From b34c232904222333d809abbdd551e7a3f0c19d47 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Fri, 19 Aug 2022 05:00:28 +0200 Subject: [PATCH] playbooks: WIP: add knotd playbook --- playbooks/knotd.yml | 414 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 414 insertions(+) create mode 100755 playbooks/knotd.yml diff --git a/playbooks/knotd.yml b/playbooks/knotd.yml new file mode 100755 index 0000000..e28f686 --- /dev/null +++ b/playbooks/knotd.yml 
@@ -0,0 +1,414 @@ +#!/usr/bin/env ansible-playbook +--- +- hosts: ns-master.int.infra.auro.re + vars: + knotd__listen: + - address: 0.0.0.0 + - address: "::" + knotd__keys: + xfr: + algorithm: hmac-sha512 + secret: "{{ vault_knotd_xfr_key }}" + ksk-infra: + algorithm: hmac-sha512 + secret: "{{ vault_knotd_ksk_infra_key }}" + update-acme-challenge: + algorithm: hmac-sha512 + secret: "{{ vault_certbot_dns_secret }}" + knotd__remotes: + xfr-ns-1: + address: 10.128.0.199 + key: xfr + xfr-ns-2: + address: 10.128.0.109 + key: xfr + ksk-infra: + address: ::1 + key: ksk-infra + knotd__policies: + public: + algorithm: ECDSAP256SHA256 + reproducible_signing: true + # Je n'ai pas trouvé de façon de pousser les records automatiquement + # sur .re, donc pour éviter d'oublier de le faire manuellement, la + # KSK n'expire pas + ksk_lifetime: 0 + zsk_lifetime: 30d + nsec3: true + infra: + algorithm: ECDSAP256SHA256 + ksk_lifetime: 365d + zsk_lifetime: 30d + nsec3: on + ds-push: ksk-infra + cds-cdnskey-publish: rollover + ksk-submission: infra + ripe: + algorithm: ECDSAP256SHA256 + ksk_lifetime: 365d + zsk_lifetime: 30d + nsec3: on + ds-push: ksk-ripe + cds-cdnskey-publish: rollover + ksk-submission: ripe + knotd__acl: + xfr: + addresses: + - 10.128.0.199 + - 2a09:6840:128::199 + - 10.128.0.109 + - 2a09:6840:128::109 + action: transfer + key: xfr + ksk-infra: + address: + - 127.0.0.1 + - ::1 + key: ksk-infra + action: update + update_types: + - DS + update_owner: name + update_owner_match: equal + update_owner_name: + - infra + update-acme-challenge: + key: update-acme-challenge + action: update + update_types: + - TXT + update_owner: name + update_owner_match: equal + update_owner_name: + - _acme-challenge.auro.re. + - _acme-challenge.mail.auro.re. + - _acme-challenge.smtp.auro.re. + - _acme-challenge.imap.auro.re. + - _acme-challenge.jitsi.auro.re. + knotd__queryacl: + local: + addresses: + - 10.0.0.0/8 + knotd__soa_rname: root@auro.re. 
+ # TODO: Netbox + knotd__hosts: + auro.re: + proxy-ovh: + - 92.222.211.195 + horus: + - 92.23.218.136 + ns-1: + - 45.66.111.30 + - 2a09:6840:111::30 + ns-2: + - 92.222.211.194 + serge: + - 92.222.211.196 + lama: + - 185.230.78.220 + - 2a0c:700:12:0:67:e5ff:fee9:108 + vpn-ovh: + - 92.222.211.197 + passerelle: + - 45.66.111.254 + - 2a09:6840:111::254 + proxy: + - 45.66.111.61 + - 2a09:6840:111::61 + camelot: + - 45.66.111.59 + - 2a09:6840:111::59 + mail: + - 45.66.111.62 + - 2a09:6840:111::62 + galene: + - 45.66.111.65 + - 2a09:6840:111::65 + aclyas: + - 45.66.111.231 + - 2a09:6840:111::231 + jitsi: + - 45.66.111.55 + - 2a09:6840:111::55 + portail-fleming: + - 10.13.0.247 + - 2a09:6840:13::247 + portail-pacaterie: + - 10.23.0.247 + - 2a09:6840:23::247 + portail-rives: + - 10.33.0.247 + - 2a09:6840:33::247 + portail-edc: + - 10.43.0.247 + - 2a09:6840:43::247 + portail-gs: + - 10.53.0.247 + - 2a09:6840:53::247 + knotd__zones: + auro.re: + dnssec_policy: public + notify: + - xfr-ns-1 + - xfr-ns-2 + acl: + - update-acme-challenge + - ksk-infra + - xfr + soa: + mname: ns-master.int.infra + ns: + - target: + - ns-1 + - ns-2 + - name: infra + target: + - ns-1 + - ns-2 + - name: adm + target: + - serge + - lama + - name: ups + target: + - serge + - lama + - name: switch + target: + - serge + - lama + - name: borne + target: + - serge + - lama + mx: + - exchange: mail + preference: 5 + - exchange: proxy-ovh + preference: 10 + spf: + - data: v=spf1 mx -all + a: + - address: 92.222.211.195 + cname: + - name: + - element + - riot + - auth + - rss + - codimd + - hedgedoc + - kanboard + - www + - pad + - privatebin + - zero + - paste + - hétérogénéité + target: proxy-ovh + - name: + - grafana + - netbox + - wiki + - matrix + - drone + - gitea + - re2o + - nextcloud + target: proxy + - name: intranet + target: re2o + - name: + - smtp + - imap + target: mail + hosts: "{{ knotd__hosts['auro.re'] }}" + infra.auro.re: + dnssec_policy: infra + notify: + - xfr-ns-1 + - xfr-ns-2 + acl: + 
- xfr + #queryacl: local + soa: + mname: ns-master.int + ns: + - target: + - ns-1.auro.re. + - ns-2.auro.re. + hosts: + services-1.ceph: + - 10.132.1.1 + - "2a09:6840:132:1:1::" + services-2.ceph: + - 10.132.1.2 + - "2a09:6840:132:1:2::" + services-3.ceph: + - 10.132.1.3 + - "2a09:6840:132:1:3::" + ns-master.int: + - 10.128.0.110 + - "2a09:6840:128:0::110" + ec-1.ups: + - 10.131.4.1 + - 2a09:6840:131::4:1 + ec-2.ups: + - 10.131.4.2 + - 2a09:6840:131::4:2 + 108.66.45.in-addr.arpa: + dnssec_policy: ripe + notify: + - xfr-ns-1 + - xfr-ns-2 + acl: + - xfr + soa: + mname: ns-master.int.infra.auro.re. + ns: + - target: + - ns-1.auro.re. + - ns-2.auro.re. + 109.66.45.in-addr.arpa: + dnssec_policy: ripe + notify: + - xfr-ns-1 + - xfr-ns-2 + acl: + - xfr + soa: + mname: ns-master.int.infra.auro.re. + ns: + - target: + - ns-1.auro.re. + - ns-2.auro.re. + 110.66.45.in-addr.arpa: + dnssec_policy: ripe + notify: + - xfr-ns-1 + - xfr-ns-2 + acl: + - xfr + soa: + mname: ns-master.int.infra.auro.re. + ns: + - target: + - ns-1.auro.re. + - ns-2.auro.re. + 111.66.45.in-addr.arpa: + dnssec_policy: ripe + notify: + - xfr-ns-1 + - xfr-ns-2 + acl: + - xfr + soa: + mname: ns-master.int.infra.auro.re. + ns: + - target: + - ns-1.auro.re. + - ns-2.auro.re. + ptr: + - name: "1" + target: x.auro.re. + - name: "2" + target: y.auro.re. + reverse_hosts: "{{ knotd__hosts['auro.re'] + | ip_filter(['45.66.111.0/24']) + | add_origin_keys('auro.re.') }}" + 4.8.6.9.0.a.2.ip6.arpa: + dnssec_policy: ripe + notify: + - xfr-ns-1 + - xfr-ns-2 + acl: + - xfr + soa: + mname: ns-master.int.infra.auro.re. + ns: + - target: + - ns-1.auro.re. + - ns-2.auro.re. + #reverse: "{{ nb_dns_reverse(ranges={'45.66.108.0/24'}, + # vlan_suffixes=nb__dns_vlan_suffixes) }}" + #hosts: "{{ nb_dns_hosts(vlans={'int', 'ceph', 'ext', 'bmc'}, + # vlan_suffixes=nb__dns_vlan_suffixes) }}" + #nb_dns__vlan_suffixes: + # external-services: ext.infra.auro.re. + # wifi-access-points: wifi.infra.auro.re. 
+ # monitoring: monit.infra.auro.re. + # routers: rtr.infra.auro.re. + # services-ceph: ceph.infra.auro.re. + # ups: ups.infra.auro.re. + # switchs: sw.infra.auro.re. + # internal-services: int.infra.auro.re. + # bmc: bmc.infra.auro.re. + roles: + - knotd + +- hosts: + - ns-1.auro.re + - ns-2.auro.re + vars: + knotd__listen: + - address: 0.0.0.0 + - address: "::" + knotd__keys: + xfr: + algorithm: hmac-sha512 + secret: "{{ vault_knotd_xfr_key }}" + knotd__remotes: + xfr-master: + address: 10.128.0.110 + key: xfr + knotd__acl: + notify-master: + address: + - 10.128.0.110 + - 2a09:6840:128::110 + key: xfr + action: notify + knotd__queryacl: + local: + addresses: + - 10.0.0.0/8 + knotd__zones: + auro.re: + dnssec_validation: false + acl: + - notify-master + master: xfr-master + infra.auro.re: + dnssec_validation: false + acl: + - notify-master + #queryacl: local + master: xfr-master + 108.66.45.in-addr.arpa: + dnssec_validation: false + acl: + - notify-master + master: xfr-master + 109.66.45.in-addr.arpa: + dnssec_validation: false + acl: + - notify-master + master: xfr-master + 110.66.45.in-addr.arpa: + dnssec_validation: false + acl: + - notify-master + master: xfr-master + 111.66.45.in-addr.arpa: + dnssec_validation: false + acl: + - notify-master + master: xfr-master + 4.8.6.9.0.a.2.ip6.arpa: + dnssec_validation: false + acl: + - notify-master + master: xfr-master + roles: + - knotd +...
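Review bot: The `knotd__acl` entries in this hunk spell the address list two ways — `xfr` and `knotd__queryacl.local` use `addresses:`, while `ksk-infra` on the master and `notify-master` on the secondaries use `address:` — and unless the knotd role's template accepts both, the spelling it does not read is silently dropped, leaving that ACL to match on the TSIG key alone; pick the key the role reads (the `xfr` entry suggests `addresses:`) and use it for all three. The `infra` and `ripe` policies also write `nsec3: on` where `public` writes `nsec3: true`; PyYAML treats `on` as a boolean, but yamllint's truthy rule and YAML 1.2 loaders do not, so `nsec3: true` is the safer form in both. With `knotd__listen` on `0.0.0.0` and `"::"` and `#queryacl: local` commented out, the `infra.auro.re` zone, whose hosts are all RFC 1918 and `2a09:6840:132`/`131` addresses, is answered to any client that can reach the master; if that is deliberate for this WIP, a short comment next to the commented-out line saying so would save the next reader from re-deriving it. The `ptr` entries `x.auro.re.` and `y.auro.re.` in `111.66.45.in-addr.arpa` look like placeholders and would be worth a `# TODO` mark like the one already on `knotd__hosts`.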