Add role that allows access to powerdns api for certian ips via reverse proxy (#24)

* Add role that allows access to powerdns api for certian ips via reverse proxy * Remove unneeded variables, remove systemd handlers. * Allow a list of access ips. Make this mandatory.
2019-08-31 22:24:44 +02:00 · 2019-08-31 22:24:44 +02:00 · 417b60a0ac
commit 417b60a0ac
parent 8863e21995
7 changed files with 79 additions and 0 deletions
--- a/inventory/host_vars/linse.freifunk-mwu.de
+++ b/inventory/host_vars/linse.freifunk-mwu.de
@ -6,6 +6,8 @@ magic: 71
 nodejs_major_version: "10"

 http_dns_prefix: "dns-ext"
+pdns_limit_api_access:
+  - 94.130.21.214

 mysql_root_password: "{{ lookup('passwordstore', inventory_hostname_short + '/mysql_root subkey=secret') }}"
 mysql_databases:
--- a/playbooks/dns.yml
+++ b/playbooks/dns.yml
@ -21,3 +21,4 @@
  - geerlingguy.mysql
  - powerdns.pdns
  - pdns-admin
+  - pdns-api
--- a/roles/pdns-api/README.md
+++ b/roles/pdns-api/README.md
@ -0,0 +1,20 @@
+
+# Ansible Role: Allow Powerdns api access
+
+Adds reverse Proxy directive to allow api access to powerdns. Allows limit accessing IP.
+
+## Requirements
+
+none
+
+## Role Variables
+Mandatory (If not defined access will be disallowed for everyone)
+
+- pdns_limit_api_access:
+    - x.x.x.x
+    - y.y.y.y
+
+## Dependencies
+
+- powerdns.pns
+- service-nginx
--- a/roles/pdns-api/handlers/main.yml
+++ b/roles/pdns-api/handlers/main.yml
@ -0,0 +1,5 @@
+---
+- name: Reload nginx
+  systemd:
+    name: "nginx"
+    state: "reloaded"
--- a/roles/pdns-api/meta/main.yml
+++ b/roles/pdns-api/meta/main.yml
@ -0,0 +1,4 @@
+---
+dependencies:
+  - service-nginx
+  - powerdns.pdns
--- a/roles/pdns-api/tasks/main.yml
+++ b/roles/pdns-api/tasks/main.yml
@ -0,0 +1,9 @@
+---
+- name: Template nginx configuration.
+  template:
+    src: "pdns_api.conf.j2"
+    dest: "/etc/nginx/conf.d/pdns_api.conf"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  notify: Reload nginx
--- a/roles/pdns-api/templates/pdns_api.conf.j2
+++ b/roles/pdns-api/templates/pdns_api.conf.j2
@ -0,0 +1,38 @@
+server {
+    listen 80;
+    listen [::]:80;
+    server_name {{ http_dns_prefix }}-api.{{ http_domain_external }} ;
+    return 301 https://$http_host$request_uri;
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name {{ http_dns_prefix }}-api.{{ http_domain_external }} ;
+    index index.html index.htm;
+
+    ssl_certificate /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/fullchain.pem;
+    ssl_certificate_key /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem;
+    ssl_prefer_server_ciphers       on;
+    include /etc/nginx/snippets/letsencrypt-acme-challenge.conf;
+
+    location / {
+        # allow defined addresses to access
+        {% for host in pdns_limit_api_access %}
+        allow   {{ host }};
+        {% endfor %}
+        # drop rest of the world
+        deny    all;
+
+        proxy_set_header        Host $host;
+        proxy_set_header        X-Real-IP $remote_addr;
+        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header        X-Forwarded-Proto $scheme;
+
+        proxy_pass          http://127.0.0.1:8081;
+        proxy_read_timeout  90;
+
+        proxy_redirect      http://127.0.0.1:8081 https://{{ http_dns_prefix }}-api.{{ http_domain_external }};
+    }
+
+}