Add Consul DNS forwarding with dnsmasq

ansible/inventory/group_vars/prod.yml

@@ -35,6 +35,7 @@ consul_data_dir: "/opt/consul"
 consul_tls_dir: "{{ consul_data_dir }}/tls"
 consul_server_ip: "{{ server_ip }}"
 consul_ttl: "168h"
+consul_upstream_dns_address: ["192.168.86.49", "1.1.1.1"]
 setup_consul_watches: false
 
 # nomad

ansible/roles/consul/defaults/main.yml

@@ -3,6 +3,7 @@ consul_config_dir: "/etc/consul.d"
 consul_data_dir: "/opt/consul"
 consul_tls_dir: "{{ consul_data_dir }}/tls"
 consul_template_config_dir: "/etc/consul-template"
+consul_upstream_dns_address: ["1.1.1.1"]
 
 # server
 consul_server: true

ansible/roles/consul/tasks/dnsmasq.yml

@@ -0,0 +1,62 @@
+---
+- name: Install dnsmasq
+  apt:
+    name:
+      - dnsmasq
+    state: present
+
+- name: Remove resolvconf
+  apt:
+    name:
+      - resolvconf
+      - openresolv
+    state: absent
+
+- name: Allow ufw port 53
+  ufw:
+    rule: "allow"
+    port: 53
+
+- name: Disable systemd-resolved
+  systemd:
+    name: systemd-resolved
+    state: stopped
+    enabled: false
+
+- name: Write new /etc/resolv.conf
+  copy:
+    content: "nameserver 127.0.0.1"
+    dest: "/etc/resolv.conf"
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Copy dnsmasq config
+  template:
+    src: "dnsmasq.conf.j2"
+    dest: "/etc/dnsmasq.conf"
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Copy Consul dnsmasq forwarding config
+  copy:
+    content: |
+      server=/consul/127.0.0.1#8600
+      rev-server=10.0.0.0/8,127.0.0.1#8600
+    dest: "/etc/dnsmasq.d/10-consul"
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Start dnsmasq
+  systemd:
+    name: dnsmasq
+    state: started
+    enabled: true
+
+- name: Wait for port 53
+  wait_for:
+    port: 53
+    host: "{{ ansible_default_ipv4.address }}"
+    state: started

ansible/roles/consul/tasks/main.yml

@@ -1,4 +1,9 @@
 ---
+- name: Setup dnsmasq
+  become: true
+  import_tasks: dnsmasq.yml
+  when: consul_server | bool
+
 - name: Check for both Consul server and client enabled
   fail:
     msg: "Cannot setup both Consul server and client on the same node."

ansible/roles/consul/templates/dnsmasq.conf.j2

@@ -0,0 +1,4 @@
+listen-address={{ ansible_default_ipv4.address }},127.0.0.1
+{% for addr in consul_upstream_dns_address %}
+server={{ addr }}
+{% endfor %}

ansible/roles/coredns/templates/Corefile.j2

@@ -12,7 +12,7 @@
 }
 
 consul:{{ coredns_dns_port }} {
-  forward . 10.10.10.110:8600
+  forward . 10.10.10.110
   log
   errors
 }

docs/src/ansible/roles/consul.md

@@ -24,6 +24,7 @@ For encryption, the role creates consul-template templates for:
 | consul_data_dir | Data directory | string | `/opt/consul` |
 | consul_tls_dir | TLS files directory | string | `${consul_data_dir}/tls` |
 | consul_template_config_dir | consul-template configuration file | string | `/etc/consul-template` |
+| consul_upstream_dns_address | List of upstream DNS servers for dnsmasq | `["1.1.1.1"]` |
 | consul_server | Start Consul in server mode | bool | `true` |
 | consul_bootstrap_expect | (server only) The expected number of servers in a cluster | number | `1` |
 | consul_client | Start Consul in client mode | bool | `false` |