
update name-resolution role to work with new infra vars

Blaine Story 3 سال پیش
والد
کامیت
ec0faf360d

+ 9 - 1
roles/name-resolution/defaults/main.yml

@@ -1,2 +1,10 @@
 ---
-dhcp_hosts: "bootstrap"
+#dhcp_hosts: "bootstrap"
+
+# primary dns on gateway, backups on everything else
+dns_primary: 1.1.1.1
+dns_secondary: 1.0.0.1
+
+dns_over_https: false
+
+allowed_access_cidrs: []
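Review bot: `allowed_access_cidrs: []` is the value that now feeds the `access-control` loop in unbound.conf.j2, so a host that does not override it in inventory answers queries from 127.0.0.0/8 only; that is a sensible fail-closed default, but nothing in the defaults file says so and the `dhcp_hosts` line above is merely commented out rather than removed. Document the contract on the new key, e.g. `# CIDRs allowed to query unbound in addition to 127.0.0.0/8; empty means localhost only, set per host in inventory`, and either delete `#dhcp_hosts` or say why it is kept. The comment on `dns_primary`/`dns_secondary` ("primary dns on gateway, backups on everything else") is ambiguous about which hosts get which resolver; state it in one line, e.g. `# upstream resolvers handed to DHCP clients and configured on the gateway NIC`.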

+ 29 - 25
roles/name-resolution/tasks/main.yml

@@ -7,10 +7,21 @@
     update_cache: no
     state: present
 
+- name: Create custom service folders
+  file:
+    path: /etc/systemd/system/{{ item }}.service.d
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+  loop:
+    - dhcpd
+    - unbound
+
 - name: Make services autorestart themselves on failure
   template:
-    src: "{{ item }}.service.j2"
-    dest: /etc/systemd/system/{{ item }}.service
+    src: "custom-service-autorestart.j2"
+    dest: /etc/systemd/system/{{ item }}.service.d/autorestart.conf
     owner: root
     group: root
     mode: '0644'
@@ -49,7 +60,7 @@
 
 - name: Copy dhcpd.conf
   template:
-    src: dhcpd.conf.j2
+    src: dhcpd/dhcpd.conf.j2
     dest: /etc/dhcp/dhcpd.conf
     owner: root
     group: root
@@ -59,7 +70,7 @@
 
 - name: Copy unbound.conf
   template:
-    src: unbound.conf.j2
+    src: unbound/unbound.conf.j2
     dest: /etc/unbound/unbound.conf
     owner: root
     group: unbound
@@ -69,17 +80,16 @@
 
 - name: Copy unbound resolution files
   template:
-    src: "{{ item }}.j2"
+    src: "unbound/{{ item }}.j2"
     dest: /etc/unbound/local.d/{{ item }}
     owner: root
     group: unbound
     mode: '0640'
   loop:
-    - lan-name-resolution.conf
-    - plug-onion-addresses.conf
     - server.home.conf
-    - local.conf
     - home-lan.conf
+    - lan-name-resolution.conf
+    - plug-onion-addresses.conf
   notify:
     - Restart unbound
 
@@ -117,22 +127,16 @@
     ethernet: "{{ (ansible_interfaces | reject('search', 'podman') | list | sort)[0] }}"
 
 - name: Configure static IP on {{ ethernet }}
-  lineinfile:
-    path: /etc/sysconfig/network-scripts/ifcfg-{{ ethernet }}
-    regexp: "{{ item.regexp | default(omit) }}"
-    line: "{{ item.line }}"
-  loop:
-    - { regexp: 'BOOTPROTO=', line: 'BOOTPROTO="none"' }
-    - { regexp: 'IPADDR=', line: 'IPADDR="10.0.0.2"' }
-    - { regexp: 'PREFIX=', line: 'PREFIX="24"' }
-    - { regexp: 'GATEWAY=' ,line: 'GATEWAY="10.0.0.1"' }
-    - { regexp: 'DNS1=', line: 'DNS1="{{ dns_primary }}"' }
-    - { regexp: 'DNS2=', line: 'DNS2="{{ dns_secondary }}"' }
-    - { regexp: 'IPV4_FAILURE_FATAL=', line: 'IPV4_FAILURE_FATAL="yes"' }
-    - { regexp: 'IPV6INIT=', line: 'IPV6INIT="NO"' }
-    - { regexp: 'ZONE=', line: 'ZONE="home"' }
-  loop_control:
-    label: "{{ item.line }}"
+  nmcli:
+    conn_name: "{{ ethernet }}"
+    ifname: "{{ ethernet }}"
+    type: ethernet
+    state: present
+    ip4: "{{ gateway_server_ip }}"
+    gw4: "{{ actual_gateway_ip }}"
+    mtu: 9000
+    dns4:
+      - "{{ dns_primary }}"
+      - "{{ dns_secondary }}"
   notify:
     - Restart NetworkManager
-
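Review bot: The `nmcli` task that replaces the `lineinfile` loop drops two settings the old ifcfg file carried: `ZONE="home"` and `IPV6INIT="NO"`, so the interface falls back to NetworkManager's default firewalld zone and IPv6 stays enabled, which matters if the host's firewall rules are scoped to the `home` zone. The community.general `nmcli` module has `zone: home` and `method6: disabled` for exactly this; add them to the task body. Separately, `ip4: "{{ gateway_server_ip }}"` hands nmcli whatever the inventory value is, and an address without a prefix length is treated as /32, so if `gateway_server_ip` is a bare address (as its use in `option domain-name-servers` in dhcpd.conf.j2 suggests) the LAN route is lost; either store it with a prefix or pass `"{{ gateway_server_ip }}/24"` here. `mtu: 9000` is a new hard-coded jumbo-frame setting with no variable or comment; if every host on the segment is not jumbo-capable this silently breaks large packets, so a one-line comment or an `ethernet_mtu` default would help.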

+ 6 - 0
roles/name-resolution/templates/custom-service-autorestart.j2

@@ -0,0 +1,6 @@
+# {{ ansible_managed }}
+[Service]
+Restart=on-failure
+RestartSec=5s
+StartLimitIntervalSec=30
+StartLimitBurst=5
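Review bot: `StartLimitIntervalSec=` and `StartLimitBurst=` are documented as `[Unit]` section settings, but the drop-in places them under `[Service]`; systemd accepts some legacy spellings there for compatibility, but the intended rate limit may be ignored with an "unknown key" warning rather than applied, and the deleted dhcpd.service.j2/unbound.service.j2 had the same placement, so the behaviour was never exercised. Move the two lines under a `[Unit]` header in this file (`[Unit]` / `StartLimitIntervalSec=30` / `StartLimitBurst=5` before the `[Service]` block) and confirm with `systemd-analyze verify` on a rendered host. A comment such as `# drop-in applied to dhcpd and unbound via tasks/main.yml` at the top would also tell a reader where this file is consumed.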

+ 0 - 19
roles/name-resolution/templates/dhcpd.service.j2

@@ -1,19 +0,0 @@
-[Unit]
-Description=DHCPv4 Server Daemon
-Documentation=man:dhcpd(8) man:dhcpd.conf(5)
-Wants=network-online.target
-After=network-online.target
-After=time-sync.target
-
-[Service]
-Type=notify
-EnvironmentFile=-/etc/sysconfig/dhcpd
-ExecStart=/usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pid $DHCPDARGS
-StandardError=null
-Restart=on-failure
-RestartSec=5s
-StartLimitIntervalSec=30
-StartLimitBurst=5
-
-[Install]
-WantedBy=multi-user.target

+ 11 - 10
roles/name-resolution/templates/dhcpd.conf.j2 → roles/name-resolution/templates/dhcpd/dhcpd.conf.j2

@@ -15,23 +15,24 @@ option ms-classless-static-routes code 249 = array of integer 8;
 option rfc3442-classless-static-routes 24, 192, 168, 1, 10, 0, 0, 8, 0, 10, 0, 0, 1;
 option ms-classless-static-routes 24, 192, 168, 1, 10, 0, 0, 8, 0, 10, 0, 0, 1;
 
-subnet 10.0.0.0 netmask 255.255.255.0 {
+subnet {{ dhcp_cidr }} netmask {{ dhcp_netmask }} {
 
-  option routers 10.0.0.1;
+  option routers {{ dhcp_routers }};
 
-  option domain-name-servers 10.0.0.2, {{ dns_primary }}, {{ dns_secondary }};
+  option domain-name-servers {{ gateway_server_ip }}, {{ dns_primary }}, {{ dns_secondary }};
 
-  # WINS info for Windows capability
-  option netbios-name-servers 10.0.0.4;
-  option netbios-node-type 8; 
+  ## WINS info for Windows capability
+  #option netbios-name-servers 10.0.0.4;
+  #option netbios-node-type 8; 
 
   # Dynamic IPs
-  range 10.0.0.100 10.0.0.200;
+  range {{ dhcp_range_start }} {{ dhcp_range_end }};
 
   class "secured" {
-    option routers 10.0.0.2;
+    option routers {{ gateway_server_ip }};
 
     # 192.168.1.0/24 thru 10.0.0.8, 10.0.0.2 as default route
+    #option rfc3442-classless-static-routes 24, 192, 168, 1, 10, 0, 0, 8, 0, 10, 0, 0, 2;
     option rfc3442-classless-static-routes 24, 192, 168, 1, 10, 0, 0, 8, 0, 10, 0, 0, 2;
     option ms-classless-static-routes 24, 192, 168, 1, 10, 0, 0, 8, 0, 10, 0, 0, 2;
 
@@ -55,11 +56,11 @@ subnet 10.0.0.0 netmask 255.255.255.0 {
     match hardware;
   }
 
-{% for node in nodes %}
+{% for node in reservations %}
   subclass "{{ node.type }}" 1:{{ node.mac }}; # {{ node.name }}
 {% endfor %}
 
-{% for node in nodes %}
+{% for node in reservations %}
   host {{ node.name }}
   {
     hardware ethernet {{ node.mac }};
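Review bot: The subnet, router, DNS and pool values are now taken from `dhcp_cidr`, `dhcp_routers`, `dhcp_range_*` and `gateway_server_ip`, but the classless static routes in the unchanged context lines (`... 10, 0, 0, 8, 0, 10, 0, 0, 1;` at the top and `... 10, 0, 0, 2;` inside the `secured` class) still hard-code 10.0.0.1, 10.0.0.2 and the 10.0.0.8 next hop, so an inventory that moves off 10.0.0.0/24 will hand clients routes into the wrong network. The gateway part of the `secured` route can be derived, e.g. `option rfc3442-classless-static-routes 24, 192, 168, 1, 10, 0, 0, 8, 0, {{ gateway_server_ip | replace('.', ', ') }};`, and the 10.0.0.8 hop needs a variable of its own that the page does not show. The added `#option rfc3442-classless-static-routes ...` line is a commented copy of the line directly beneath it and should go. The trailing space after `#option netbios-node-type 8;` survived the edit.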

+ 1 - 1
roles/name-resolution/templates/hosts.j2

@@ -2,7 +2,7 @@
 ::1		localhost	localhost.localdomain	localhost6	localhost6.localdomain6
 
 # BEGIN ANSIBLE MANAGED BLOCK
-{% for node in nodes %}
+{% for node in reservations %}
 {{ node.ip }}	{{ node.name }}	{{ node.name }}.home	{{ node.name }}.home.lan
 {% endfor %}
 # END ANSIBLE MANAGED BLOCK

+ 0 - 9
roles/name-resolution/templates/local.conf.j2

@@ -1,9 +0,0 @@
-# {{ ansible_managed }}
-
-local-data: "local A 10.0.0.4"
-local-data-ptr: "10.0.0.4 local"
-
-{% for node in nodes %}
-local-data: "{{ node.name }}.local A {{ node.ip }}"
-local-data-ptr: "{{ node.ip }} {{ node.name }}.local"
-{% endfor %}

+ 0 - 23
roles/name-resolution/templates/unbound.service.j2

@@ -1,23 +0,0 @@
-[Unit]
-Description=Unbound recursive Domain Name Server
-After=network.target
-After=unbound-keygen.service
-Wants=unbound-keygen.service
-Wants=unbound-anchor.timer
-Before=nss-lookup.target
-Wants=nss-lookup.target
-
-[Service]
-Type=simple
-EnvironmentFile=-/etc/sysconfig/unbound
-ExecStartPre=/usr/sbin/unbound-checkconf
-ExecStartPre=-/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R
-ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS
-ExecReload=/usr/sbin/unbound-control reload
-Restart=on-failure
-RestartSec=5s
-StartLimitIntervalSec=30
-StartLimitBurst=5
-
-[Install]
-WantedBy=multi-user.target

+ 1 - 1
roles/name-resolution/templates/home-lan.conf.j2 → roles/name-resolution/templates/unbound/home-lan.conf.j2

@@ -3,7 +3,7 @@
 local-data: "home.lan A 10.0.0.4"
 local-data-ptr: "10.0.0.4 home.lan"
 
-{% for node in nodes %}
+{% for node in reservations %}
 local-data: "{{ node.name }}.home.lan A {{ node.ip }}"
 local-data-ptr: "{{ node.ip }} {{ node.name }}.home.lan"
 {% endfor %}

+ 1 - 1
roles/name-resolution/templates/lan-name-resolution.conf.j2 → roles/name-resolution/templates/unbound/lan-name-resolution.conf.j2

@@ -1,6 +1,6 @@
 # {{ ansible_managed }}
 
-{% for node in nodes %}
+{% for node in reservations %}
 local-data: "{{ node.name }} A {{ node.ip }}"
 local-data-ptr: "{{ node.ip }} {{ node.name }}"
 {% endfor %}

+ 0 - 0
roles/name-resolution/templates/plug-onion-addresses.conf.j2 → roles/name-resolution/templates/unbound/plug-onion-addresses.conf.j2


+ 2 - 2
roles/name-resolution/templates/server.home.conf.j2 → roles/name-resolution/templates/unbound/server.home.conf.j2

@@ -1,10 +1,10 @@
-{% for node in nodes %}
+{% for node in reservations %}
 {% if node['name'] == 'nas' %}
 local-data: "server.home A {{ node['ip'] }}"
 local-data-ptr: "{{ node['ip'] }} server.home"
 local-data: "www.server.home A {{ node['ip'] }}"
 local-data-ptr: "{{ node['ip'] }} www.server.home"
-{% for service in heimdall_services %}
+{% for service in server_home_subdomains %}
 local-data: "{{ service }}.server.home A {{ node['ip'] }}"
 local-data-ptr: "{{ node['ip'] }} {{ service }}.server.home"
 {% endfor %}

+ 3 - 1
roles/name-resolution/templates/unbound.conf.j2 → roles/name-resolution/templates/unbound/unbound.conf.j2

@@ -236,7 +236,9 @@ server:
 	# access-control: ::1 allow
 	# access-control: ::ffff:127.0.0.1 allow
 	access-control: 127.0.0.0/8 allow
-	access-control: 10.0.0.0/24 allow
+{% for cidr in allowed_access_cidrs %}
+	access-control: {{ cidr }} allow
+{% endfor %}
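Review bot: Each `allowed_access_cidrs` entry is interpolated straight into an `access-control:` line, and with the new default of `[]` the previous `10.0.0.0/24 allow` disappears, so a host that forgets the inventory override silently refuses every LAN query after the `Restart unbound` handler fires. Add an `assert` before the `Copy unbound.conf` task in tasks/main.yml that each entry matches a CIDR shape, e.g. `that: item is match('^[0-9a-fA-F:.]+/[0-9]+$')` with `loop: "{{ allowed_access_cidrs }}"`, which also rejects a value containing whitespace or a newline that would otherwise become extra unbound directives. A `# populated from allowed_access_cidrs; 127.0.0.0/8 is always allowed above` comment on the loop would help the next reader.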
 
 	# tag access-control with list of tags (in "" with spaces between)
 	# Clients using this access control element use localzones that