author | Matthew Fennell <matthew@fennell.dev> | 2024-02-28 21:49:20 +0000 |
committer | Matthew Fennell <matthew@fennell.dev> | 2024-02-28 21:49:20 +0000 |
commit | c5eec5087a37931823b0618547e9c043d0e27c0c (patch) | |
tree | 9b2f29aca3c3240b744d0cc89fbf8ad0409c472e /playbook.yaml | |
parent | 9f0da9a2171547b101eaefcd17b75daa04669bc6 (diff) |
Register DNS records via deSEC
I have moved DNS configuration for all of my servers to deSEC, thanks to its
easy-to-use REST interface. This allows me to configure DNS records as part of
the playbook, instead of having to add them manually for each new server I'd
like to create. The consequence of this is that the playbook now has a hard
dependency on deSEC.
Diffstat (limited to 'playbook.yaml')
-rw-r--r-- | playbook.yaml | 88 |
1 files changed, 88 insertions, 0 deletions
diff --git a/playbook.yaml b/playbook.yaml
index d11ff6a..25bf1fe 100644
--- a/playbook.yaml
+++ b/playbook.yaml
@@ -8,6 +8,84 @@
 hosts: xmpp_server
 tasks:
+ # We allow status code 400 here as this is returned by deSEC if the domain
+ # already exists. Ideally, we should filter out genuinely good/bad requests
+ # here using the response.
+ - name: Ensure domain exists in deSEC
+ ansible.builtin.uri:
+ url: https://desec.io/api/v1/domains/
+ method: POST
+ status_code: [201, 400]
+ body_format: json
+ headers:
+ Authorization: Token {{ desec_token }}
+ body:
+ name: "{{ virtual_host }}"
+ register: request
+ delegate_to: localhost
+
+ - name: Ensure domain is registered
+ ansible.builtin.uri:
+ url: https://desec.io/api/v1/domains/{{ virtual_host }}/
+ method: GET
+ headers:
+ Authorization: Token {{ desec_token }}
+ register: domain
+ delegate_to: localhost
+
+ - name: Ensure domain to register DS record is registered
+ ansible.builtin.uri:
+ url: https://desec.io/api/v1/domains/?owns_qname={{ parent_host }}
+ method: GET
+ headers:
+ Authorization: Token {{ desec_token }}
+ register: parent_domain
+ delegate_to: localhost
+
+ - name: Ensure DS is registered in parent domain
+ ansible.builtin.uri:
+ url: "https://desec.io/api/v1/domains/{{ domain_with_ds }}/rrsets/"
+ method: PUT
+ body_format: json
+ headers:
+ Authorization: Token {{ desec_token }}
+ body:
+ - subname: "{{ ds_subname }}"
+ type: DS
+ ttl: 3600
+ records: "{{ domain_keys }}"
+ delegate_to: localhost
+
+ - name: Ensure records are registered in subdomain
+ ansible.builtin.uri:
+ url: "https://desec.io/api/v1/domains/{{ virtual_host }}/rrsets/"
+ method: PUT
+ body_format: json
+ headers:
+ Authorization: Token {{ desec_token }}
+ body:
+ - subname: ""
+ type: AAAA
+ ttl: 3600
+ records: ["{{ public_ip }}"]
+ - subname: "turn"
+ type: CNAME
+ ttl: 3600
+ records: ["{{ virtual_host }}."]
+ - subname: "upload"
+ type: CNAME
+ ttl: 3600
+ records: ["{{ virtual_host }}."]
+ - subname: "_xmpps-client._tcp"
+ type: SRV
+ ttl: 3600
+ records: ["0 5 5223 {{ virtual_host }}."]
+ - subname: "_xmpps-server._tcp"
+ type: SRV
+ ttl: 3600
+ records: ["0 5 5270 {{ virtual_host }}."]
+ delegate_to: localhost
+
 # We specifically use apt instead of the more general package module here,
 # because we want to ensure the cache is updated before we try and install
 # anything. This is needed because, on a freh Debian install on AWS
@@ -202,3 +280,13 @@
 name: coturn
 state: restarted
 become: true
+
+ vars:
+ domain_keys: >-
+ {{- domain.json["keys"]
+ | map(attribute='ds')
+ | flatten
+ | select("search", " 13 2 ") -}}
+ parent_host: "{{ virtual_host.split('.')[1:] | join('.') }}"
+ domain_with_ds: "{{ parent_domain.json | map(attribute='name') | first }}"
+ ds_subname: "{{ virtual_host | regex_replace('.' + domain_with_ds, '') }}" |
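Review bot: Every one of the five new `ansible.builtin.uri` tasks sends `Authorization: Token {{ desec_token }}` as a module argument, and Ansible echoes module arguments (headers included) in the failure output of a task and under `-v`, so the deSEC API token will land in console or CI logs the first time one of these requests fails; each of these tasks should carry `no_log: true` (the "Ensure domain exists in deSEC" task first, then the four that follow it). The POST task also accepts a 400 as success and so reports `changed` on every run even when the domain already exists; `changed_when: request.status == 201` would make it idempotent, and if deSEC's 400 body distinguishes "already exists" from other client errors (I cannot tell from the hunk), a `failed_when` on that body would implement the filtering the comment above the task asks for. The enclosing play begins before the first context line of this hunk.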
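Review bot: In `ds_subname`, the pattern `'.' + domain_with_ds` is built from an unescaped `.` and an unescaped, unanchored domain name, so `regex_replace` strips the first substring of `virtual_host` that happens to match (any character followed by the parent's labels, with their dots also acting as wildcards) rather than the trailing parent zone; the intended suffix strip is `ds_subname: "{{ virtual_host | regex_replace('\\.' + (domain_with_ds | regex_escape) + '$', '') }}"`. Separately, `domain_with_ds` applies `first` to `parent_domain.json`, which fails with an opaque filter error if the `owns_qname` lookup returned an empty list; a preceding `ansible.builtin.assert` on `parent_domain.json | length > 0` would give a clear message instead. The `vars:` block belongs to a play whose start is outside this hunk.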