Markus Lindenberg 9 anni fa
parent
commit
4eceefe40f

+ 3 - 2
roles/mesh-vpn-fastd/tasks/fastd.yml

@@ -30,5 +30,6 @@
   with_items: "{{fastd_instances}}"
   notify: Restart fastd
 
-- name: Autostart fastd
-  service: name=fastd enabled=yes state=started
+- name: Ensure fastd is enabled
+  service: name=fastd enabled=yes
+  notify: Restart fastd
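Review bot: Dropping `state=started` from the service task means fastd is only started when this task itself reports a change (the enabled flag flipping) and the `Restart fastd` handler runs; on a host where the unit is already enabled but stopped, and nothing earlier in the play changed, the role now leaves it down. Keeping both attributes is still idempotent and does not conflict with the notify: `service: name=fastd enabled=yes state=started`. The same applies to `Ensure unbound is enabled` in roles/service-dns/tasks/main.yml in this commit. The tasks preceding this hunk (the `with_items` loop at the top) start outside it.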

+ 0 - 7
roles/service-dns/defaults/main.yml

@@ -1,7 +0,0 @@
----
-# defaults file for ff-dns
-
-ffruhr_update_server: 2a03:2260:50:1::14
-ffruhr_dns_servers:
-- 85.14.255.33
-- 151.80.64.190

+ 0 - 1
roles/service-dns/handlers/main.yml

@@ -1,5 +1,4 @@
 ---
-# handlers file for ff-dns
 
 - name: Restart unbound
   service: name=unbound state=restarted

+ 7 - 16
roles/service-dns/tasks/main.yml

@@ -1,21 +1,12 @@
 ---
-# tasks file for ff-dns
 
 - name: Ensure unbound is installed
-  apt: name=unbound state=present update_cache=yes cache_valid_time=3600
+  apt: name=unbound
 
-- name: Ensure unbound config already exists
-  file: dest=/etc/unbound/unbound.conf.d state=directory recurse=yes
+- name: Install unbound configuration
+  template: src=unbound.conf.j2 dest=/etc/unbound/unbound.conf.d/supernode.conf
+  notify: Restart unbound
 
-- name: Install unbound configs
-  template: src={{item.src}} dest={{item.dest}}
-  with_items:
-  - src: unbound.conf.j2
-    dest: /etc/unbound/unbound.conf
-  - src: unbound-supernode.conf.j2
-    dest: /etc/unbound/unbound.conf.d/supernode.conf
-  notify:
-  - Restart unbound
-
-- name: Ensure unbound is started and enabled
-  service: name=unbound state=started enabled=yes
+- name: Ensure unbound is enabled
+  service: name=unbound enabled=yes
+  notify: Restart unbound
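Review bot: The task that created `/etc/unbound/unbound.conf.d` is removed, yet the template task still writes into that directory, so the role now depends on the unbound package shipping both the directory and an `unbound.conf` that includes `*.conf` from it (the Debian default the commit deletes from unbound.conf.j2 had exactly that `include:` line) — worth confirming on a fresh host, or keeping a `file: dest=/etc/unbound/unbound.conf.d state=directory` task. The `apt: name=unbound` line also drops `update_cache=yes cache_valid_time=3600`; if no earlier play refreshes the cache, installation on a freshly provisioned host may fail on a stale index. A one-line comment above the template task such as `# server config lives in conf.d; the package-provided unbound.conf includes it` would record the assumption.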

+ 0 - 29
roles/service-dns/templates/unbound-supernode.conf.j2

@@ -1,29 +0,0 @@
-server:
-  # Disables DNSSEC
-  module-config: "iterator"
-  interface: 0.0.0.0
-  interface: ::0
-{% if mesh_ipv4 is defined %}
-  access-control: {{mesh_ipv4|ipaddr('network')}} allow
-{% endif %}
-{% if mesh_ipv6 is defined %}
-  access-control: {{mesh_ipv6|ipaddr('network')}} allow
-{% endif %}
-  access-control: fe80::/10 allow
-
-local-zone: "services.ffdo.de." static
-{% for host in groups['supernodes'] %}
-{% if hostvars[host].mesh_ipv4 is defined %}
-local-data: "{{loop.index}}.ntp.services.ffdo.de. A {{hostvars[host].mesh_ipv4|ipaddr('address')}}"
-{% endif %}
-{% if hostvars[host].mesh_ipv6 is defined %}
-local-data: "{{loop.index}}.ntp.services.ffdo.de. AAAA {{hostvars[host].mesh_ipv6|ipaddr('address')}}"
-{% endif %}
-{% endfor %}
-local-data: "update.services.ffdo.de. AAAA {{ffruhr_update_server}}"
-
-forward-zone:
-  name: .
-{% for dns in ffruhr_dns_servers %}
-  forward-addr: {{dns}}
-{% endfor %}

+ 25 - 10
roles/service-dns/templates/unbound.conf.j2

@@ -1,10 +1,25 @@
-# Unbound configuration file for Debian.
-#
-# See the unbound.conf(5) man page.
-#
-# See /usr/share/doc/unbound/examples/unbound.conf for a commented
-# reference config file.
-#
-# The following line includes additional configuration files from the
-# /etc/unbound/unbound.conf.d directory.
-include: "/etc/unbound/unbound.conf.d/*.conf"
+server:
+	# Disables DNSSEC
+	module-config: "iterator"
+	interface: 0.0.0.0
+	interface: ::0
+	access-control: {{ipv4_network}} allow
+	access-control: {{ipv6_network}} allow
+	access-control: fe80::/10 allow
+
+local-zone: "services.ffdo.de." static
+{% for host in groups['supernodes'] %}
+local-data: "{{loop.index}}.ntp.services.ffdo.de. A {{hostvars[host].mesh_ipv4|ipaddr('address')}}"
+local-data: "{{loop.index}}.ntp.services.ffdo.de. AAAA {{hostvars[host].mesh_ipv6|ipaddr('address')}}"
+{% endfor %}
+{% for host in groups['supernodes'] %}
+local-data: "ntp.services.ffdo.de. A {{hostvars[host].mesh_ipv4|ipaddr('address')}}"
+local-data: "ntp.services.ffdo.de. AAAA {{hostvars[host].mesh_ipv6|ipaddr('address')}}"
+{% endfor %}
+local-data: "update.services.ffdo.de. AAAA {{update_server}}"
+
+forward-zone:
+	name: .
+{% for forwarder in forwarders %}
+	forward-addr: {{forwarder}}
+{% endfor %}
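Review bot: The `is defined` guards from the deleted supernode template are gone: `access-control: {{ipv6_network}} allow` is rendered unconditionally, and both `groups['supernodes']` loops dereference `hostvars[host].mesh_ipv6` for every host, so a single supernode without an IPv6 mesh address (or a host group without `ipv6_network`) fails the whole template, while ntp.conf.j2 in the same commit still treats IPv6 as optional. The deleted defaults file defined `ffruhr_update_server` and `ffruhr_dns_servers`, but the new names `update_server` and `forwarders` are not defined anywhere in this commit, so they presumably come from inventory or group vars — verify before enabling the role in site.yml. ntp.conf.j2 applies `|ipaddr('network')` to `ipv4_network`/`ipv6_network` whereas this template inserts them raw; if those variables can carry host bits, apply the same filter here. Restoring the guards looks like this (the second loop needs the same treatment):

```jinja
server:
{# … unchanged: module-config / interface lines … #}
	access-control: {{ipv4_network}} allow
{% if ipv6_network is defined %}
	access-control: {{ipv6_network}} allow
{% endif %}
	access-control: fe80::/10 allow
{# … unchanged: local-zone … #}
{% for host in groups['supernodes'] %}
{% if hostvars[host].mesh_ipv4 is defined %}
local-data: "{{loop.index}}.ntp.services.ffdo.de. A {{hostvars[host].mesh_ipv4|ipaddr('address')}}"
{% endif %}
{% if hostvars[host].mesh_ipv6 is defined %}
local-data: "{{loop.index}}.ntp.services.ffdo.de. AAAA {{hostvars[host].mesh_ipv6|ipaddr('address')}}"
{% endif %}
{% endfor %}
{# … unchanged: second supernodes loop (same guards), update_server record, forward-zone … #}
```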

+ 4 - 0
roles/service-ntp/handlers/main.yml

@@ -0,0 +1,4 @@
+---
+
+- name: Restart ntpd
+  service: name=ntp state=restarted

+ 3 - 5
roles/service-ntp/tasks/main.yml

@@ -1,10 +1,8 @@
 ---
 
-- name: Make sure necessary tools are installed
-  apt: name={{item}} state=present update_cache=yes cache_valid_time=3600
-  with_items:
-  - ntp
+- name: Ensure ntp is installed
+  apt: name=ntp
 
 - name: Install ntp.conf
   template: src=ntp.conf.j2 dest=/etc/ntp.conf
-
+  notify: Restart ntpd
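Review bot: Unlike the fastd and unbound roles touched in this commit, nothing here ensures the ntp service is enabled or running; the new `Restart ntpd` handler only fires when ntp.conf changes, so a host whose config is already current but whose service is stopped or disabled stays that way. Add a task after the template step, e.g. `- name: Ensure ntp is enabled` / `  service: name=ntp enabled=yes state=started`. The `apt: name=ntp` line also loses `update_cache`/`cache_valid_time`, which may matter on a fresh host if no earlier play refreshes the index.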

+ 2 - 2
roles/service-ntp/templates/ntp.conf.j2

@@ -53,9 +53,9 @@ restrict 127.0.0.1
 restrict ::1
 
 # allow from ff-do-subnets
-restrict {{mesh_ipv4|ipaddr('network')}} mask {{mesh_ipv4|ipaddr('netmask')}} kod notrap nomodify nopeer noquery
+restrict {{ipv4_network|ipaddr('network')}} mask {{ipv4_network|ipaddr('netmask')}} kod notrap nomodify nopeer noquery
 {% if mesh_ipv6 is defined %}
-restrict {{mesh_ipv6|ipaddr('network')}} mask {{mesh_ipv6|ipaddr('netmask')}} kod notrap nomodify nopeer noquery
+restrict {{ipv6_network|ipaddr('network')}} mask {{ipv6_network|ipaddr('netmask')}} kod notrap nomodify nopeer noquery
 {% endif %}
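Review bot: The IPv6 restrict line now reads `ipv6_network`, but the surrounding guard still tests `mesh_ipv6 is defined`, so the condition and the value it protects refer to different variables: with `mesh_ipv6` set and `ipv6_network` unset, rendering fails, and with the reverse the mesh IPv6 subnet silently gets no `restrict` entry and falls under whatever default restriction is configured above this hunk. Change the guard to `{% if ipv6_network is defined %}`, and consider guarding the IPv4 line the same way for consistency. The rest of ntp.conf.j2, including the default restrict lines, lies outside the hunk.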
 
 # Clients from this (example!) subnet have unlimited access, but only if

+ 2 - 2
site.yml

@@ -14,8 +14,8 @@
     - mesh-vpn-fastd
 #     - gateway-peering
 #     - gateway-nat
-#     - service-dns
-#     - service-ntp
+    - service-dns
+    - service-ntp
 #     - service-ra
 #     - service-dhcp