Add role that allows access to powerdns api for certian ips via reverse proxy (#24)

* Add role that allows access to powerdns api for certian ips via reverse proxy

* Remove unneeded variables, remove systemd handlers.

* Allow a list of access ips. Make this mandatory.
This commit is contained in:
prisma01 2019-08-31 22:24:44 +02:00 committed by GitHub
parent 8863e21995
commit 417b60a0ac
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 79 additions and 0 deletions

View file

@ -6,6 +6,8 @@ magic: 71
nodejs_major_version: "10" nodejs_major_version: "10"
http_dns_prefix: "dns-ext" http_dns_prefix: "dns-ext"
pdns_limit_api_access:
- 94.130.21.214
mysql_root_password: "{{ lookup('passwordstore', inventory_hostname_short + '/mysql_root subkey=secret') }}" mysql_root_password: "{{ lookup('passwordstore', inventory_hostname_short + '/mysql_root subkey=secret') }}"
mysql_databases: mysql_databases:

View file

@ -21,3 +21,4 @@
- geerlingguy.mysql - geerlingguy.mysql
- powerdns.pdns - powerdns.pdns
- pdns-admin - pdns-admin
- pdns-api

20
roles/pdns-api/README.md Normal file
View file

@ -0,0 +1,20 @@
# Ansible Role: Allow Powerdns api access
Adds reverse Proxy directive to allow api access to powerdns. Allows limit accessing IP.
## Requirements
none
## Role Variables
Mandatory (If not defined access will be disallowed for everyone)
- pdns_limit_api_access:
- x.x.x.x
- y.y.y.y
## Dependencies
- powerdns.pns
- service-nginx

View file

@ -0,0 +1,5 @@
---
- name: Reload nginx
systemd:
name: "nginx"
state: "reloaded"

View file

@ -0,0 +1,4 @@
---
dependencies:
- service-nginx
- powerdns.pdns

View file

@ -0,0 +1,9 @@
---
- name: Template nginx configuration.
template:
src: "pdns_api.conf.j2"
dest: "/etc/nginx/conf.d/pdns_api.conf"
owner: "root"
group: "root"
mode: "0644"
notify: Reload nginx

View file

@ -0,0 +1,38 @@
server {
listen 80;
listen [::]:80;
server_name {{ http_dns_prefix }}-api.{{ http_domain_external }} ;
return 301 https://$http_host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ http_dns_prefix }}-api.{{ http_domain_external }} ;
index index.html index.htm;
ssl_certificate /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem;
ssl_prefer_server_ciphers on;
include /etc/nginx/snippets/letsencrypt-acme-challenge.conf;
location / {
# allow defined addresses to access
{% for host in pdns_limit_api_access %}
allow {{ host }};
{% endfor %}
# drop rest of the world
deny all;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://127.0.0.1:8081;
proxy_read_timeout 90;
proxy_redirect http://127.0.0.1:8081 https://{{ http_dns_prefix }}-api.{{ http_domain_external }};
}
}