ADD DNSDist(DoH DoT) service

DNSservice.yml

@@ -0,0 +1,16 @@
+
+---
+- hosts: test
+  roles:
+    - common
+    - ssl-cert
+    - unbound
+    - dnsdist
+    # déclaration de la variables globales
+  vars:
+    email: votre_email
+    cthostname: nom_du_conteneur
+    domain: nom_de_domaine
+    create_user: false
+    installCertbot: false
+  

roles/dnsdist/files/dnsdist.conf

@@ -0,0 +1,29 @@
+addACL('0.0.0.0/0')
+-- addACL('::/0')
+
+addLocal('0.0.0.0:53',{doTCP=true, reusePort=true, tcpFastOpenSize=0}) 
+addTLSLocal("0.0.0.0", "__SSL_CRT__", "__SSL_KEY__",{ doTCP=true, reusePort=true, tcpFastOpenSize=X })      
+-- path for certs and listen address for DoT ipv4 , by default listens on port 853. Set X(int) for tcp fast open queue size.
+-- addTLSLocal("[::]", "__SSL_CRT__", "__SSL_KEY__",{ doTCP=true, reusePort=true, tcpFastOpenSize=X })         
+-- path for certs and listen address for DoT ipv6 , by default listens on port 853. Set X(int) for tcp fast open queue size.
+
+
+
+addDOHLocal("0.0.0.0:443", "__SSL_CRT__", "__SSL_KEY__", "/", { doTCP=true, reusePort=true, tcpFastOpenSize=X })        
+addDOHLocal("[::]:443", "__SSL_CRT__", "__SSL_KEY__", "/", { doTCP=true, reusePort=true, tcpFastOpenSize=X })        
+-- path for certs and listen address for DoH. Set X(int) for tcp fast open queue size.
+
+addAction(MaxQPSIPRule(20), DropAction())    -- set X(int) number of queries to be allowed per second from a IP
+addAction(AndRule({QTypeRule(DNSQType.ANY), TCPRule(false)}), DropAction())  -- drop ANY queries sent over udp , not useful for DoT and DoH only servers.
+
+pc = newPacketCache(10000, {maxTTL=86400, minTTL=0, temporaryFailureTTL=60, staleTTL=60, dontAge=false}) 
+getPool(""):setCache(pc)              -- deafult cache
+setServerPolicy(leastOutstanding)       -- server policy to choose the downstream servers for recursion
+
+newServer({address="127.0.0.1:5335", name="unbound"})     -- downstream servers for recursion
+
+
+setMaxUDPOutstanding(65535)
+--setMaxTCPConnectionDuration(X)      -- set X(int) for tcp connection duaration from a connected client. X is number of seconds.
+setMaxTCPConnectionsPerClient(110)    -- set X(int) for number of tcp connections from a single client. Useful for rate limiting the concurrent connections.
+

roles/dnsdist/tasks/main.yml

@@ -0,0 +1,81 @@
+---
+- name: Install dnsdist
+  apt:
+    name: 
+      - dnsdist
+      - acl
+    state: present
+
+- name: Allow DoT connexions
+  ufw:
+    rule: allow
+    port: 853
+    proto: tcp
+
+- name: Allow DoH connexions
+  ufw:
+    rule: allow
+    port: 443
+    proto: tcp
+    
+- name: Allow DNS connexions
+  ufw: 
+    rule: allow
+    port: 53
+    proto: any
+
+- name: Copy Configuration file for DNSdist
+  ansible.builtin.copy:
+    src: dnsdist.conf
+    dest: /etc/dnsdist/dnsdist.conf
+    owner: root
+    group: root
+    mode: '0644'
+
+
+- name: Add SSL keys to dnsdist.conf
+  ansible.builtin.replace:
+    path: /etc/dnsdist/dnsdist.conf
+    regexp: '__SSL_CRT__'
+    replace: '/etc/ssl/{{ domain}}.crt'
+  when: installCertbot == false
+
+- name: Add SSL keys to dnsdist.conf
+  ansible.builtin.replace:
+    path: /etc/dnsdist/dnsdist.conf
+    regexp: '__SSL_KEY__'
+    replace: '/etc/ssl/{{ domain}}.key'
+  when: installCertbot == false
+
+- name: permission to ssl cert 
+  shell: |
+    setfacl -R -m u:_dnsdist:rx /etc/ssl/"{{ domain }}".key
+    setfacl -R -m u:_dnsdist:rx /etc/ssl/"{{ domain }}".crt
+  when: installCertbot == false
+
+
+
+- name: Add SSL keys to dnsdist.conf
+  ansible.builtin.replace:
+    path: /etc/dnsdist/dnsdist.conf
+    regexp: '__SSL_CRT__'
+    replace: '/etc/letsencrypt/{{ domain}}/fullchain.pem'
+  when: installCertbot == true
+
+- name: Add SSL keys to dnsdist.conf
+  ansible.builtin.replace:
+    path: /etc/dnsdist/dnsdist.conf
+    regexp: '__SSL_KEY__'
+    replace: '/etc/letsencrypt/{{ domain}}/privkey.pem'
+  when: installCertbot == true
+
+- name: Set permission letsencrypt SSL keys 
+  shell: setfacl -R -m u:_dnsdist:rx /etc/letsencrypt/
+  when: installCertbot == true
+
+- name: Start dnsdist service
+  shell: "systemctl start dnsdist"
+
+
+- name: Enable systemd service
+  shell: "systemctl enable dnsdist"

roles/mastodon/files/mastodon-clean

@@ -0,0 +1,17 @@
+#!/bin/bash -e
+
+cd /home/mastodon/live;
+export PATH="$HOME/.rbenv/bin:$PATH";
+eval "$(rbenv init -)";
+echo "Nettoyage du cache";
+RAILS_ENV=production /home/mastodon/live/bin/tootctl cache clear;
+
+
+echo "Nettoyage du cache des médias consultés agé de plus de 5 jours";
+RAILS_ENV=production /home/mastodon/live/bin/tootctl media remove --days 5;
+
+echo "Nettoyage du cache des prévisualisations agées de plus de 14 jours";
+RAILS_ENV=production /home/mastodon/live/bin/tootctl preview_cards remove --days 14;
+
+echo "Nettoyage des médias orphelins";
+RAILS_ENV=production /home/mastodon/live/bin/tootctl media remove-orphans;

roles/unbound/files/resolver.conf

@@ -0,0 +1,10 @@
+server:
+        port: 5335
+        interface: 127.0.0.1
+        do-ip4: yes
+        do-ip6: yes
+        access-control: 127.0.0.1/8 allow
+        hide-identity: yes
+        prefetch: yes
+        prefetch-key: yes
+        auto-trust-anchor-file: "/var/lib/unbound/root.key"

roles/unbound/tasks/main.yml

@@ -0,0 +1,22 @@
+---
+
+- name: install unbound DNS server
+  apt: 
+    name: unbound
+    state: present
+
+
+
+- name: Copy Configuration file for unbound
+  ansible.builtin.copy:
+    src: resolver.conf
+    dest: /etc/unbound/unbound.conf
+    owner: root
+    group: root
+    mode: '0644'
+
+  
+- name: Enable and start unbound service
+  shell: |
+    systemctl enable unbound
+    systemctl restart unbound