Add role that allows access to powerdns api for certian ips via reverse proxy (#24)
* Add role that allows access to the PowerDNS API for certain IPs via reverse proxy * Remove unneeded variables, remove systemd handlers. * Allow a list of access IPs. Make this mandatory.
This commit is contained in:
parent
8863e21995
commit
417b60a0ac
7 changed files with 79 additions and 0 deletions
@ -6,6 +6,8 @@ magic: 71
nodejs_major_version: "10"
nodejs_major_version: "10"
http_dns_prefix: "dns-ext"
http_dns_prefix: "dns-ext"
pdns_limit_api_access:
- 94.130.21.214
mysql_root_password: "{{ lookup('passwordstore', inventory_hostname_short + '/mysql_root subkey=secret') }}"
mysql_root_password: "{{ lookup('passwordstore', inventory_hostname_short + '/mysql_root subkey=secret') }}"
mysql_databases:
mysql_databases:
@ -21,3 +21,4 @@
- geerlingguy.mysql
- geerlingguy.mysql
- powerdns.pdns
- powerdns.pdns
- pdns-admin
- pdns-admin
- pdns-api
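--- /dev/null
+++ b/roles/pdns-api/README.md
@@ -0,0 +1,20 @@
+
+# Ansible Role: Allow Powerdns api access
+
+Adds reverse Proxy directive to allow api access to powerdns. Allows limit accessing IP.
+
+## Requirements
+
+none
+
+## Role Variables
+Mandatory (If not defined access will be disallowed for everyone)
+
+- pdns_limit_api_access:
+- x.x.x.x
+- y.y.y.y
+
+## Dependencies
+
+- powerdns.pns
+- service-nginx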
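--- /dev/null
+++ b/roles/pdns-api/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Reload nginx
+systemd:
+name: "nginx"
+state: "reloaded"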
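--- /dev/null
+++ b/roles/pdns-api/meta/main.yml
@@ -0,0 +1,4 @@
+---
+dependencies:
+- service-nginx
+- powerdns.pdns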
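--- /dev/null
+++ b/roles/pdns-api/tasks/main.yml
@@ -0,0 +1,9 @@
+---
+- name: Template nginx configuration.
+template:
+src: "pdns_api.conf.j2"
+dest: "/etc/nginx/conf.d/pdns_api.conf"
+owner: "root"
+group: "root"
+mode: "0644"
+notify: Reload nginx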
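Review bot: Nothing in the role enforces the "mandatory" allowlist the README promises — the template task writing `dest: "/etc/nginx/conf.d/pdns_api.conf"` expands every element of `pdns_limit_api_access` verbatim into an `allow` directive, so an entry that is not a bare address or CIDR (a stray `;`, a newline, a hostname) lands in the nginx config as extra directives or a syntax error, and a missing variable surfaces only as a Jinja undefined-variable failure rather than the "deny everyone" behaviour the README describes. An `assert` task ahead of the template makes the contract explicit and keeps a mistyped inventory value from ever reaching nginx; the values come from inventory, so this is defence in depth rather than an untrusted-input fix. Validating the result before the handler fires would also help: a `command: nginx -t` task with `changed_when: false` after the template means a broken file is caught by the play instead of by a failing `systemd: state: reloaded`, at which point the bad config is already in place.
```yaml
- name: Ensure the API allowlist is present and well-formed
  assert:
    that:
      - pdns_limit_api_access is defined
      - pdns_limit_api_access | length > 0
      - pdns_limit_api_access | reject('match', '^[0-9a-fA-F.:]+(/[0-9]{1,3})?$') | list | length == 0
    fail_msg: "pdns_limit_api_access must be a non-empty list of IP addresses or CIDR prefixes"

# … unchanged: Template nginx configuration task …
```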
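--- /dev/null
+++ b/roles/pdns-api/templates/pdns_api.conf.j2
@@ -0,0 +1,38 @@
+server {
+listen 80;
+listen [::]:80;
+server_name {{ http_dns_prefix }}-api.{{ http_domain_external }} ;
+return 301 https://$http_host$request_uri;
+}
+
+server {
+listen 443 ssl http2;
+listen [::]:443 ssl http2;
+server_name {{ http_dns_prefix }}-api.{{ http_domain_external }} ;
+index index.html index.htm;
+
+ssl_certificate /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/fullchain.pem;
+ssl_certificate_key /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem;
+ssl_prefer_server_ciphers on;
+include /etc/nginx/snippets/letsencrypt-acme-challenge.conf;
+
+location / {
+# allow defined addresses to access
+{% for host in pdns_limit_api_access %}
+allow {{ host }};
+{% endfor %}
+# drop rest of the world
+deny all;
+
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+
+proxy_pass http://127.0.0.1:8081;
+proxy_read_timeout 90;
+
+proxy_redirect http://127.0.0.1:8081 https://{{ http_dns_prefix }}-api.{{ http_domain_external }};
+}
+
+}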
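Review bot: The port-80 block's `return 301 https://$http_host$request_uri;` copies the client-supplied Host header into the Location, so if this server block is ever selected for a request whose Host is not the configured name (for instance because it becomes nginx's default server, which depends on conf.d ordering not visible here) the client is redirected to an attacker-chosen origin; `return 301 https://$host$request_uri;`, or better the templated `https://{{ http_dns_prefix }}-api.{{ http_domain_external }}$request_uri`, removes the reflection. The `allow`/`deny` pair in `location /` keys on `$remote_addr`, which only holds while this nginx is the edge host for the API — behind another proxy or load balancer every client would appear as that hop's address and a `set_real_ip_from`/`real_ip_header` pair would be needed, so a comment recording that assumption next to `# allow defined addresses to access` is worthwhile. The 443 block sets `ssl_prefer_server_ciphers on` but no `ssl_protocols` or `ssl_ciphers`, so protocol and cipher strength come entirely from whatever the global nginx configuration (not part of this commit) defines; a comment saying so, or an explicit `ssl_protocols TLSv1.2 TLSv1.3;`, would make the intent auditable. Note also that the IP allowlist is a second layer in front of the PowerDNS API on `127.0.0.1:8081`, not a replacement for its API key, and that `{% for host in pdns_limit_api_access %}` fails the template render under Ansible's default undefined handling rather than falling through to `deny all` when the variable is absent.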