ansible/playbooks/knotd.yml

#!/usr/bin/env ansible-playbook
---
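# Primary server. It holds the DNSSEC signing keys and the TSIG keys and is
# not listed in any NS set below; the public NS are ns-1/ns-2 (second play).
- hosts: ns-master.int.infra.auro.re
  vars:
    # Listens on every interface. knotd__queryacl.local (10.0.0.0/8) is
    # defined further down but every `queryacl: local` reference is commented
    # out, so nothing in this file restricts who may query the primary.
    knotd__listen:
      - address: 0.0.0.0
      - address: "::"
    # TSIG keys; secrets come from the vault, never from this file.
    knotd__keys:
      xfr:
        algorithm: hmac-sha512
        secret: "{{ vault_knotd_xfr_key }}"
      ksk-infra:
        algorithm: hmac-sha512
        secret: "{{ vault_knotd_ksk_infra_key }}"
      update-acme-challenge:
        algorithm: hmac-sha512
        secret: "{{ vault_certbot_dns_secret }}"
    knotd__remotes:
      xfr-ns-1:
        address: 10.128.0.199
        key: xfr
      xfr-ns-2:
        address: 10.128.0.109
        key: xfr
      # Loopback target used by the `infra` policy to push DS records into
      # the parent zone (auro.re) served by this same instance.
      ksk-infra:
        address: "::1"
        key: ksk-infra
    knotd__policies:
      public:
        algorithm: ECDSAP256SHA256
        reproducible_signing: true
        # No way was found to push DS records to the .re parent
        # automatically, so to avoid forgetting the manual step the KSK
        # never expires (0 = no scheduled KSK rollover). A KSK compromise
        # therefore requires a manual DS change at the registrar.
        ksk_lifetime: 0
        zsk_lifetime: 30d
        nsec3: true
      infra:
        algorithm: ECDSAP256SHA256
        ksk_lifetime: 365d
        zsk_lifetime: 30d
        nsec3: true
        ds-push: ksk-infra
        cds-cdnskey-publish: rollover
        ksk-submission: infra
      ripe:
        algorithm: ECDSAP256SHA256
        ksk_lifetime: 365d
        zsk_lifetime: 30d
        nsec3: true
        # NOTE(review): `ksk-ripe` is not defined in knotd__remotes above
        # (only ksk-infra is). Confirm the role resolves it, otherwise the
        # yearly KSK rollover of the reverse zones has no DS push target.
        ds-push: ksk-ripe
        cds-cdnskey-publish: rollover
        ksk-submission: ripe
    knotd__acl:
      # Zone transfers: restricted to the two secondaries AND the xfr key.
      xfr:
        addresses:
          - 10.128.0.199
          - 2a09:6840:128::199
          - 10.128.0.109
          - 2a09:6840:128::109
        action: transfer
        key: xfr
      # DS updates for the infra.auro.re delegation, loopback only.
      # NOTE(review): this uses `address` while the xfr ACL uses `addresses`;
      # confirm the role accepts both spellings, otherwise the loopback
      # restriction may be silently dropped and the ACL becomes key-only.
      ksk-infra:
        address:
          - 127.0.0.1
          - "::1"
        key: ksk-infra
        action: update
        update_types:
          - DS
        update_owner: name
        update_owner_match: equal
        update_owner_name:
          - infra
      # Key-only ACL (no source address restriction): any client holding the
      # certbot TSIG secret may rewrite the TXT records of the owners listed
      # below, and nothing else.
      update-acme-challenge:
        key: update-acme-challenge
        action: update
        update_types:
          - TXT
        update_owner: name
        update_owner_match: equal
        update_owner_name:
          - _acme-challenge.auro.re.
          - _acme-challenge.mail.auro.re.
          - _acme-challenge.smtp.auro.re.
          - _acme-challenge.imap.auro.re.
          - _acme-challenge.jitsi.auro.re.
    knotd__queryacl:
      local:
        addresses:
          - 10.0.0.0/8
    knotd__soa_rname: root@auro.re.
    # TODO: Netbox
    knotd__hosts:
      auro.re:
        proxy-ovh:
          - 92.222.211.195
        horus:
          - 92.23.218.136
        ns-1:
          - 45.66.111.30
          - 2a09:6840:111::30
        ns-2:
          - 92.222.211.194
        serge:
          - 92.222.211.196
        lama:
          - 185.230.78.220
          - 2a0c:700:12:0:67:e5ff:fee9:108
        vpn-ovh:
          - 92.222.211.197
        passerelle:
          - 45.66.111.254
          - 2a09:6840:111::254
        proxy:
          - 45.66.111.61
          - 2a09:6840:111::61
        camelot:
          - 45.66.111.59
          - 2a09:6840:111::59
        mail:
          - 45.66.111.62
          - 2a09:6840:111::62
        galene:
          - 45.66.111.65
          - 2a09:6840:111::65
        aclyas:
          - 45.66.111.231
          - 2a09:6840:111::231
        jitsi:
          - 45.66.111.55
          - 2a09:6840:111::55
        # NOTE(review): the portail-* entries publish RFC 1918 addresses in
        # the public auro.re zone (this map is the zone's `hosts`). Confirm
        # that exposing internal addressing is intended.
        portail-fleming:
          - 10.13.0.247
          - 2a09:6840:13::247
        portail-pacaterie:
          - 10.23.0.247
          - 2a09:6840:23::247
        portail-rives:
          - 10.33.0.247
          - 2a09:6840:33::247
        portail-edc:
          - 10.43.0.247
          - 2a09:6840:43::247
        portail-gs:
          - 10.53.0.247
          - 2a09:6840:53::247
    knotd__zones:
      auro.re:
        dnssec_policy: public
        notify:
          - xfr-ns-1
          - xfr-ns-2
        acl:
          - update-acme-challenge
          - ksk-infra
          - xfr
        soa:
          mname: ns-master.int.infra
        ns:
          - target:
              - ns-1
              - ns-2
          - name: infra
            target:
              - ns-1
              - ns-2
          - name: adm
            target:
              - serge
              - lama
          - name: ups
            target:
              - serge
              - lama
          - name: switch
            target:
              - serge
              - lama
          - name: borne
            target:
              - serge
              - lama
        mx:
          - exchange: mail
            preference: 5
          - exchange: proxy-ovh
            preference: 10
        spf:
          - data: v=spf1 mx -all
        a:
          - address: 92.222.211.195
        cname:
          - name:
              - element
              - riot
              - auth
              - rss
              - codimd
              - hedgedoc
              - kanboard
              - www
              - pad
              - privatebin
              - zero
              - paste
              # Non-ASCII owner name; confirm the role emits its IDNA
              # (punycode) form, since the wire format is ASCII only.
              - hétérogénéité
            target: proxy-ovh
          - name:
              - grafana
              - netbox
              - wiki
              - matrix
              - drone
              - gitea
              - re2o
              - nextcloud
            target: proxy
          - name: intranet
            target: re2o
          - name:
              - smtp
              - imap
            target: mail
        hosts: "{{ knotd__hosts['auro.re'] }}"
      infra.auro.re:
        dnssec_policy: infra
        notify:
          - xfr-ns-1
          - xfr-ns-2
        acl:
          - xfr
        #queryacl: local
        soa:
          mname: ns-master.int
        ns:
          - target:
              - ns-1.auro.re.
              - ns-2.auro.re.
        hosts:
          services-1.ceph:
            - 10.132.1.1
            - "2a09:6840:132:1:1::"
          services-2.ceph:
            - 10.132.1.2
            - "2a09:6840:132:1:2::"
          services-3.ceph:
            - 10.132.1.3
            - "2a09:6840:132:1:3::"
          ns-master.int:
            - 10.128.0.110
            - "2a09:6840:128:0::110"
          ec-1.ups:
            - 10.131.4.1
            - 2a09:6840:131::4:1
          ec-2.ups:
            - 10.131.4.2
            - 2a09:6840:131::4:2
      # Reverse zones for 45.66.108.0/22, signed with the `ripe` policy.
      108.66.45.in-addr.arpa:
        dnssec_policy: ripe
        notify:
          - xfr-ns-1
          - xfr-ns-2
        acl:
          - xfr
        soa:
          mname: ns-master.int.infra.auro.re.
        ns:
          - target:
              - ns-1.auro.re.
              - ns-2.auro.re.
      109.66.45.in-addr.arpa:
        dnssec_policy: ripe
        notify:
          - xfr-ns-1
          - xfr-ns-2
        acl:
          - xfr
        soa:
          mname: ns-master.int.infra.auro.re.
        ns:
          - target:
              - ns-1.auro.re.
              - ns-2.auro.re.
      110.66.45.in-addr.arpa:
        dnssec_policy: ripe
        notify:
          - xfr-ns-1
          - xfr-ns-2
        acl:
          - xfr
        soa:
          mname: ns-master.int.infra.auro.re.
        ns:
          - target:
              - ns-1.auro.re.
              - ns-2.auro.re.
      111.66.45.in-addr.arpa:
        dnssec_policy: ripe
        notify:
          - xfr-ns-1
          - xfr-ns-2
        acl:
          - xfr
        soa:
          mname: ns-master.int.infra.auro.re.
        ns:
          - target:
              - ns-1.auro.re.
              - ns-2.auro.re.
        ptr:
          - name: "1"
            target: x.auro.re.
          - name: "2"
            target: y.auro.re.
        # PTRs derived from the public hosts map, limited to 45.66.111.0/24.
        reverse_hosts: "{{ knotd__hosts['auro.re']
          | ip_filter(['45.66.111.0/24'])
          | add_origin_keys('auro.re.') }}"
      # NOTE(review): seven nibbles = 2a09:6840::/28. If the allocation is a
      # /32 the zone is 0.4.8.6.9.0.a.2.ip6.arpa; confirm against the RIPE
      # delegation.
      4.8.6.9.0.a.2.ip6.arpa:
        dnssec_policy: ripe
        notify:
          - xfr-ns-1
          - xfr-ns-2
        acl:
          - xfr
        soa:
          mname: ns-master.int.infra.auro.re.
        ns:
          - target:
              - ns-1.auro.re.
              - ns-2.auro.re.
        #reverse: "{{ nb_dns_reverse(ranges={'45.66.108.0/24'},
        #                            vlan_suffixes=nb__dns_vlan_suffixes) }}"
        #hosts: "{{ nb_dns_hosts(vlans={'int', 'ceph', 'ext', 'bmc'},
        #                        vlan_suffixes=nb__dns_vlan_suffixes) }}"
      #nb_dns__vlan_suffixes:
      #  external-services: ext.infra.auro.re.
      #  wifi-access-points: wifi.infra.auro.re.
      #  monitoring: monit.infra.auro.re.
      #  routers: rtr.infra.auro.re.
      #  services-ceph: ceph.infra.auro.re.
      #  ups: ups.infra.auro.re.
      #  switchs: sw.infra.auro.re.
      #  internal-services: int.infra.auro.re.
      #  bmc: bmc.infra.auro.re.
  roles:
    - knotd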
# Public secondaries. They only accept NOTIFY from the primary and pull every
# zone from it over TSIG-authenticated transfers; they hold no signing keys.
- hosts:
    - ns-1.auro.re
    - ns-2.auro.re
  vars:
    knotd__listen:
      - address: 0.0.0.0
      - address: "::"
    # Same transfer key as the primary, from the vault.
    knotd__keys:
      xfr:
        algorithm: hmac-sha512
        secret: "{{ vault_knotd_xfr_key }}"
    knotd__remotes:
      xfr-master:
        key: xfr
        address: 10.128.0.110
    knotd__acl:
      # NOTIFY is accepted only from the primary's addresses with the xfr key.
      # NOTE(review): `address` here vs `addresses` in knotd__queryacl below;
      # confirm the role accepts both spellings.
      notify-master:
        action: notify
        key: xfr
        address:
          - 10.128.0.110
          - 2a09:6840:128::110
    # Defined but not referenced by any zone in this play.
    knotd__queryacl:
      local:
        addresses:
          - 10.0.0.0/8
    # Every zone is a plain secondary of xfr-master. Transfer integrity relies
    # on TSIG; DNSSEC validation of the received zone data is disabled.
    knotd__zones:
      auro.re:
        master: xfr-master
        acl:
          - notify-master
        dnssec_validation: false
      infra.auro.re:
        master: xfr-master
        acl:
          - notify-master
        #queryacl: local
        dnssec_validation: false
      108.66.45.in-addr.arpa:
        master: xfr-master
        acl:
          - notify-master
        dnssec_validation: false
      109.66.45.in-addr.arpa:
        master: xfr-master
        acl:
          - notify-master
        dnssec_validation: false
      110.66.45.in-addr.arpa:
        master: xfr-master
        acl:
          - notify-master
        dnssec_validation: false
      111.66.45.in-addr.arpa:
        master: xfr-master
        acl:
          - notify-master
        dnssec_validation: false
      # Seven nibbles = 2a09:6840::/28; must match the zone name used on the
      # primary and the RIPE delegation.
      4.8.6.9.0.a.2.ip6.arpa:
        master: xfr-master
        acl:
          - notify-master
        dnssec_validation: false
  roles:
    - knotd
...