Deploying K3s with Ansible - Part 6
Adding host overrides to OPNsense firewall
I use OPNsense as my firewall, DHCP, DNS server for my homelab. I’ve set an internal domain that I use so that when hosts pickup a DHCP address the hostname used in that exchange is added to the DNS records and it provided an FQDN. My Homelab however I want to use a different domain so there is where host overrides come in handy as a quick way to supply your internal DNS server with different domains without having to configure an entirely new system.
This can be done through the GUI of course, but since I am building the deployment automation with Ansible I might as well have a task for this as well. OPNsnse has an API, and also its own Ansible module, so check out these resources to learn more about OPNsense-API and OPNsense Ansible Module.
install-opnsense-host-overrides.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
- hosts: localhost
gather_facts: no
module_defaults:
group/ansibleguy.opnsense.all:
firewall: "{{ firewall_ip }}"
api_port: "{{ firewall_port }}"
api_key: "{{ opn_key }}"
api_secret: "{{ opn_secret }}"
ssl_verify: false
tasks:
- set_fact:
overrides:
- hostname: 'traefik'
- hostname: 'rancher'
- hostname: 'gitlab'
- hostname: 'registery'
- hostname: 'minio'
- hostname: 'kas'
- hostname: 'nautobot'
- name: Adding
ansibleguy.opnsense.unbound_host:
hostname: "{{ item.hostname }}"
domain: "{{ install_domain }}"
value: "{{ traefik_ip }}"
description: "k3s redirect"
reload: false
loop: "{{ overrides }}"
- name: Reloading
ansibleguy.opnsense.reload:
target: "unbound"
- Set the various required variables so that ansible can communicate with the firewall.
- Use set_fact to create a list of hostnames I want to override.
- Add the hostnames to the unbound DNS server on the firewall iterating through the overrides list.
- Reload the unbound service.
item.hostname is pulling from the overrides list from the set_fact. install_domain, and traefik_ip is set in the group_vars. Because we are using Traefik as our proxy we want to make sure that when going to traefik.example.com that unbound provides the IP of Traefik as the IP address. From there Traefik picks up the requested hostname in the headers and directs the inbound requests to the correct service inside the cluster.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
$ dig traefik.homelab.example.com
;; communications error to 127.0.0.53#53: timed out
; <<>> DiG 9.18.18-0ubuntu0.22.04.2-Ubuntu <<>> traefik.homelab.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3956
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;traefik.homelab.example.com. IN A
;; ANSWER SECTION:
traefik.homelab.example.com. 3600 IN A 192.168.30.80
;; Query time: 4 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Sat Mar 30 17:01:01 UTC 2024
;; MSG SIZE rcvd: 72