From 417b60a0ace5f0c38b961cd718714b883799c236 Mon Sep 17 00:00:00 2001
From: prisma01
Date: Sat, 31 Aug 2019 22:24:44 +0200
Subject: [PATCH] Add role that allows access to powerdns api for certian ips via reverse proxy (#24)
* Add role that allows access to powerdns api for certian ips via reverse proxy
* Remove unneeded variables, remove systemd handlers.
* Allow a list of access ips. Make this mandatory.
---
 inventory/host_vars/linse.freifunk-mwu.de | 2 ++
 playbooks/dns.yml | 1 +
 roles/pdns-api/README.md | 20 ++++++++++++
 roles/pdns-api/handlers/main.yml | 5 +++
 roles/pdns-api/meta/main.yml | 4 +++
 roles/pdns-api/tasks/main.yml | 9 ++++++
 roles/pdns-api/templates/pdns_api.conf.j2 | 38 +++++++++++++++++++++++
 7 files changed, 79 insertions(+)
 create mode 100644 roles/pdns-api/README.md
 create mode 100644 roles/pdns-api/handlers/main.yml
 create mode 100644 roles/pdns-api/meta/main.yml
 create mode 100644 roles/pdns-api/tasks/main.yml
 create mode 100644 roles/pdns-api/templates/pdns_api.conf.j2
diff --git a/inventory/host_vars/linse.freifunk-mwu.de b/inventory/host_vars/linse.freifunk-mwu.de
index de9ffdc..296fb44 100644
--- a/inventory/host_vars/linse.freifunk-mwu.de
+++ b/inventory/host_vars/linse.freifunk-mwu.de
@@ -6,6 +6,8 @@ magic: 71
 nodejs_major_version: "10"
 http_dns_prefix: "dns-ext"
+pdns_limit_api_access:
+ - 94.130.21.214
 mysql_root_password: "{{ lookup('passwordstore', inventory_hostname_short + '/mysql_root subkey=secret') }}"
 mysql_databases:
diff --git a/playbooks/dns.yml b/playbooks/dns.yml
index 15ad5d2..acb21fb 100755
--- a/playbooks/dns.yml
+++ b/playbooks/dns.yml
@@ -21,3 +21,4 @@
 - geerlingguy.mysql
 - powerdns.pdns
 - pdns-admin
+ - pdns-api
diff --git a/roles/pdns-api/README.md b/roles/pdns-api/README.md
new file mode 100644
index 0000000..ba93184
--- /dev/null
+++ b/roles/pdns-api/README.md
@@ -0,0 +1,20 @@
+
+# Ansible Role: Allow Powerdns api access
+
+Adds reverse Proxy directive to allow api access to powerdns. Allows limit accessing IP.
+
+## Requirements
+
+none
+
+## Role Variables
+Mandatory (If not defined access will be disallowed for everyone)
+
+- pdns_limit_api_access:
+ - x.x.x.x
+ - y.y.y.y
+
+## Dependencies
+
+- powerdns.pns
+- service-nginx
diff --git a/roles/pdns-api/handlers/main.yml b/roles/pdns-api/handlers/main.yml
new file mode 100644
index 0000000..767f539
--- /dev/null
+++ b/roles/pdns-api/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Reload nginx
+ systemd:
+ name: "nginx"
+ state: "reloaded"
diff --git a/roles/pdns-api/meta/main.yml b/roles/pdns-api/meta/main.yml
new file mode 100644
index 0000000..49875be
--- /dev/null
+++ b/roles/pdns-api/meta/main.yml
@@ -0,0 +1,4 @@
+---
+dependencies:
+ - service-nginx
+ - powerdns.pdns
diff --git a/roles/pdns-api/tasks/main.yml b/roles/pdns-api/tasks/main.yml
new file mode 100644
index 0000000..48a58ae
--- /dev/null
+++ b/roles/pdns-api/tasks/main.yml
@@ -0,0 +1,9 @@
+---
+- name: Template nginx configuration.
+ template:
+ src: "pdns_api.conf.j2"
+ dest: "/etc/nginx/conf.d/pdns_api.conf"
+ owner: "root"
+ group: "root"
+ mode: "0644"
+ notify: Reload nginx
diff --git a/roles/pdns-api/templates/pdns_api.conf.j2 b/roles/pdns-api/templates/pdns_api.conf.j2
new file mode 100644
index 0000000..57e717e
--- /dev/null
+++ b/roles/pdns-api/templates/pdns_api.conf.j2
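Review bot: The dependency list in roles/pdns-api/meta/main.yml names `powerdns.pdns`, while roles/pdns-api/README.md in the same patch lists it as `powerdns.pns`, so someone installing dependencies from the README would look for a role that does not exist. The README entry should read `- powerdns.pdns` to match meta and playbooks/dns.yml.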
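Review bot: The `Template nginx configuration.` task renders `pdns_limit_api_access` without checking that it exists or is a list, so a host that lacks the variable fails inside Jinja with a generic undefined-variable error, and a host where it is accidentally a scalar string would iterate characters into `allow` directives and produce a config that nginx rejects. Since the README declares the variable mandatory, an `assert` task before the template makes that contract explicit and gives a readable failure. The check is independent of the template itself and can be placed as the first task in this file.
```yaml
- name: Ensure the API access list is defined.
  assert:
    that:
      - pdns_limit_api_access is defined
      - pdns_limit_api_access is iterable
      - pdns_limit_api_access is not string
    fail_msg: "pdns_limit_api_access must be a list of addresses allowed to reach the PowerDNS API"

# … unchanged: Template nginx configuration task …
```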
@@ -0,0 +1,38 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name {{ http_dns_prefix }}-api.{{ http_domain_external }} ;
+ return 301 https://$http_host$request_uri;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name {{ http_dns_prefix }}-api.{{ http_domain_external }} ;
+ index index.html index.htm;
+
+ ssl_certificate /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/fullchain.pem;
+ ssl_certificate_key /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem;
+ ssl_prefer_server_ciphers on;
+ include /etc/nginx/snippets/letsencrypt-acme-challenge.conf;
+
+ location / {
+ # allow defined addresses to access
+ {% for host in pdns_limit_api_access %}
+ allow {{ host }};
+ {% endfor %}
+ # drop rest of the world
+ deny all;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_pass http://127.0.0.1:8081;
+ proxy_read_timeout 90;
+
+ proxy_redirect http://127.0.0.1:8081 https://{{ http_dns_prefix }}-api.{{ http_domain_external }};
+ }
+
+}
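Review bot: The `allow`/`deny` block in `location /` is the only access control added at the proxy layer, and `{% for host in pdns_limit_api_access %}` with the variable undefined makes the template task fail rather than rendering a deny-all config, which is not what the README's "access will be disallowed for everyone" wording suggests; if deny-all is the intended fallback, `{% for host in pdns_limit_api_access | default([]) %}` gives exactly that, otherwise the variable should be asserted in the tasks file. The allowlist is matched against the client address as nginx sees it, so it is only meaningful while this host is reached directly and not through another proxy, which is worth a comment next to `# allow defined addresses to access`. The TLS server sets `ssl_prefer_server_ciphers on` but no `ssl_protocols` or `ssl_ciphers`, so the accepted protocol and cipher set comes from nginx defaults or from the `service-nginx` role, which is not visible in this patch and should be confirmed. `index index.html index.htm;` has no effect for a location that only proxies and can be dropped.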