 +negquery-cache-ttl=60 +queue-limit=200 +max-cache-entries=2000 +max-queue-length=1000 +udp-truncation-threshold=1220 +webserver=no +tcp-control-port= +log-timestamp=no +logging-facility=6 +loglevel=3 +query-logging=no +log-dns-details=no + +# backend +launch=gmysql +gmysql-dnssec +gmysql-socket=/var/lib/mysql/mysql.sock +gmysql-dbname={{ pdns_int_db_name }} +gmysql-user={{ pdns_int_db_user_name }} +gmysql-password={{ pdns_int_db_user_password }} diff --git a/ansible-deployment/roles/dim/templates/pdns-output.properties.j2 b/ansible-deployment/roles/dim/templates/pdns-output.properties.j2 new file mode 100644 index 00000000..bd8c7230 --- /dev/null +++ b/ansible-deployment/roles/dim/templates/pdns-output.properties.j2 
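Review bot: pdns-int.conf.j2 and pdns-pub.conf.j2 are line-for-line identical except `local-address` and the three `gmysql-*` values, so every tuning change has to be made twice, and the two already differ in layout (`local-address` sits on line 13 here and is the last general setting in pub). A single `pdns.conf.j2` rendered with `loop:` over a list of instance items (name, address, database, user, password) in tasks/powerdns.yml removes the duplication. Either way the file deserves two comments: `allow-axfr-ips=127.0.0.0/8,::1` together with `disable-axfr=no` deliberately limits zone transfers to the host itself, and `resolver=127.3.0.1` ties `expand-alias` to the recursor instance defined in recursor-int.conf.j2.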
@@ -0,0 +1,24 @@ +# dim database connection parameters +db.serverName=127.0.0.1 +db.portNumber=3306 +db.databaseName=dim +db.user={{ dim_db_user_name }} +db.password={{ dim_db_user_password }} + +# Timeout in seconds for getting the pdns_poller lock which prevents multiple pdns-output instances from running +lockTimeout=120 + +# Delay in seconds used when polling the dim outputupdate table +pollDelay=1 + +# Delay in seconds before retrying a failed update +retryInterval=60 + +# Debug option to print to stdout transaction ids after processing them +printTxn=false + +# Max size of a sql query in bytes +# should be less than the configured max_allowed_packet in mysql +maxQuerySize=4000000 + +useNativeCrypto=true diff --git a/ansible-deployment/roles/dim/templates/pdns-output.service.j2 b/ansible-deployment/roles/dim/templates/pdns-output.service.j2 new file mode 100644 index 00000000..3f7c842a --- /dev/null +++ b/ansible-deployment/roles/dim/templates/pdns-output.service.j2 @@ -0,0 +1,20 @@ +[Unit] +Description=DIM to PowerDNS DB +After=network.target mysql.target + +[Service] +Type=simple +ExecStart=/bin/java -jar {{ jar_file.files[0].path }} +Restart=on-failure +StartLimitInterval=0 +PrivateTmp=true +PrivateDevices=true +CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_CHOWN CAP_SYS_CHROOT +NoNewPrivileges=true +ProtectSystem=full +ProtectHome=true +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +LimitNOFILE=40000 + +[Install] +WantedBy=multi-user.target diff --git a/ansible-deployment/roles/dim/templates/pdns-pub.conf.j2 b/ansible-deployment/roles/dim/templates/pdns-pub.conf.j2 new file mode 100644 index 00000000..1788a7f6 --- /dev/null +++ b/ansible-deployment/roles/dim/templates/pdns-pub.conf.j2 
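Review bot: `db.databaseName=dim` is hard-coded while tasks/mariadb.yml creates the database from `{{ dim_db_name }}`; use the variable here too so a renamed database does not silently break the poller. `db.password={{ dim_db_user_password }}` is rendered by the `Copy pdns-output config` task in tasks/dim.yml, which sets no `owner`/`group`/`mode`, so the credential lands in `{{ dim_config_path }}` with the default umask; give that task `mode: "0640"` and an owner matching the user the service runs as.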
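Review bot: The unit carries several hardening directives (`NoNewPrivileges`, `ProtectSystem=full`, `CapabilityBoundingSet=...`) but no `User=`/`Group=`, so `/bin/java -jar ...` runs as root with the listed capabilities retained; add `User=<unprivileged service user>` and `Group=<service group>` created by the role, after which `CAP_SETGID CAP_SETUID CAP_CHOWN CAP_SYS_CHROOT` can likely be dropped, since nothing visible in this commit suggests a database poller needs them. `After=network.target mysql.target` names a target I do not believe the MariaDB packages provide; tasks/mariadb.yml enables `mariadb`, so `After=network.target mariadb.service` (with a matching `Wants=`) is what orders it correctly. `StartLimitInterval=` in `[Service]` is the old spelling; current systemd expects `StartLimitIntervalSec=` in `[Unit]` and, as far as I know, only accepts the old key with a warning.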
@@ -0,0 +1,37 @@ +setgid=pdns +setuid=pdns +version-string=powerdns +local-port=53 +guardian=no +daemon=no +slave=no +master=no +expand-alias=yes +resolver=127.3.0.1 +8bit-dns=yes +max-tcp-connections=300 +disable-axfr=no +allow-axfr-ips=127.0.0.0/8,::1 +cache-ttl=10 +query-cache-ttl=20 +negquery-cache-ttl=60 +queue-limit=200 +max-cache-entries=2000 +max-queue-length=1000 +udp-truncation-threshold=1220 +webserver=no +tcp-control-port= +log-timestamp=no +logging-facility=6 +loglevel=3 +query-logging=no +log-dns-details=no +local-address=127.2.0.1 + +# backend +launch=gmysql +gmysql-dnssec +gmysql-socket=/var/lib/mysql/mysql.sock +gmysql-dbname={{ pdns_pub_db_name }} +gmysql-user={{ pdns_pub_db_user_name }} +gmysql-password={{ pdns_pub_db_user_password }} diff --git a/ansible-deployment/roles/dim/templates/recursor-int.conf.j2 b/ansible-deployment/roles/dim/templates/recursor-int.conf.j2 new file mode 100644 index 00000000..3301653e --- /dev/null +++ b/ansible-deployment/roles/dim/templates/recursor-int.conf.j2 
@@ -0,0 +1,49 @@ +allow-from=0.0.0.0/0, ::/0 +any-to-tcp=yes +client-tcp-timeout=5 +disable-packetcache=no +dnssec=process +dont-query=127.0.0.0/8,100.64.0.0/10,169.254.0.0/16,192.0.0.0/24,192.0.2.0/24,198.51.100.0/24,203.0.113.0/24,240.0.0.0/4,::1/128,::ffff:0:0/96,100::/64,2001:db8::/32 +entropy-source=/dev/urandom +export-etc-hosts=no +forward-zones-file={{ pdns_recursor_conf_path }}/int/forward.zones +latency-statistic-size=10000 +local-address=127.3.0.1 +local-port=53 +logging-facility=6 +loglevel=4 +lua-config-file={{ pdns_recursor_conf_path }}/int/nta.lua +log-common-errors=no +max-cache-entries=8000 +max-cache-ttl=86400 +max-mthreads=2048 +max-negative-ttl=600 +max-packetcache-entries=8000 +max-qperq=50 +max-tcp-clients=300 +max-tcp-per-client=0 +max-total-msec=7000 +minimum-ttl-override=0 +network-timeout=1970 +no-shuffle=off +packetcache-ttl=120 +packetcache-servfail-ttl=15 +pdns-distributes-queries=no +processes=1 +query-local-address=0.0.0.0 :: +quiet=on +root-nx-trust=on +serve-rfc1918=on +server-down-max-fails=64 +server-down-throttle-time=60 +server-id=dim-rec-int +setgid=pdns-recursor +setuid=pdns-recursor +single-socket=off +spoof-nearmiss-max=20 +stack-size=200000 +stats-ringbuffer-entries=200000 +trace=off +udp-truncation-threshold=1220 +edns-outgoing-bufsize=1220 +version-string=PowerDNS-Recursor diff --git a/ansible-deployment/roles/dim/templates/wsgi.conf.j2 b/ansible-deployment/roles/dim/templates/wsgi.conf.j2 new file mode 100644 index 00000000..a817c90c --- /dev/null +++ b/ansible-deployment/roles/dim/templates/wsgi.conf.j2 
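Review bot: `allow-from=0.0.0.0/0, ::/0` allows recursion from any source address; today the instance only listens on `local-address=127.3.0.1`, so nothing off-host reaches it, but the moment `local-address` is changed or the loopback alias is replaced by a real interface this becomes an open resolver. Restrict it to what the other templates actually use, `allow-from=127.0.0.0/8, ::1/128`, and add a comment tying the two settings together. Also worth a comment: `dnssec=process` combined with `nta.lua` disables validation for `{{ domain_name }}` and `internal.local`, presumably because those zones are served by the local pdns-int instance without a chain of trust — say so, so a later reader does not "fix" it by switching to `validate`.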
@@ -0,0 +1,34 @@ + + ServerName dim.{{ domain_name }} + ServerAlias localhost + ServerAdmin dim@{{ domain_name }} + ErrorLog /var/log/httpd/error_log_dim.{{ domain_name }} + CustomLog /var/log/httpd/access_log_dim.{{ domain_name }} combined + LogLevel error + DocumentRoot /srv/http/dim.{{ domain_name }} + WSGIDaemonProcess dim python-home=/opt/dim + WSGIScriptAlias /dim /opt/dim/dim.wsgi + WSGIDaemonProcess cas + WSGIScriptAlias /cas /usr/share/dim-web/cas.wsgi + + RewriteEngine on + RewriteCond %{REQUEST_FILENAME} -f [OR] + RewriteCond %{REQUEST_FILENAME} -d + RewriteRule ^ - [L] + RewriteRule ^ index.html [L] + Require all granted + + + Require all granted + + Alias /dim/doc /opt/dim/doc + Alias /netdot/doc /opt/dim/doc + + WSGIProcessGroup cas + Require all granted + + + WSGIProcessGroup dim + Require all granted + + diff --git a/ansible-deployment/roles/dim/tests/inventory b/ansible-deployment/roles/dim/tests/inventory new file mode 100644 index 00000000..878877b0 --- /dev/null +++ b/ansible-deployment/roles/dim/tests/inventory @@ -0,0 +1,2 @@ +localhost + diff --git a/ansible-deployment/roles/dim/tests/test.yml b/ansible-deployment/roles/dim/tests/test.yml new file mode 100644 index 00000000..dec95a29 --- /dev/null +++ b/ansible-deployment/roles/dim/tests/test.yml @@ -0,0 +1,5 @@ +--- +- hosts: localhost + remote_user: root + roles: + - dim \ No newline at end of file diff --git a/ansible-deployment/roles/dim/vars/main.yml b/ansible-deployment/roles/dim/vars/main.yml new file mode 100644 index 00000000..e4ec244d --- /dev/null +++ b/ansible-deployment/roles/dim/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file for dim \ No newline at end of file
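Review bot: As far as is visible the vhost serves plain HTTP only — there are no `SSLEngine`/`SSLCertificateFile` lines — even though tasks/dim.yml installs `mod_ssl`, and the `.ndclirc` written there points at `http://localhost/dim`; the `<VirtualHost>`/`<Directory>` tags appear to have been stripped from this rendering, so the container boundaries cannot be checked here. DIM and the CAS application at `/cas` presumably take user credentials, so if this host is ever reachable beyond localhost they travel unencrypted; either add a TLS vhost for `dim.{{ domain_name }}` or document that the service is deliberately loopback-only. `Require all granted` on every block and `ServerAlias localhost` are fine for a single-host setup but deserve a comment stating that assumption. The `Setup wsgi.conf for dim.{{ domain_name }}` task also installs this file with owner/group but no `mode:`.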