415 lines
10 KiB
YAML
415 lines
10 KiB
YAML
|
#!/usr/bin/env ansible-playbook
|
||
|
---
|
||
|
- hosts: ns-master.int.infra.auro.re
|
||
|
vars:
|
||
|
knotd__listen:
|
||
|
- address: 0.0.0.0
|
||
|
- address: "::"
|
||
|
knotd__keys:
|
||
|
xfr:
|
||
|
algorithm: hmac-sha512
|
||
|
secret: "{{ vault_knotd_xfr_key }}"
|
||
|
ksk-infra:
|
||
|
algorithm: hmac-sha512
|
||
|
secret: "{{ vault_knotd_ksk_infra_key }}"
|
||
|
update-acme-challenge:
|
||
|
algorithm: hmac-sha512
|
||
|
secret: "{{ vault_certbot_dns_secret }}"
|
||
|
knotd__remotes:
|
||
|
xfr-ns-1:
|
||
|
address: 10.128.0.199
|
||
|
key: xfr
|
||
|
xfr-ns-2:
|
||
|
address: 10.128.0.109
|
||
|
key: xfr
|
||
|
ksk-infra:
|
||
|
address: ::1
|
||
|
key: ksk-infra
|
||
|
knotd__policies:
|
||
|
public:
|
||
|
algorithm: ECDSAP256SHA256
|
||
|
reproducible_signing: true
|
||
|
# Je n'ai pas trouvé de façon de pousser les records automatiquement
|
||
|
# sur .re, donc pour éviter d'oublier de le faire manuellement, la
|
||
|
# KSK n'expire pas
|
||
|
ksk_lifetime: 0
|
||
|
zsk_lifetime: 30d
|
||
|
nsec3: true
|
||
|
infra:
|
||
|
algorithm: ECDSAP256SHA256
|
||
|
ksk_lifetime: 365d
|
||
|
zsk_lifetime: 30d
|
||
|
nsec3: on
|
||
|
ds-push: ksk-infra
|
||
|
cds-cdnskey-publish: rollover
|
||
|
ksk-submission: infra
|
||
|
ripe:
|
||
|
algorithm: ECDSAP256SHA256
|
||
|
ksk_lifetime: 365d
|
||
|
zsk_lifetime: 30d
|
||
|
nsec3: on
|
||
|
ds-push: ksk-ripe
|
||
|
cds-cdnskey-publish: rollover
|
||
|
ksk-submission: ripe
|
||
|
knotd__acl:
|
||
|
xfr:
|
||
|
addresses:
|
||
|
- 10.128.0.199
|
||
|
- 2a09:6840:128::199
|
||
|
- 10.128.0.109
|
||
|
- 2a09:6840:128::109
|
||
|
action: transfer
|
||
|
key: xfr
|
||
|
ksk-infra:
|
||
|
address:
|
||
|
- 127.0.0.1
|
||
|
- ::1
|
||
|
key: ksk-infra
|
||
|
action: update
|
||
|
update_types:
|
||
|
- DS
|
||
|
update_owner: name
|
||
|
update_owner_match: equal
|
||
|
update_owner_name:
|
||
|
- infra
|
||
|
update-acme-challenge:
|
||
|
key: update-acme-challenge
|
||
|
action: update
|
||
|
update_types:
|
||
|
- TXT
|
||
|
update_owner: name
|
||
|
update_owner_match: equal
|
||
|
update_owner_name:
|
||
|
- _acme-challenge.auro.re.
|
||
|
- _acme-challenge.mail.auro.re.
|
||
|
- _acme-challenge.smtp.auro.re.
|
||
|
- _acme-challenge.imap.auro.re.
|
||
|
- _acme-challenge.jitsi.auro.re.
|
||
|
knotd__queryacl:
|
||
|
local:
|
||
|
addresses:
|
||
|
- 10.0.0.0/8
|
||
|
knotd__soa_rname: root@auro.re.
|
||
|
# TODO: Netbox
|
||
|
knotd__hosts:
|
||
|
auro.re:
|
||
|
proxy-ovh:
|
||
|
- 92.222.211.195
|
||
|
horus:
|
||
|
- 92.23.218.136
|
||
|
ns-1:
|
||
|
- 45.66.111.30
|
||
|
- 2a09:6840:111::30
|
||
|
ns-2:
|
||
|
- 92.222.211.194
|
||
|
serge:
|
||
|
- 92.222.211.196
|
||
|
lama:
|
||
|
- 185.230.78.220
|
||
|
- 2a0c:700:12:0:67:e5ff:fee9:108
|
||
|
vpn-ovh:
|
||
|
- 92.222.211.197
|
||
|
passerelle:
|
||
|
- 45.66.111.254
|
||
|
- 2a09:6840:111::254
|
||
|
proxy:
|
||
|
- 45.66.111.61
|
||
|
- 2a09:6840:111::61
|
||
|
camelot:
|
||
|
- 45.66.111.59
|
||
|
- 2a09:6840:111::59
|
||
|
mail:
|
||
|
- 45.66.111.62
|
||
|
- 2a09:6840:111::62
|
||
|
galene:
|
||
|
- 45.66.111.65
|
||
|
- 2a09:6840:111::65
|
||
|
aclyas:
|
||
|
- 45.66.111.231
|
||
|
- 2a09:6840:111::231
|
||
|
jitsi:
|
||
|
- 45.66.111.55
|
||
|
- 2a09:6840:111::55
|
||
|
portail-fleming:
|
||
|
- 10.13.0.247
|
||
|
- 2a09:6840:13::247
|
||
|
portail-pacaterie:
|
||
|
- 10.23.0.247
|
||
|
- 2a09:6840:23::247
|
||
|
portail-rives:
|
||
|
- 10.33.0.247
|
||
|
- 2a09:6840:33::247
|
||
|
portail-edc:
|
||
|
- 10.43.0.247
|
||
|
- 2a09:6840:43::247
|
||
|
portail-gs:
|
||
|
- 10.53.0.247
|
||
|
- 2a09:6840:53::247
|
||
|
knotd__zones:
|
||
|
auro.re:
|
||
|
dnssec_policy: public
|
||
|
notify:
|
||
|
- xfr-ns-1
|
||
|
- xfr-ns-2
|
||
|
acl:
|
||
|
- update-acme-challenge
|
||
|
- ksk-infra
|
||
|
- xfr
|
||
|
soa:
|
||
|
mname: ns-master.int.infra
|
||
|
ns:
|
||
|
- target:
|
||
|
- ns-1
|
||
|
- ns-2
|
||
|
- name: infra
|
||
|
target:
|
||
|
- ns-1
|
||
|
- ns-2
|
||
|
- name: adm
|
||
|
target:
|
||
|
- serge
|
||
|
- lama
|
||
|
- name: ups
|
||
|
target:
|
||
|
- serge
|
||
|
- lama
|
||
|
- name: switch
|
||
|
target:
|
||
|
- serge
|
||
|
- lama
|
||
|
- name: borne
|
||
|
target:
|
||
|
- serge
|
||
|
- lama
|
||
|
mx:
|
||
|
- exchange: mail
|
||
|
preference: 5
|
||
|
- exchange: proxy-ovh
|
||
|
preference: 10
|
||
|
spf:
|
||
|
- data: v=spf1 mx -all
|
||
|
a:
|
||
|
- address: 92.222.211.195
|
||
|
cname:
|
||
|
- name:
|
||
|
- element
|
||
|
- riot
|
||
|
- auth
|
||
|
- rss
|
||
|
- codimd
|
||
|
- hedgedoc
|
||
|
- kanboard
|
||
|
- www
|
||
|
- pad
|
||
|
- privatebin
|
||
|
- zero
|
||
|
- paste
|
||
|
- hétérogénéité
|
||
|
target: proxy-ovh
|
||
|
- name:
|
||
|
- grafana
|
||
|
- netbox
|
||
|
- wiki
|
||
|
- matrix
|
||
|
- drone
|
||
|
- gitea
|
||
|
- re2o
|
||
|
- nextcloud
|
||
|
target: proxy
|
||
|
- name: intranet
|
||
|
target: re2o
|
||
|
- name:
|
||
|
- smtp
|
||
|
- imap
|
||
|
target: mail
|
||
|
hosts: "{{ knotd__hosts['auro.re'] }}"
|
||
|
infra.auro.re:
|
||
|
dnssec_policy: infra
|
||
|
notify:
|
||
|
- xfr-ns-1
|
||
|
- xfr-ns-2
|
||
|
acl:
|
||
|
- xfr
|
||
|
#queryacl: local
|
||
|
soa:
|
||
|
mname: ns-master.int
|
||
|
ns:
|
||
|
- target:
|
||
|
- ns-1.auro.re.
|
||
|
- ns-2.auro.re.
|
||
|
hosts:
|
||
|
services-1.ceph:
|
||
|
- 10.132.1.1
|
||
|
- "2a09:6840:132:1:1::"
|
||
|
services-2.ceph:
|
||
|
- 10.132.1.2
|
||
|
- "2a09:6840:132:1:2::"
|
||
|
services-3.ceph:
|
||
|
- 10.132.1.3
|
||
|
- "2a09:6840:132:1:3::"
|
||
|
ns-master.int:
|
||
|
- 10.128.0.110
|
||
|
- "2a09:6840:128:0::110"
|
||
|
ec-1.ups:
|
||
|
- 10.131.4.1
|
||
|
- 2a09:6840:131::4:1
|
||
|
ec-2.ups:
|
||
|
- 10.131.4.2
|
||
|
- 2a09:6840:131::4:2
|
||
|
108.66.45.in-addr.arpa:
|
||
|
dnssec_policy: ripe
|
||
|
notify:
|
||
|
- xfr-ns-1
|
||
|
- xfr-ns-2
|
||
|
acl:
|
||
|
- xfr
|
||
|
soa:
|
||
|
mname: ns-master.int.infra.auro.re.
|
||
|
ns:
|
||
|
- target:
|
||
|
- ns-1.auro.re.
|
||
|
- ns-2.auro.re.
|
||
|
109.66.45.in-addr.arpa:
|
||
|
dnssec_policy: ripe
|
||
|
notify:
|
||
|
- xfr-ns-1
|
||
|
- xfr-ns-2
|
||
|
acl:
|
||
|
- xfr
|
||
|
soa:
|
||
|
mname: ns-master.int.infra.auro.re.
|
||
|
ns:
|
||
|
- target:
|
||
|
- ns-1.auro.re.
|
||
|
- ns-2.auro.re.
|
||
|
110.66.45.in-addr.arpa:
|
||
|
dnssec_policy: ripe
|
||
|
notify:
|
||
|
- xfr-ns-1
|
||
|
- xfr-ns-2
|
||
|
acl:
|
||
|
- xfr
|
||
|
soa:
|
||
|
mname: ns-master.int.infra.auro.re.
|
||
|
ns:
|
||
|
- target:
|
||
|
- ns-1.auro.re.
|
||
|
- ns-2.auro.re.
|
||
|
111.66.45.in-addr.arpa:
|
||
|
dnssec_policy: ripe
|
||
|
notify:
|
||
|
- xfr-ns-1
|
||
|
- xfr-ns-2
|
||
|
acl:
|
||
|
- xfr
|
||
|
soa:
|
||
|
mname: ns-master.int.infra.auro.re.
|
||
|
ns:
|
||
|
- target:
|
||
|
- ns-1.auro.re.
|
||
|
- ns-2.auro.re.
|
||
|
ptr:
|
||
|
- name: "1"
|
||
|
target: x.auro.re.
|
||
|
- name: "2"
|
||
|
target: y.auro.re.
|
||
|
reverse_hosts: "{{ knotd__hosts['auro.re']
|
||
|
| ip_filter(['45.66.111.0/24'])
|
||
|
| add_origin_keys('auro.re.') }}"
|
||
|
4.8.6.9.0.a.2.ip6.arpa:
|
||
|
dnssec_policy: ripe
|
||
|
notify:
|
||
|
- xfr-ns-1
|
||
|
- xfr-ns-2
|
||
|
acl:
|
||
|
- xfr
|
||
|
soa:
|
||
|
mname: ns-master.int.infra.auro.re.
|
||
|
ns:
|
||
|
- target:
|
||
|
- ns-1.auro.re.
|
||
|
- ns-2.auro.re.
|
||
|
#reverse: "{{ nb_dns_reverse(ranges={'45.66.108.0/24'},
|
||
|
# vlan_suffixes=nb__dns_vlan_suffixes) }}"
|
||
|
#hosts: "{{ nb_dns_hosts(vlans={'int', 'ceph', 'ext', 'bmc'},
|
||
|
# vlan_suffixes=nb__dns_vlan_suffixes) }}"
|
||
|
#nb_dns__vlan_suffixes:
|
||
|
# external-services: ext.infra.auro.re.
|
||
|
# wifi-access-points: wifi.infra.auro.re.
|
||
|
# monitoring: monit.infra.auro.re.
|
||
|
# routers: rtr.infra.auro.re.
|
||
|
# services-ceph: ceph.infra.auro.re.
|
||
|
# ups: ups.infra.auro.re.
|
||
|
# switchs: sw.infra.auro.re.
|
||
|
# internal-services: int.infra.auro.re.
|
||
|
# bmc: bmc.infra.auro.re.
|
||
|
roles:
|
||
|
- knotd
|
||
|
|
||
|
- hosts:
|
||
|
- ns-1.auro.re
|
||
|
- ns-2.auro.re
|
||
|
vars:
|
||
|
knotd__listen:
|
||
|
- address: 0.0.0.0
|
||
|
- address: "::"
|
||
|
knotd__keys:
|
||
|
xfr:
|
||
|
algorithm: hmac-sha512
|
||
|
secret: "{{ vault_knotd_xfr_key }}"
|
||
|
knotd__remotes:
|
||
|
xfr-master:
|
||
|
address: 10.128.0.110
|
||
|
key: xfr
|
||
|
knotd__acl:
|
||
|
notify-master:
|
||
|
address:
|
||
|
- 10.128.0.110
|
||
|
- 2a09:6840:128::110
|
||
|
key: xfr
|
||
|
action: notify
|
||
|
knotd__queryacl:
|
||
|
local:
|
||
|
addresses:
|
||
|
- 10.0.0.0/8
|
||
|
knotd__zones:
|
||
|
auro.re:
|
||
|
dnssec_validation: false
|
||
|
acl:
|
||
|
- notify-master
|
||
|
master: xfr-master
|
||
|
infra.auro.re:
|
||
|
dnssec_validation: false
|
||
|
acl:
|
||
|
- notify-master
|
||
|
#queryacl: local
|
||
|
master: xfr-master
|
||
|
108.66.45.in-addr.arpa:
|
||
|
dnssec_validation: false
|
||
|
acl:
|
||
|
- notify-master
|
||
|
master: xfr-master
|
||
|
109.66.45.in-addr.arpa:
|
||
|
dnssec_validation: false
|
||
|
acl:
|
||
|
- notify-master
|
||
|
master: xfr-master
|
||
|
110.66.45.in-addr.arpa:
|
||
|
dnssec_validation: false
|
||
|
acl:
|
||
|
- notify-master
|
||
|
master: xfr-master
|
||
|
111.66.45.in-addr.arpa:
|
||
|
dnssec_validation: false
|
||
|
acl:
|
||
|
- notify-master
|
||
|
master: xfr-master
|
||
|
4.8.6.9.0.a.2.ip6.arpa:
|
||
|
dnssec_validation: false
|
||
|
acl:
|
||
|
- notify-master
|
||
|
master: xfr-master
|
||
|
roles:
|
||
|
- knotd
|
||
|
...
|