From c5eec5087a37931823b0618547e9c043d0e27c0c Mon Sep 17 00:00:00 2001
From: Matthew Fennell
Date: Wed, 28 Feb 2024 21:49:20 +0000
Subject: Register DNS records via deSEC

I have moved DNS configuration for all of my servers to deSEC, thanks to its easy-to-use REST interface. This allows me to configure DNS records as part of the playbook, instead of having to add them manually for each new server I'd like to create. The consequence of this is that the playbook now has a hard dependency on deSEC.
---
 playbook.yaml | 88 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 88 insertions(+)

diff --git a/playbook.yaml b/playbook.yaml
index d11ff6a..25bf1fe 100644
--- a/playbook.yaml
+++ b/playbook.yaml
@@ -8,6 +8,84 @@
   hosts: xmpp_server
   tasks:
+    # We allow status code 400 here as this is returned by deSEC if the domain
+    # already exists. Ideally, we should filter out genuinely good/bad requests
+    # here using the response.
+    - name: Ensure domain exists in deSEC
+      ansible.builtin.uri:
+        url: https://desec.io/api/v1/domains/
+        method: POST
+        status_code: [201, 400]
+        body_format: json
+        headers:
+          Authorization: Token {{ desec_token }}
+        body:
+          name: "{{ virtual_host }}"
+      register: request
+      delegate_to: localhost
+
+    - name: Ensure domain is registered
+      ansible.builtin.uri:
+        url: https://desec.io/api/v1/domains/{{ virtual_host }}/
+        method: GET
+        headers:
+          Authorization: Token {{ desec_token }}
+      register: domain
+      delegate_to: localhost
+
+    - name: Ensure domain to register DS record is registered
+      ansible.builtin.uri:
+        url: https://desec.io/api/v1/domains/?owns_qname={{ parent_host }}
+        method: GET
+        headers:
+          Authorization: Token {{ desec_token }}
+      register: parent_domain
+      delegate_to: localhost
+
+    - name: Ensure DS is registered in parent domain
+      ansible.builtin.uri:
+        url: "https://desec.io/api/v1/domains/{{ domain_with_ds }}/rrsets/"
+        method: PUT
+        body_format: json
+        headers:
+          Authorization: Token {{ desec_token }}
+        body:
+          - subname: "{{ ds_subname }}"
+            type: DS
+            ttl: 3600
+            records: "{{ domain_keys }}"
+      delegate_to: localhost
+
+    - name: Ensure records are registered in subdomain
+      ansible.builtin.uri:
+        url: "https://desec.io/api/v1/domains/{{ virtual_host }}/rrsets/"
+        method: PUT
+        body_format: json
+        headers:
+          Authorization: Token {{ desec_token }}
+        body:
+          - subname: ""
+            type: AAAA
+            ttl: 3600
+            records: ["{{ public_ip }}"]
+          - subname: "turn"
+            type: CNAME
+            ttl: 3600
+            records: ["{{ virtual_host }}."]
+          - subname: "upload"
+            type: CNAME
+            ttl: 3600
+            records: ["{{ virtual_host }}."]
+          - subname: "_xmpps-client._tcp"
+            type: SRV
+            ttl: 3600
+            records: ["0 5 5223 {{ virtual_host }}."]
+          - subname: "_xmpps-server._tcp"
+            type: SRV
+            ttl: 3600
+            records: ["0 5 5270 {{ virtual_host }}."]
+      delegate_to: localhost
+
     # We specifically use apt instead of the more general package module here,
     # because we want to ensure the cache is updated before we try and install
     # anything. This is needed because, on a freh Debian install on AWS
@@ -202,3 +280,13 @@
         name: coturn
         state: restarted
       become: true
+
+  vars:
+    domain_keys: >-
+      {{- domain.json["keys"]
+      | map(attribute='ds')
+      | flatten
+      | select("search", " 13 2 ") -}}
+    parent_host: "{{ virtual_host.split('.')[1:] | join('.') }}"
+    domain_with_ds: "{{ parent_domain.json | map(attribute='name') | first }}"
+    ds_subname: "{{ virtual_host | regex_replace('.' + domain_with_ds, '') }}"
-- 
cgit v1.2.3
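Review bot: Every `ansible.builtin.uri` task in this hunk sends `Authorization: Token {{ desec_token }}` without `no_log: true`, so a failed request or a verbose run prints the module arguments, token included, into the play output and any CI log that captures it. Add `no_log: true` next to `delegate_to: localhost` on all five tasks; registered results such as `domain` and `parent_domain` still work with it set. The first task's `status_code: [201, 400]` accepts every 400, as its own comment admits; a `failed_when` that inspects `request.json` for the already-exists case (confirm the exact field against a real 400 response) would stop genuinely bad requests from passing silently. `register: request` is not referenced anywhere else in this diff.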
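Review bot: `ds_subname` strips the parent with `regex_replace('.' + domain_with_ds, '')`, where the leading `.` is an unescaped any-character metacharacter, the dots inside `domain_with_ds` are likewise unescaped, and the pattern is unanchored, so it can match and remove the wrong span of `virtual_host`. Escaping and anchoring makes the intent explicit: `ds_subname: "{{ virtual_host | regex_replace('\\.' ~ (domain_with_ds | regex_escape) ~ '$', '') }}"`. `domain_with_ds` also takes `| first` of the owns_qname lookup, which fails inside the DS task rather than at the lookup when deSEC returns an empty list for `parent_host`; an `ansible.builtin.assert` that `parent_domain.json | length > 0` before the DS task gives a clearer failure.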