Commit 3594c4eb authored by Tomas Krizek

Merge branch 'packaging-doh' into 'master'

packaging: DoH

See merge request !806
parents 909d5dd9 a4f71463
......@@ -302,11 +302,11 @@ root.hints:
- scripts/update-root-hints.sh
test:valgrind:
<<: *test_flaky # lost block in /bin/bash during ta_update
when: delayed
start_in: '30 seconds'
script:
- ${MESON_TEST} --suite unit --suite config --wrap="valgrind --leak-check=full --trace-children=yes --quiet --suppressions=/lj.supp"
- ${MESON_TEST} --suite unit --suite config --no-suite snowflake --wrap="valgrind --leak-check=full --trace-children=yes --quiet --suppressions=/lj.supp"
- MESON_TESTTHREADS=1 ${MESON_TEST} --wrap="valgrind --leak-check=full --trace-children=yes --quiet --suppressions=/lj.supp" --suite snowflake
# }}}
# extended {{{
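Review bot: the split of the valgrind job into a `--no-suite snowflake` run and a separate `MESON_TESTTHREADS=1 ... --suite snowflake` run has no comment explaining why the snowflake suite must run single-threaded under valgrind; add a one-line comment next to the `MESON_TESTTHREADS=1` line (as was done for `<<: *test_flaky`) so the next person does not fold the two commands back together.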
......
......@@ -66,8 +66,8 @@ FROM runtime
LABEL cz.knot-resolver.vendor="CZ.NIC"
LABEL maintainer="knot-resolver-users@lists.nic.cz"
# Export DNS over UDP & TCP, DNS-over-TLS, web interface
EXPOSE 53/UDP 53/TCP 853/TCP 8053/TCP
# Export DNS over UDP & TCP, DNS-over-HTTPS, DNS-over-TLS, web interface
EXPOSE 53/UDP 53/TCP 443/TCP 853/TCP 8453/TCP
# Fetch Knot Resolver + Knot DNS libraries from build image
COPY --from=build /tmp/root/ /
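Review bot: `EXPOSE 443/TCP` only serves DNS-over-HTTPS if the image's kresd.conf loads the http module and configures a `kind = 'doh'` listener (the docs in this same change say the socket "won't work" otherwise), and nothing in this hunk shows that configuration; either add it to the image or note in the image docs that 443 is exposed but inactive until configured. The `8053/TCP` -> `8453/TCP` rename is also user-visible for anyone publishing the web interface port and should be called out wherever the image ports are documented.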
......
......@@ -6,8 +6,8 @@ The server is in the `daemon` directory, it works out of the box without any con
.. code-block:: bash
$ kresd -h # Get help
$ kresd -a ::1
$ kresd -v # run with defaults in verbose mode
$ kresd -h # Get help
If you're using our packages, they also provide systemd integration. To start the resolver under systemd, you can use the ``kresd@1.service`` service. By default, the resolver only binds to local interfaces.
......@@ -385,8 +385,14 @@ Environment
Trust anchors and DNSSEC
^^^^^^^^^^^^^^^^^^^^^^^^
Since version 4.0, *DNSSEC validation is enabled by default*. To turn it off,
add the following snippet to your configuration file.
Since version 4.0, **DNSSEC validation is enabled by default**.
This is secure default and should not be changed unless absolutely necessary.
**Options in this section are intended only for expert users and normally
should not be needed.**
If you really need to turn DNSSEC off and are okay with lowering security of your
system by doing so, add the following snippet to your configuration file.
.. code-block:: lua
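Review bot: grammar in the added paragraph: "This is secure default" should read "This is a secure default", and "lowering security of your system" reads better as "lowering the security of your system". The two bold statements in a row ("DNSSEC validation is enabled by default" and "Options in this section are intended only for expert users ...") could be merged into one sentence so the warning does not read as shouting.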
......@@ -398,6 +404,10 @@ and :rfc:`7646` negative trust anchors. Depending on your distribution, DNSSEC
trust anchors should be either maintained in accordance with the distro-wide
policy, or automatically maintained by the resolver itself.
In practice this means that you can forget about it and your favorite Linux
distribution will take care of it for you.
.. function:: trust_anchors.add_file(keyfile[, readonly = false])
:param string keyfile: path to the file.
......
......@@ -3,15 +3,36 @@
Network configuration
^^^^^^^^^^^^^^^^^^^^^
For when listening on ``localhost`` just doesn't cut it.
Modern Linux distributions use so-called *Systemd socket activation*, which
effectively means that IP addresses and ports to listen on are configured
in Systemd configuration files.
**Systemd socket configuration**
Older Linux systems and all non-Linux systems do not support this modern method
and have to resort to old fashioned way of configuring network interfaces using
``net.listen()`` configuration call.
Most notable examples of such systems are CentOS 7 and macOS.
.. warning:: On machines with multiple IP addresses avoid listening on wildcards
``0.0.0.0`` or ``::``. Knot Resolver could answer from different IP
addresses if the network address ranges overlap,
and clients would probably refuse such a response.
**Network configuration using systemd**
If you're using our packages with systemd with sockets support (not supported
on CentOS 7), network interfaces are configured using systemd drop-in files for
``kresd.socket`` and ``kresd-tls.socket``.
on CentOS 7), network interfaces are configured using systemd drop-in files.
Each protocol has its own configuration file:
.. csv-table::
:header: "**Network protocol**", "**Socket file name**"
"DNS (UDP+TCP, :rfc:`1034`)","``kresd.socket``"
":ref:`DNS-over-TLS (DoT) <tls-server-config>`","``kresd-tls.socket``"
":ref:`mod-http-doh`","``kresd-doh.socket``"
":ref:`Web management <mod-http-built-in-services>`","``kresd-webmgmt.socket``"
To configure kresd to listen on public interface, create a drop-in file:
To configure kresd to listen on a public interface using the original DNS protocol,
create a drop-in file:
.. code-block:: bash
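Review bot: wording nits in the added introduction: "resort to old fashioned way" -> "resort to the old-fashioned way", and "Most notable examples of such systems are CentOS 7 and macOS" -> "The most notable examples ...". The wildcard warning ("avoid listening on wildcards ``0.0.0.0`` or ``::``") is now placed above both configuration methods, yet later hunks in this change show `ListenStream=[::]:443` and `net.listen('::', 443, { kind = 'doh' })` as examples; either qualify those examples (single-address machines) or repeat the warning next to them.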
......@@ -20,13 +41,41 @@ To configure kresd to listen on public interface, create a drop-in file:
.. code-block:: none
# /etc/systemd/system/kresd.socket.d/override.conf
# always listen on UDP (datagram) and TCP (stream) as well
[Socket]
ListenDatagram=192.0.2.115:53
ListenStream=192.0.2.115:53
.. note:: If you change network interfaces of systemd sockets for already running
kresd instance, make sure to call ``systemctl restart system-kresd.slice`` for
these changes to take effect.
Configuration you provide is automatically merged with defaults from your
distribution. It is also possible to check resulting configuration using
``systemctl cat``:
.. code-block:: bash
$ systemctl cat kresd.socket
.. code-block:: none
# merged result: user configuration + distro defaults
[Socket]
FileDescriptorName=dns
FreeBind=true
BindIPv6Only=both
ListenDatagram=[::1]:53
ListenStream=[::1]:53
ListenDatagram=127.0.0.1:53
ListenStream=127.0.0.1:53
ListenDatagram=192.0.2.115:53
ListenStream=192.0.2.115:53
.. _kresd-socket-override-port:
The default locahost interface/port can also be removed/overriden by using an
The default localhost interface/port can also be removed/overriden by using an
empty ``ListenDatagram=`` or ``ListenStream=`` directive. This can be used when
you want to configure kresd to listen on all IPv4/IPv6 network interfaces (if
you've disabled IPv6 support in kernel, use ``0.0.0.0`` instead of ``[::]`` ).
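Review bot: the spelling fix on this line corrects "locahost" but leaves "overriden" (should be "overridden") in the same sentence; fix both while the line is being touched. In the note above it, "network interfaces of systemd sockets for already running kresd instance" needs an article ("for an already running kresd instance").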
......@@ -45,9 +94,10 @@ you've disabled IPv6 support in kernel, use ``0.0.0.0`` instead of ``[::]`` ).
possible workarounds, see
https://gitlab.labs.nic.cz/knot/knot-resolver/issues/445
It can also be useful if you want to use the Knot DNS with the `dnsproxy
module`_ to have both resolver and authoritative server running on the same
machine.
It can also be useful if you want to use the Knot DNS authoritative server
with the `dnsproxy module`_ to have both resolver and authoritative server
running on the same machine. This is not recommended configuration but it can
be done like this:
.. code-block:: none
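Review bot: "This is not recommended configuration" should read "This is not a recommended configuration", and the sentence states that the setup is discouraged without saying why; a short clause giving the reason would help the reader decide whether the dnsproxy setup applies to them.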
......@@ -63,7 +113,7 @@ machine.
.. _kresd-tls-socket-override-port:
The ``kresd-tls.socket`` can also be configured in the same way to listen for
TLS connections.
DNS-over-TLS connections (:rfc:`7858`).
.. code-block:: bash
......@@ -72,67 +122,98 @@ TLS connections.
.. code-block:: none
# /etc/systemd/system/kresd-tls.socket.d/override.conf
# specify only TCP (stream), DTLS is not supported
[Socket]
ListenStream=192.0.2.115:853
**Daemon network configuration**
If you don't use systemd with sockets to run kresd, network interfaces are
configured in the config file.
When configuring sockets for :ref:`mod-http-doh`, make sure you have
``kresd-doh.socket`` installed, it might be part of a separate
``knot-resolver-module-http`` package.
.. tip:: Use declarative interface for network.
.. warning:: Make sure you read section :ref:`mod-http-doh` before exposing
the DoH protocol to outside.
.. code-block:: lua
For example, to remove the default localhost:44353 and listen on all interfaces
on port 443, create the following drop-in file for ``kresd-doh.socket``:
net = { '127.0.0.1', net.eth0, net.eth1.addr[1] }
net.ipv4 = false
.. warning:: On machines with multiple IP addresses avoid binding to wildcard ``0.0.0.0`` or ``::`` (see example below). Knot Resolver could answer from different IP in case the ranges overlap and client will probably refuse such a response.
.. code-block:: bash
.. code-block:: lua
$ systemctl edit kresd-doh.socket
net = { '0.0.0.0' }
.. code-block:: bash
# /etc/systemd/system/kresd-doh.socket.d/override.conf
[Socket]
ListenStream=
ListenStream=[::]:443
.. envvar:: net.ipv6 = true|false
Make sure no other service is using port 443, as that will result in
unpredictable behaviour. Alternately, you can use port 44353 where a collision
is unlikely.
:return: boolean (default: true)
Also, don't forget to :ref:`load http module in configuration <mod-http-example>`
file, otherwise the socket won't work.
Enable/disable using IPv6 for contacting upstream nameservers.
**Legacy network configuration using configuration file**
.. envvar:: net.ipv4 = true|false
:return: boolean (default: true)
Enable/disable using IPv4 for contacting upstream nameservers.
If you don't use systemd with sockets to run kresd, addresses and ports to listen
on are configured in the config file.
.. function:: net.listen(addresses, [port = 53, { kind = 'dns' }])
:return: boolean
Listen on addresses; port and flags are optional.
The addresses can be specified as a string or device,
or a list of addresses (recursively).
The addresses can be specified as a string or device.
The command can be given multiple times,
but repeating an address-port combination is an error.
Port 853 implies ``kind = 'tls'`` but it is always better to be explicit.
If you specify port 853, ``kind = 'tls'`` by default.
.. csv-table::
:header: "**Network protocol**", "**Configuration command**"
Examples:
"DNS (UDP+TCP, :rfc:`1034`)","``net.listen('192.0.2.123', 53)``"
":ref:`DNS-over-TLS (DoT) <tls-server-config>`","``net.listen('192.0.2.123', 853, { kind = 'tls' })``"
":ref:`mod-http-doh`","``net.listen('192.0.2.123', 443, { kind = 'doh' })``"
":ref:`Web management <mod-http-built-in-services>`","``net.listen('192.0.2.123', 8453, { kind = 'webmgmt' })``"
Examples:
.. code-block:: lua
net.listen('::1')
net.listen(net.lo, 5353)
net.listen({net.eth0, '127.0.0.1'}, 53853, { kind = 'tls' })
net.listen(net.lo, 53)
net.listen(net.eth0, 853, { kind = 'tls' })
net.listen('::', 443, { kind = 'doh' }) -- see http module
net.listen('::', 8453, { kind = 'webmgmt' }) -- see http module
.. warning:: Make sure you read section :ref:`mod-http-doh` before exposing
the DNS-over-HTTP protocol to outside.
.. function:: net.close(address, [port])
:return: boolean (at least one endpoint closed)
Close all endpoints listening on the specified address, optionally restricted by port as well.
**Additional network configuration options**
Following commands are useful in special situations and can be usef with and without systemd socket activation:
.. envvar:: net.ipv6 = true|false
:return: boolean (default: true)
Enable/disable using IPv6 for contacting upstream nameservers.
.. envvar:: net.ipv4 = true|false
:return: boolean (default: true)
Enable/disable using IPv4 for contacting upstream nameservers.
.. function:: net.list()
:return: Table of bound interfaces.
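Review bot: typo in the "Additional network configuration options" lead sentence: "can be usef with and without" -> "can be useful with and without", and "Following commands" -> "The following commands". The removed `.. tip:: Use declarative interface for network.` and the `net = { '127.0.0.1', net.eth0, net.eth1.addr[1] }` / `net.ipv4 = false` example disappear from the docs without a replacement; if the declarative `net = {...}` form is still accepted it should keep an example, and if it is no longer supported that belongs in NEWS. The DoH drop-in example (`ListenStream=` followed by `ListenStream=[::]:443`) and the Lua example `net.listen('::', 443, { kind = 'doh' })` both bind the wildcard that the warning at the top of this file tells users to avoid on multi-address machines; add a clause such as "on a machine with a single public address" or use a concrete address as the other examples do.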
......@@ -229,21 +310,13 @@ configured in the config file.
TLS server configuration
^^^^^^^^^^^^^^^^^^^^^^^^
.. note:: Installations using systemd should be configured using systemd-specific procedures
described in manual page ``kresd.systemd(7)``.
DNS-over-TLS server (:rfc:`7858`) can be enabled using ``{tls = true}`` parameter
in :c:func:`net.listen()` function call. For example:
.. code-block:: lua
> net.listen("::", 53) -- plain UDP+TCP on port 53 (standard DNS)
> net.listen("::", 853, {tls = true}) -- DNS-over-TLS on port 853 (standard DoT)
> net.listen("::", 443, {tls = true}) -- DNS-over-TLS on port 443 (non-standard)
DNS-over-TLS server (:rfc:`7858`) is enabled by default on loopback interface port 853.
Information how to configure listening on specific IP addresses is in previous sections
:ref:`network-configuration`.
By default an self-signed certificate will be generated. For serious deployments
it is strongly recommended to provide TLS certificates signed by a trusted CA
using :c:func:`net.tls()`.
By default a self-signed certificate is generated. For serious deployments
it is strongly recommended to configure your own TLS certificates signed
by a trusted CA. This is done using function :c:func:`net.tls()`.
.. function:: net.tls([cert_path], [key_path])
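Review bot: "Information how to configure listening on specific IP addresses is in previous sections" -> "Information on how to configure listening on specific IP addresses is in the previous section". The removed examples used `net.listen("::", 853, {tls = true})` while the new network section documents `{ kind = 'tls' }`; if `{tls = true}` is still accepted, say so here for users upgrading, and if it is not, the removal needs a NEWS entry.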
......
......@@ -159,7 +159,7 @@ function M.add_interface(conf)
local addr_str
if not conf.path then
conf.host = conf.host or 'localhost'
conf.port = conf.port or 8053
conf.port = conf.port or 8453
addr_str = string.format('%s@%d', conf.host, conf.port)
else
if conf.host or conf.port then
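Review bot: changing the default `conf.port` from 8053 to 8453 changes behaviour for every existing configuration that relies on the module default, and the visible change carries no NEWS or documentation entry for it; add one, and state in the http module docs that the old port must now be given explicitly.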
......
......@@ -24,6 +24,7 @@ depends=(
'systemd'
)
optdepends=(
'lua51-basexx: experimental_dot_auth module',
'lua51-http: http module',
'lua51-filesystem: prefill module',
)
......@@ -61,7 +62,7 @@ package() {
DESTDIR=${pkgdir} ninja -C build_arch install
# add kresd.target to multi-user.target.wants to support enabling kresd services
install -dm 0755 "${pkgdir}/usr/lib/systemd/system/multi-user.target.wants"
install -d -m 0755 "${pkgdir}/usr/lib/systemd/system/multi-user.target.wants"
ln -s ../kresd.target "${pkgdir}/usr/lib/systemd/system/multi-user.target.wants/kresd.target"
# remove modules with missing dependencies
......
......@@ -39,8 +39,10 @@ Replaces:
Breaks:
libkres9 (<< 3.2.1-2),
Recommends:
knot-resolver-module-http,
lua-basexx,
lua-cqueues,
Suggests:
knot-resolver-module-http,
Description: caching, DNSSEC-validating DNS resolver
The Knot Resolver is a caching full resolver implementation
written in C and LuaJIT, including both a resolver library and a
......@@ -61,11 +63,14 @@ Description: caching, DNSSEC-validating DNS resolver
Package: knot-resolver-module-http
Architecture: all
Depends:
knot-resolver,
libjs-bootstrap,
libjs-d3,
libjs-jquery,
lua-cqueues (>= 20171014),
lua-http,
lua-mmdb,
systemd,
${misc:Depends},
${shlibs:Depends},
Breaks:
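Review bot: the `Depends:` of `knot-resolver-module-http` lists `knot-resolver` without a version constraint, although the module relies on features introduced alongside it in this change (`kind = 'doh'` listeners, the 8453 default); use a versioned dependency such as `knot-resolver (>= ${binary:Version})` or an equivalent so the module cannot be installed against an older daemon. `systemd` as a hard dependency of an `Architecture: all` module is also stricter than the docs in this change, which describe `net.listen(..., { kind = 'doh' })` working without socket activation; `Recommends:` would match that.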
......
usr/lib/systemd/system/kresd@.service.d/module-http.conf lib/systemd/system/kresd@.service.d/
usr/lib/systemd/system/kresd-doh.socket lib/systemd/system/
usr/lib/systemd/system/kresd-webmgmt.socket lib/systemd/system/
usr/lib/knot-resolver/kres_modules/http*.lua
usr/lib/knot-resolver/kres_modules/prometheus.lua
usr/lib/knot-resolver/kres_modules/http/*.css
......
#!/bin/sh
set -e
if [ "$1" = "configure" ]; then
systemctl daemon-reload || true
fi
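Review bot: the postinst lacks the `#DEBHELPER#` token, so debhelper cannot inject its generated snippets (unit file handling for the new `kresd-doh.socket` and `kresd-webmgmt.socket` among them); add it after the `configure` block, and reconsider whether the manual `systemctl daemon-reload || true` is still needed once debhelper's snippets run.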
/lib/systemd/system/kresd@.service.d
/var/lib/knot-resolver
etc/knot-resolver/kresd.conf
usr/lib/systemd/system/* lib/systemd/system/
usr/lib/systemd/system/kresd@.service lib/systemd/system/
usr/lib/systemd/system/kresd.target lib/systemd/system/
usr/lib/systemd/system/kresd.socket lib/systemd/system/
usr/lib/systemd/system/kresd-tls.socket lib/systemd/system/
usr/lib/systemd/system/kresd-control@.socket lib/systemd/system/
usr/lib/*.so.*
usr/lib/tmpfiles.d/knot-resolver.conf
usr/lib/knot-resolver/*.so
......@@ -21,6 +25,7 @@ usr/lib/knot-resolver/kres_modules/renumber.lua
usr/lib/knot-resolver/kres_modules/serve_stale.lua
usr/lib/knot-resolver/kres_modules/ta_sentinel.lua
usr/lib/knot-resolver/kres_modules/ta_signal_query.lua
usr/lib/knot-resolver/kres_modules/ta_update.lua
usr/lib/knot-resolver/kres_modules/view.lua
usr/lib/knot-resolver/kres_modules/workarounds.lua
usr/sbin/kresc
......
......@@ -47,25 +47,27 @@ BuildRequires: pkgconfig(libsystemd)
BuildRequires: pkgconfig(libuv)
BuildRequires: pkgconfig(luajit) >= 2.0
Requires: systemd
Requires: systemd
# Distro-dependent dependencies
%if 0%{?rhel}
BuildRequires: lmdb-devel
# Lua 5.1 version of the libraries have different package names
Requires: lua-basexx
Requires: lua-socket
Requires: lua-sec
Requires: lua-filesystem
Requires(pre): shadow-utils
Requires(pre): shadow-utils
%endif
%if 0%{?fedora}
BuildRequires: pkgconfig(lmdb)
BuildRequires: python3-sphinx
Requires: lua-cqueues-compat
Requires: lua5.1-basexx
Requires: lua5.1-cqueues
Requires: lua-filesystem-compat
Requires: lua-socket-compat
Requires: lua-sec-compat
Requires(pre): shadow-utils
Requires(pre): shadow-utils
%endif
%if 0%{?suse_version}
%define NINJA ninja
......@@ -74,7 +76,7 @@ BuildRequires: python3-Sphinx
Requires: lua51-luafilesystem
Requires: lua51-luasocket
Requires: lua51-luasec
Requires(pre): shadow
Requires(pre): shadow
%endif
%if "x%{?rhel}" == "x"
......@@ -112,6 +114,24 @@ Requires: %{name} = %{version}-%{release}
Documentation for Knot Resolver
%endif
%if "x%{?suse_version}" == "x"
%package module-http
Summary: HTTP/2 module for Knot Resolver
Requires: knot-resolver
%if 0%{?fedora}
Requires: lua5.1-http
Requires: lua5.1-mmdb
%else
Requires: lua-http
Requires: lua-mmdb
%endif
%description module-http
HTTP/2 module for Knot Resolver has multiple uses. It enables use of
DNS-over-HTTP, can serve as API ednpoint for other modules or provide a web
interface for local visualization of the resolver cache and queries.
%endif
%prep
%if 0%{GPG_CHECK}
export GNUPGHOME=./gpg-keyring
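Review bot: typos in `%description module-http`: "ednpoint" -> "endpoint", and "DNS-over-HTTP" should be "DNS-over-HTTPS" to match the documentation in this change; "It enables use of DNS-over-HTTP" also reads better as "It enables DNS-over-HTTPS".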
......@@ -161,10 +181,16 @@ install -m 0750 -d %{buildroot}/run/%{name}
# remove modules with missing dependencies
rm %{buildroot}%{_libdir}/knot-resolver/kres_modules/etcd.lua
%if 0%{?suse_version}
rm %{buildroot}%{_libdir}/knot-resolver/kres_modules/experimental_dot_auth.lua
rm -r %{buildroot}%{_libdir}/knot-resolver/kres_modules/http
rm %{buildroot}%{_libdir}/knot-resolver/kres_modules/http.lua
rm %{buildroot}%{_libdir}/knot-resolver/kres_modules/http_trace.lua
rm %{buildroot}%{_libdir}/knot-resolver/kres_modules/http*.lua
rm %{buildroot}%{_libdir}/knot-resolver/kres_modules/prometheus.lua
rm %{buildroot}%{_unitdir}/kresd@.service.d/module-http.conf
rm %{buildroot}%{_unitdir}/kresd-doh.socket
rm %{buildroot}%{_unitdir}/kresd-webmgmt.socket
%endif
# rename doc directory for centos, opensuse
%if "x%{?fedora}" == "x"
......@@ -207,12 +233,15 @@ getent passwd knot-resolver >/dev/null || useradd -r -g knot-resolver -d %{_sysc
%attr(664,root,knot-resolver) %config(noreplace) %{_sysconfdir}/knot-resolver/root.keys
%attr(644,root,knot-resolver) %config(noreplace) %{_sysconfdir}/knot-resolver/root.hints
%attr(644,root,knot-resolver) %config(noreplace) %{_sysconfdir}/knot-resolver/icann-ca.pem
%{_unitdir}/kresd*.service
%{_unitdir}/kresd@.service
%{_unitdir}/kresd.target
%dir %{_unitdir}/multi-user.target.wants
%{_unitdir}/multi-user.target.wants/kresd.target
%if "x%{?rhel}" == "x"
%{_unitdir}/kresd*.socket
%dir %{_unitdir}/kresd@.service.d
%{_unitdir}/kresd.socket
%{_unitdir}/kresd-tls.socket
%{_unitdir}/kresd-control@.socket
%ghost /run/%{name}/
%{_mandir}/man7/kresd.systemd.7.gz
%else
......@@ -223,7 +252,32 @@ getent passwd knot-resolver >/dev/null || useradd -r -g knot-resolver -d %{_sysc
%{_sbindir}/kresd
%{_sbindir}/kresc
%{_libdir}/libkres.so.*
%{_libdir}/knot-resolver
%dir %{_libdir}/knot-resolver
%{_libdir}/knot-resolver/*.so
%{_libdir}/knot-resolver/*.lua
%dir %{_libdir}/knot-resolver/kres_modules
%{_libdir}/knot-resolver/kres_modules/*.so
%{_libdir}/knot-resolver/kres_modules/daf
%{_libdir}/knot-resolver/kres_modules/daf.lua
%{_libdir}/knot-resolver/kres_modules/detect_time_jump.lua
%{_libdir}/knot-resolver/kres_modules/detect_time_skew.lua
%{_libdir}/knot-resolver/kres_modules/dns64.lua
%if "x%{?suse_version}" == "x"
%{_libdir}/knot-resolver/kres_modules/experimental_dot_auth.lua
%endif
%{_libdir}/knot-resolver/kres_modules/graphite.lua
%{_libdir}/knot-resolver/kres_modules/policy.lua
%{_libdir}/knot-resolver/kres_modules/predict.lua
%{_libdir}/knot-resolver/kres_modules/prefill.lua
%{_libdir}/knot-resolver/kres_modules/priming.lua
%{_libdir}/knot-resolver/kres_modules/rebinding.lua
%{_libdir}/knot-resolver/kres_modules/renumber.lua
%{_libdir}/knot-resolver/kres_modules/serve_stale.lua
%{_libdir}/knot-resolver/kres_modules/ta_sentinel.lua
%{_libdir}/knot-resolver/kres_modules/ta_signal_query.lua
%{_libdir}/knot-resolver/kres_modules/ta_update.lua
%{_libdir}/knot-resolver/kres_modules/view.lua
%{_libdir}/knot-resolver/kres_modules/workarounds.lua
%{_mandir}/man8/kresd.8.gz
%files devel
......@@ -237,6 +291,18 @@ getent passwd knot-resolver >/dev/null || useradd -r -g knot-resolver -d %{_sysc
%doc %{_pkgdocdir}/html
%endif
%if "x%{?suse_version}" == "x"
%files module-http
%if 0%{?fedora}
%{_unitdir}/kresd@.service.d/module-http.conf
%{_unitdir}/kresd-doh.socket
%{_unitdir}/kresd-webmgmt.socket
%endif
%{_libdir}/knot-resolver/kres_modules/http
%{_libdir}/knot-resolver/kres_modules/http*.lua
%{_libdir}/knot-resolver/kres_modules/prometheus.lua
%endif
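Review bot: on RHEL/CentOS, `kresd-doh.socket`, `kresd-webmgmt.socket` and `kresd@.service.d/module-http.conf` appear to be neither removed nor packaged: the `rm` block in `%install` is guarded by `%if 0%{?suse_version}`, this `%files module-http` section lists them only under `%if 0%{?fedora}`, and the main `%files` lists socket units only under `%if "x%{?rhel}" == "x"`. Unless the hidden `%else` branch removes them, rpmbuild will fail with "Installed (but unpackaged) file(s) found" on rhel; either extend the `rm` block to rhel or list the files there.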
%changelog
* Fri Feb 16 2018 Tomas Krizek <tomas.krizek@nic.cz> - 2.1.0-1
- see NEWS or https://www.knot-resolver.cz/
......
[defaults]
# additional paths to search for roles in, colon separated
roles_path = ../ansible-roles
# Knot Resolver testing role
**WARNING**: This is for testing only, not currently suitable for production.
Role which sets up Knot Resolver and performs checks it is running, including:
- Setting up upstream repositories
- Installing Knot Resolver
- Perfoming basic tests
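Review bot: typo in the role README: "Perfoming basic tests" -> "Performing basic tests".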
---
repos:
- knot-resolver-latest
distro: "{{ ansible_distribution | replace(' ', '_') }}"
repo_file_url: "https://download.opensuse.org/repositories/home:CZ-NIC:{{ item }}/{{ obs_distro_name }}/home:CZ-NIC:{{ item }}.repo"
update_packages: false

---
- name: doh_config set up kresd.conf
blockinfile:
marker: "-- {mark} ANSIBLE MANAGED BLOCK"
block: |
modules.load('http')
path: /etc/knot-resolver/kresd.conf
---
- name: doh_config set up kresd.conf
blockinfile:
marker: -- {mark} ANSIBLE MANAGED BLOCK
block: |
net.listen('127.0.0.1', 44353, { kind = 'doh' })
modules.load('http')
path: /etc/knot-resolver/kresd.conf
insertbefore: BOF
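Review bot: the two `doh_config set up kresd.conf` tasks use the same task name and marker but differ in placement: this one inserts the block at `BOF` (the `net.listen(...)` must precede other config), while the previous one has no `insertbefore` and therefore appends at end of file. Give the tasks distinct names (e.g. mentioning systemd-socket vs. legacy listener) and add a comment on why the placement differs, otherwise the next edit will likely "harmonise" them.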
---
- name: Install EPEL
yum:
name: epel-release
state: present
- name: Download repo file(s)
get_url:
url: "{{ repo_file_url }}"
dest: /etc/yum.repos.d/home:CZ-NIC:{{ item }}.repo
with_items: "{{ repos }}"
---
- name: Add upstream package signing key
apt_key:
data: "{{ lookup('file', 'Release.pub') }}"
state: present
- name: Add OBS repo(s)
apt_repository:
repo: >
deb http://download.opensuse.org/repositories/home:/CZ-NIC:/{{ item }}/{{ obs_distro_name }}/ /
state: present
update_cache: true
with_items: "{{ repos }}"
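Review bot: the Debian repo line uses `deb http://download.opensuse.org/...` while `repo_file_url` in defaults uses `https://`; use https here as well so repository metadata is not fetched in the clear, independent of the signature check that `apt_key` enables.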
---
- name: Download repo file(s)
get_url:
url: "{{ repo_file_url }}"
dest: "/etc/yum.repos.d/home:CZ-NIC:{{ item }}.repo"
with_items: "{{ repos }}"
---
- name: Add upstream repo(s)
zypper_repository:
repo: "{{ repo_file_url}}"
state: present
disable_gpg_check: true # auto_import_keys is broken
with_items: "{{ repos }}"
- name: Refresh all repositories
zypper_repository:
repo: '*'
runrefresh: true
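Review bot: `disable_gpg_check: true` turns off signature verification for the added zypper repositories, so packages are installed unverified; the comment blames `auto_import_keys`, but the signing key is already shipped with the role as `Release.pub` (used by the Debian task via `apt_key`), so import it with the `rpm_key` module before adding the repo and leave verification on. If this must stay for the test role, mark it with a TODO and keep the `**WARNING**: This is for testing only` note in the README in sync.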
---
- name: Include distribution specific vars
include_vars: "{{ distro }}.yaml"
- name: Configure upstream reporitories
include: "configure_repos/{{ distro }}.yaml"
- name: Update all packages
package:
name: '*'
state: latest
when: update_packages
- name: Install packages
package:
name: "{{ packages }}"
state: latest
- name: Always print package version at the end
block:
- include: restart_kresd.yaml
- include: test_udp.yaml
- include: test_tcp.yaml
- include: test_tls.yaml
- include: test_dnssec.yaml
- name: Test DoH
block:
- name: Install knot-resolver-module-http
package:
name: knot-resolver-module-http
state: latest
- include: configure_doh.yaml
when: ansible_distribution in ["Fedora", "Debian", "Ubuntu"]
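Review bot: typo in the task name "Configure upstream reporitories" -> "Configure upstream repositories". The block named "Always print package version at the end" contains the restart and the UDP/TCP/TLS/DNSSEC test includes but nothing that prints a version; rename it or add the missing task. `include:` is deprecated in current Ansible in favour of `include_tasks:` / `import_tasks:`; switching now avoids deprecation warnings in the CI output.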