added dns using hetzner dns, renamed pubnix => pub

Makefile

@@ -4,8 +4,9 @@
 VARS		= group_vars/all/vars.yaml
 VALL		= group_vars/all/all.yaml
 SECRET		= ~/.config/ansible/hcloud.secret
-KEYDIR		= roles/pubnix/files/keys
+KEYDIR		= roles/pub/files/keys
 TOKEN		= $(shell ansible-vault decrypt --output - $(VARS) | grep hetzner_cloud_token | cut -d' ' -f2)
+DNSTOKEN    = $(shell ansible-vault decrypt --output - $(VARS) | grep hetzner_dns_token | cut -d' ' -f2)
 SNAPNAME	= $(shell cat $(VALL) | yq .snapshot)
 
 SNAPSHOT    = $(shell hcloud image  list -t snapshot -o yaml | \
@@ -19,7 +20,7 @@ HOSTS_COMMAND = ansible-playbook knownhosts.yaml $(OPTIONS)
 DEBUG_COMMAND = ansible-playbook debug.yaml $(OPTIONS)
 SHOW_COMMAND = ansible-inventory -i inventory/hosts.hcloud.yaml --list
 
-ENV = HCLOUD_TOKEN="$(TOKEN)" SNAPSHOT="$(SNAPSHOT)" ANSIBLE_VERBOSITY=$(verbose)
+ENV = HCLOUD_TOKEN="$(TOKEN)" HETZNER_DNS_TOKEN="$(DNSTOKEN)" SNAPSHOT="$(SNAPSHOT)" ANSIBLE_VERBOSITY=$(verbose)
 
 all: create deploy
 

debug.yaml

@@ -1,9 +1,9 @@
 ---
-- name: DEBUGGING ROLES
+- name: Gather facts
   tags: active
   hosts: running
   gather_facts: true
   user: root
   roles:
     - role: network
-    - role: user
+    - role: dns

deploy.yaml

@@ -6,10 +6,10 @@
   user: root
   roles:
     - role: reachable
+    - role: dns
     - role: network
     - role: server
     - role: firewall
     - role: ssh
     - role: jails
-    - role: pubnix
-    - role: dns
+    - role: pub

group_vars/all/all.yaml

@@ -25,7 +25,7 @@ ssh_keys:
   - scip@pixel8
 
 jails:
-  pubnix:
+  pub:
     pkgs:
       - bash
       - zsh
@@ -76,10 +76,7 @@ storage:
     - mount: /var/cron/tabs
       name: /crontabs
 
-# runas user must be  able to get to server using ssh  w/ key auth and
-# be member of the group knot, the dns jail must be running.
 dns:
-  server: e3
   zone: bsdnix.de
   socket: /jail/run/dns/tmp/knot/knot.sock
 

group_vars/all/vars.yaml

@@ -1,12 +1,15 @@
 $ANSIBLE_VAULT;1.1;AES256
-30386430356466633261653236656333623835666363653766313864376439663739666539373466
-6133333563663839306331373863623064656330363234660a613235386230353233336134333665
-33323865646238363862663334343738326339623939663036643833356466633062656362653061
-3661626430303038360a303961356566663239656337333833323036343432656332386234623131
-34323538326435643534663239613438333037646261663462323661306536383435626133663562
-34326239363138656666353563396132303633373539646330303536346637346532616462393332
-64613233373331396364613466303535383964313836356365393735326136323832313731653936
-31633637643632323139303132336663626532623037343139363839626165323062303335363237
-31646234393337366330353261383465316632663232303464346566333738326164363935613933
-63393139663665343861363434396664383965613437383963343861333565356135656335383234
-656638656239636133646562383734323835
+36656334643662656164636264613965393166643630633436346635386332366630366461313438
+3863656566373333306466623361626431633030383061610a373533353766306137393832613134
+36346666616430376535343066313335393636363733323236363866373938346561356366336233
+3762346237636635610a363937306236623838346363643033353733623831316266313864313935
+38313162383839633433326135333836323133313537373034653434353639613637623438663330
+66396264666431383334636639363834613633336162353464366130333864396361646534623965
+66633566623861336430353162333336626631376162626464653139626565636230646638643836
+31356136626235656139336366363862313261653962666438303462353166613437663239366537
+38316636316261663062353836313639393537343437323639376463633563616435616264393532
+32333131613264363964613163303762626533623936333237326165356166363161666664646265
+65343564356661643933323634663639346634323564656366656235376234356537373237653235
+64393331343362613138666461653961646135386365623137306439343266333861653635653234
+64363934666433303165633764373431373030353238633165613630613538666363653361646432
+3833653436663838363539656235346166363430363233393965

inventory/vps.yaml

@@ -1,6 +1,6 @@
 ---
 vps:
   hosts:
-    shell:
-      hostname: shell.daemon.de
+    suto:
+      hostname: suto
 

roles/dns/tasks/main.yaml

@@ -1,8 +1,11 @@
 ---
-# FIXME: get rid of hard coded hostnames
-- name: add dns entry
-  shell: |
-    ssh {{ dns.server }} knotc -s {{ dns.socket }} zone-begin {{ dns.zone }}
-    ssh {{ dns.server }} knotc -s {{ dns.socket }} zone-set {{ dns.zone }} shell 300 AAAA {{ server_ipv6 }}
-    ssh {{ dns.server }} knotc -s {{ dns.socket }} zone-set {{ dns.zone }} pubnix 300 AAAA {{ jailip }}
-    ssh {{ dns.server }} knotc -s {{ dns.socket }} zone-commit {{ dns.zone }}
+- name: add dns entry for server
+  community.dns.hetzner_dns_record:
+    state: present
+    zone: "{{ dns.zone }}"
+    record: "{{ name }}.{{ dns.zone }}"
+    type: AAAA
+    ttl: 300
+    value: "{{ server_ipv6 }}"
+    hetzner_token: "{{ hetzner_dns_token }}"
+

roles/pub/files/sshd_config

@@ -1,4 +1,4 @@
-# pubnix sshd config
+# pub jail sshd config
 LogLevel INFO
 LoginGraceTime 1m
 PermitRootLogin no

roles/pub/tasks/main.yaml

@@ -75,7 +75,7 @@
 # create our own group[s]
 - name: Manage groups
   loop: "{{ jailgroups }}"
-  ansible.builtin.script: "bin/group.sh -g {{ item.name }} -a {{ item.state }} -d /usr/local/bastille/jails/pubnix/root"
+  ansible.builtin.script: "bin/group.sh -g {{ item.name }} -a {{ item.state }} -d /usr/local/bastille/jails/{{ role_name }}/root"
 
 # The normal  ansible user  module can't be  used here,  because we're
 # talking  about jail  users  here. I  tried to  patch  the module  to
@@ -89,3 +89,14 @@
   loop: "{{ jailusers }}"
   ansible.builtin.script: "bin/user.sh -u {{ item.name }} -g '{{ item.groups | default(defaults.group) }}' -c {{ role_name }}-user -a {{ item.state }} -d {{ defaults.jailbase }}/{{ role_name }}/root"
 
+- name: add dns entry for jail host
+  community.dns.hetzner_dns_record:
+    state: present
+    zone: "{{ dns.zone }}"
+    record: "{{ role_name }}.{{ dns.zone }}"
+    type: AAAA
+    ttl: 300
+    value: "{{ jailip.stdout }}"
+    hetzner_token: "{{ hetzner_dns_token }}"
+
+

roles/pub/templates/Bastillefile.j2

@@ -1,6 +1,6 @@
 CP etc /
 
-PKG {{ jails.pubnix.pkgs | join(' ') }}
+PKG {{ jails.pub.pkgs | join(' ') }}
 
 SYSRC sshd_enable=YES
 SYSRC sendmail_enable=NONE