From c97dca8fa840618a590976803f5f30a52055accf Mon Sep 17 00:00:00 2001 From: Jeltz Date: Tue, 16 Aug 2022 20:13:25 +0200 Subject: [PATCH 01/44] Add library/dns_zone.py --- library/dns_zone.py | 249 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 249 insertions(+) create mode 100755 library/dns_zone.py diff --git a/library/dns_zone.py b/library/dns_zone.py new file mode 100755 index 0000000..033eff2 --- /dev/null +++ b/library/dns_zone.py 
@@ -0,0 +1,249 @@ +#!/usr/bin/env python3 +import itertools +import dataclasses + +from typing import Any + +import dns +import dns.serial +import dns.zone +import dns.rdata +import dns.rdataclass +import dns.rdatatype +import dns.rdtypes.IN.A +import dns.rdtypes.IN.AAAA +import dns.rdtypes.ANY.MX +import dns.rdtypes.ANY.SOA +import dns.rdtypes.ANY.NS +import dns.rdtypes.ANY.TXT + +from ansible.module_utils.basic import AnsibleModule + + +class RName(dns.name.Name): + def __init__(self, address): + try: + local, domain = address.split("@") + except ValueError: + raise ValueError( + "Invalid e-mail address format: {}".format(address) + ) + super().__init__((local,) + dns.name.from_text(domain).labels) + + +@dataclasses.dataclass +class A: + address: str + name: dns.name.Name = dns.name.empty + + def rdata(self) -> dns.rdata.Rdata: + return dns.rdtypes.IN.A.A( + dns.rdataclass.IN.IN, dns.rdatatype.A, self.address + ) + + +@dataclasses.dataclass +class AAAA: + address: str + name: dns.name.Name = dns.name.empty + + def rdata(self) -> dns.rdata.Rdata: + return dns.rdtypes.IN.AAAA.AAAA( + dns.rdataclass.IN.IN, dns.rdatatype.AAAA, self.address + ) + + +@dataclasses.dataclass +class CNAME: + address: dns.name.Name + name: dns.name.Name = dns.name.empty + + def rdata(self) -> dns.rdata.Rdata: + return dns.rdtypes.ANY.CNAME.CNAME( + dns.rdataclass.IN.IN, dns.rdatatype.CNAME, self.address + ) + + +@dataclasses.dataclass +class MX: + exchange: dns.name.Name + name: dns.name.Name = dns.name.empty + priority: int = 10 + + def rdata(self) -> dns.rdata.Rdata: + return dns.rdtypes.ANY.MX.MX( + dns.rdataclass.IN.IN, + dns.rdatatype.MX, + self.priority, + self.exchange, + ) + + +@dataclasses.dataclass +class NS: + address: dns.name.Name + name: dns.name.Name = dns.name.empty + + def rdata(self) -> dns.rdata.Rdata: + return dns.rdtypes.ANY.NS.NS( + dns.rdataclass.IN.IN, dns.rdatatype.NS, self.address + ) + + +@dataclasses.dataclass +class TXT: + data: str + name: dns.name.Name = 
dns.name.empty + + def rdata(self) -> dns.rdata.Rdata: + return dns.rdtypes.ANY.TXT.TXT( + dns.rdataclass.IN.IN, dns.rdatatype.TXT, self.data + ) + + +@dataclasses.dataclass +class SOA: + mname: dns.name.Name + rname: RName + refresh: int + retry: int + expire: int + ttl: int + serial: int = 1 + name: dns.name.Name = dns.name.empty + + def rdata(self) -> dns.rdata.Rdata: + return dns.rdtypes.ANY.SOA.SOA( + dns.rdataclass.IN.IN, + dns.rdatatype.SOA, + self.mname, + self.rname, + self.serial, + self.refresh, + self.retry, + self.expire, + self.ttl, + ) + + +def spec_option_of_field(field): + types = { + str: "str", + dns.name.Name: "str", + RName: "str", + int: "int", + } + return { + "type": types[field.type], + "required": field.default is dataclasses.MISSING, + } + + +def spec_options_of_type(ty): + return { + field.name: spec_option_of_field(field) + for field in dataclasses.fields(ty) + } + + +def coerce_dns_name(value: Any) -> dns.name.Name: + if not isinstance(value, dns.name.Name): + return dns.name.from_text(value, origin=dns.name.empty) + return value + + +def make_record(args, ty): + # TODO: Ça n'est pas du tout élégant, mais : + # 1. je n'ai pas réussi à spécifier dans `argument_spec` un type tiers + # 2. 
Ansible positionne à `None` les entrées non passées à la tâche et + # ce comportement ne semble pas modifiable + types = {f.name: f.type for f in dataclasses.fields(ty)} + coercers = { + dns.name.Name: coerce_dns_name, + RName: RName, + } + + def coerce(name, value): + if types[name] not in coercers: + return value + return coercers[types[name]](value) + + clean_args = { + name: coerce(name, value) + for name, value in args.items() + if value is not None + } + + return ty(**clean_args) + + +def zones_eq(a: dns.zone.Zone, b: dns.zone.Zone) -> bool: + return a.to_text(relativize=False) == b.to_text(relativize=False) + + +def main() -> int: + + record_types = { + "ns": NS, + "txt": TXT, + "a": A, + "aaaa": AAAA, + "mx": MX, + } + + module_args = { + "path": {"type": "path", "required": True}, + "origin": {"type": "str", "required": True}, + "soa": { + "type": "dict", + "required": True, + "options": spec_options_of_type(SOA), + }, + } + + for name, ty in record_types.items(): + module_args[name] = { + "type": "list", + "default": [], + "elements": "dict", + "options": spec_options_of_type(ty), + } + + module = AnsibleModule(argument_spec=module_args) + + origin = dns.name.from_text(module.params["origin"]) + path = module.params["path"] + + zone = dns.zone.Zone(origin) + + try: + current = dns.zone.from_file(path, origin=origin) + except: + current = None + + records = [make_record(module.params["soa"], SOA)] + + records.extend( + itertools.chain.from_iterable( + (make_record(args, ty) for args in module.params[name]) + for name, ty in record_types.items() + ) + ) + + for record in records: + node = zone.get_node(record.name, create=True) + rdata = record.rdata() + dataset = node.get_rdataset(rdata.rdclass, rdata.rdtype, create=True) + dataset.add(rdata) + + changed = current is None or not zones_eq(zone, current) + if changed: + zone.to_file(path, relativize=False) + + module.exit_json(changed=changed) + + return 0 + + +if __name__ == "__main__": + exit(main()) -- 
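Review bot: `zone.to_file(path, relativize=False)` near the end of main() rewrites the zone file in place, so a crash, signal or full disk between open and close leaves a truncated zone file that the nameserver will load on its next reload. Writing to a sibling temp file and handing it to `module.atomic_move(tmp_path, path)` keeps the old content intact until the new one is complete. The same constructor call, `AnsibleModule(argument_spec=module_args)`, does not declare `supports_check_mode=True`, so `--check` runs cannot report whether the zone would change; once declared, guarding the write with `and not module.check_mode` is all that is needed. `tempfile` and `os` would have to be added to the imports at the top of the file.
```python
    # … unchanged: record construction loop …
    changed = current is None or not zones_eq(zone, current)
    if changed and not module.check_mode:
        # Write next to the target and rename over it so an interrupted run
        # never leaves a partially written zone file behind.
        fd, tmp_path = tempfile.mkstemp(prefix=".dns_zone.", dir=os.path.dirname(path) or ".")
        with os.fdopen(fd, "w") as tmp:
            zone.to_file(tmp, relativize=False)
        module.atomic_move(tmp_path, path)
    # … unchanged: exit_json …
```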
2.45.2 From 4dbe0e562de0175ab6d47bd0d28f05ca72e757ab Mon Sep 17 00:00:00 2001 From: Jeltz Date: Wed, 17 Aug 2022 18:23:47 +0200 Subject: [PATCH 02/44] dns_zone: cleanup + hosts + product --- library/dns_zone.py | 160 +++++++++++++++++++++++++++++++++----------- 1 file changed, 120 insertions(+), 40 deletions(-) diff --git a/library/dns_zone.py b/library/dns_zone.py index 033eff2..825a0d7 100755 --- a/library/dns_zone.py +++ b/library/dns_zone.py @@ -1,26 +1,30 @@ #!/usr/bin/env python3 -import itertools import dataclasses - -from typing import Any +import ipaddress +import itertools +import sys +import typing +from typing import Annotated, Any import dns -import dns.serial -import dns.zone import dns.rdata import dns.rdataclass import dns.rdatatype +import dns.rdtypes.ANY.CNAME +import dns.rdtypes.ANY.MX +import dns.rdtypes.ANY.NS +import dns.rdtypes.ANY.SOA +import dns.rdtypes.ANY.TXT import dns.rdtypes.IN.A import dns.rdtypes.IN.AAAA -import dns.rdtypes.ANY.MX -import dns.rdtypes.ANY.SOA -import dns.rdtypes.ANY.NS -import dns.rdtypes.ANY.TXT - +import dns.serial +import dns.zone from ansible.module_utils.basic import AnsibleModule class RName(dns.name.Name): + """Domain name used to represent an e-mail address (see RFC 1035).""" + def __init__(self, address): try: local, domain = address.split("@") @@ -31,10 +35,18 @@ class RName(dns.name.Name): super().__init__((local,) + dns.name.from_text(domain).labels) +class MultiRecords: + """Annotation used to indicate that a field can be filled in more than + once via a list, and that this will create as many records as values. + """ + + ... + + @dataclasses.dataclass class A: address: str - name: dns.name.Name = dns.name.empty + name: Annotated[dns.name.Name, MultiRecords] = dns.name.empty def rdata(self) -> dns.rdata.Rdata: return dns.rdtypes.IN.A.A( 
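Review bot: The import block now lists the rdtypes explicitly but still never imports `dns.name`, which `class RName(dns.name.Name)` and every `dns.name.empty` default rely on; it only resolves because `dns.zone` happens to import it first, so `import dns.name` belongs in the sorted block. In the `MultiRecords` hunk the `...` body after the docstring is redundant (the docstring already makes the class body non-empty) and reads like a stub; dropping it, or replacing it with a `__slots__ = ()` if instances are never meant to be created, makes the marker intent clearer. The docstring could also say how the marker is consumed, e.g. `Consumed by spec_option_of_field() (list option) and make_records() (one record per value).`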
@@ -45,7 +57,7 @@ class A: @dataclasses.dataclass class AAAA: address: str - name: dns.name.Name = dns.name.empty + name: Annotated[dns.name.Name, MultiRecords] = dns.name.empty def rdata(self) -> dns.rdata.Rdata: return dns.rdtypes.IN.AAAA.AAAA( @@ -56,7 +68,7 @@ class AAAA: @dataclasses.dataclass class CNAME: address: dns.name.Name - name: dns.name.Name = dns.name.empty + name: Annotated[dns.name.Name, MultiRecords] = dns.name.empty def rdata(self) -> dns.rdata.Rdata: return dns.rdtypes.ANY.CNAME.CNAME( @@ -66,8 +78,8 @@ class CNAME: @dataclasses.dataclass class MX: - exchange: dns.name.Name - name: dns.name.Name = dns.name.empty + exchange: Annotated[dns.name.Name, MultiRecords] + name: Annotated[dns.name.Name, MultiRecords] = dns.name.empty priority: int = 10 def rdata(self) -> dns.rdata.Rdata: @@ -81,8 +93,8 @@ class MX: @dataclasses.dataclass class NS: - address: dns.name.Name - name: dns.name.Name = dns.name.empty + address: Annotated[dns.name.Name, MultiRecords] + name: Annotated[dns.name.Name, MultiRecords] = dns.name.empty def rdata(self) -> dns.rdata.Rdata: return dns.rdtypes.ANY.NS.NS( @@ -93,7 +105,7 @@ class NS: @dataclasses.dataclass class TXT: data: str - name: dns.name.Name = dns.name.empty + name: Annotated[dns.name.Name, MultiRecords] = dns.name.empty def rdata(self) -> dns.rdata.Rdata: return dns.rdtypes.ANY.TXT.TXT( @@ -110,7 +122,7 @@ class SOA: expire: int ttl: int serial: int = 1 - name: dns.name.Name = dns.name.empty + name: Annotated[dns.name.Name, MultiRecords] = dns.name.empty def rdata(self) -> dns.rdata.Rdata: return dns.rdtypes.ANY.SOA.SOA( 
@@ -126,6 +138,25 @@ class SOA: ) +def has_annotation(ty, annotation): + """Is the type `ty` annotated with a given `annotation`.""" + return ( + typing.get_origin(ty) == typing.Annotated + and annotation in typing.get_args(ty)[1:] + ) + + +def annotated_origin(ty): + """Returns the origin of an annotated type `ty`.""" + assert typing.get_origin(ty) == typing.Annotated + return typing.get_args(ty)[0] + + +def is_multi_records(ty): + """Is the type `ty` annotated with `MultiRecords`.""" + return has_annotation(ty, MultiRecords) + + def spec_option_of_field(field): types = { str: "str", @@ -133,13 +164,20 @@ def spec_option_of_field(field): RName: "str", int: "int", } - return { - "type": types[field.type], - "required": field.default is dataclasses.MISSING, - } + if is_multi_records(field.type): + option = { + "type": "list", + "elements": types[annotated_origin(field.type)], + } + else: + option = {"type": types[field.type]} + option["required"] = field.default is dataclasses.MISSING + return option def spec_options_of_type(ty): + """Convert a `dataclass` type to Ansible `argument_spec` `options`' + format.""" return { field.name: spec_option_of_field(field) for field in dataclasses.fields(ty) 
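Review bot: `annotated_origin` validates its argument with `assert`, which is stripped under `python -O`, so a non-annotated type would then fall through to `typing.get_args(ty)[0]` and raise an opaque `IndexError`; `if typing.get_origin(ty) is not typing.Annotated: raise TypeError("expected an Annotated type, got {!r}".format(ty))` keeps the check in production. In `spec_option_of_field`, `types[field.type]` and `types[annotated_origin(field.type)]` raise a bare `KeyError` for a dataclass field of any other type, which will surface as a traceback at module load; a `TypeError` naming the field would be easier to diagnose when a new record type is added. The enclosing `spec_options_of_type` body continues past the hunk.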
@@ -147,12 +185,32 @@ def spec_options_of_type(ty): def coerce_dns_name(value: Any) -> dns.name.Name: + """Try to convert a `value` to `dns.name.Name`.""" if not isinstance(value, dns.name.Name): return dns.name.from_text(value, origin=dns.name.empty) return value -def make_record(args, ty): +def product_dict(dct, keys=None): + """Compute the "cartesian product" of a dictionnary `dct` + w.r.t some `keys` (if `keys` is None, then the product is computed + on all the keys).""" + if keys is None: + keys = dct.keys() + wrapped = {k: v if k in keys else [v] for k, v in dct.items()} + for values in itertools.product(*wrapped.values()): + yield dict(zip(wrapped.keys(), values)) + + +def make_hosts_records(hosts): + for host, addrs in hosts.items(): + for addr in addrs: + name = dns.name.from_text(host, origin=dns.name.empty) + decoded = ipaddress.ip_address(addr) + yield AAAA(addr, name) if decoded.version == 6 else A(addr, name) + + +def make_records(args, ty): # TODO: Ça n'est pas du tout élégant, mais : # 1. je n'ai pas réussi à spécifier dans `argument_spec` un type tiers # 2. Ansible positionne à `None` les entrées non passées à la tâche et @@ -163,10 +221,16 @@ def make_record(args, ty): RName: RName, } + def coerce_single(value, ty): + if ty in coercers: + return coercers[ty](value) + return value + def coerce(name, value): - if types[name] not in coercers: - return value - return coercers[types[name]](value) + if is_multi_records(types[name]): + origin = annotated_origin(types[name]) + return [coerce_single(v, origin) for v in value] + return coerce_single(value, types[name]) clean_args = { name: coerce(name, value) 
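Review bot: `make_hosts_records` is the only consumer that fixes the shape of the new `hosts` option, yet it carries no docstring; since the option is declared as a bare `dict` with no `options`, a docstring such as `"""Yield one A/AAAA record per address of ``hosts`` ({name: [ip, ...]}); the family is chosen by ipaddress.ip_address()."""` is the only place the contract will be visible. The `product_dict` docstring misspells "dictionary" as "dictionnary" and should say that `keys` is tested with `in` once per entry of `dct`, which matters for the kind of object a caller passes. `make_records` continues outside the hunk.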
@@ -174,11 +238,16 @@ def make_record(args, ty): if value is not None } - return ty(**clean_args) + multi_keys = (k for k, v in types.items() if is_multi_records(v)) + + for single_args in product_dict(clean_args, multi_keys): + yield ty(**single_args) -def zones_eq(a: dns.zone.Zone, b: dns.zone.Zone) -> bool: - return a.to_text(relativize=False) == b.to_text(relativize=False) +def zones_eq(lhs: dns.zone.Zone, rhs: dns.zone.Zone) -> bool: + """Returns a `bool` indicating whether two `dns.zone.Zone`s are equal + w.r.t. their text representation.""" + return lhs.to_text(relativize=False) == rhs.to_text(relativize=False) def main() -> int: @@ -188,17 +257,19 @@ def main() -> int: "txt": TXT, "a": A, "aaaa": AAAA, + "cname": CNAME, "mx": MX, } module_args = { - "path": {"type": "path", "required": True}, + "path": {"type": "str", "required": True}, "origin": {"type": "str", "required": True}, "soa": { "type": "dict", "required": True, "options": spec_options_of_type(SOA), }, + "hosts": {"type": "dict", "default": {}}, } for name, ty in record_types.items(): @@ -209,7 +280,10 @@ def main() -> int: "options": spec_options_of_type(ty), } - module = AnsibleModule(argument_spec=module_args) + module = AnsibleModule( + argument_spec=module_args, + add_file_common_args=True, + ) origin = dns.name.from_text(module.params["origin"]) path = module.params["path"] @@ -218,16 +292,18 @@ def main() -> int: try: current = dns.zone.from_file(path, origin=origin) - except: + except Exception: current = None - records = [make_record(module.params["soa"], SOA)] - - records.extend( + records = itertools.chain( + make_records(module.params["soa"], SOA), + make_hosts_records(module.params["hosts"]), itertools.chain.from_iterable( - (make_record(args, ty) for args in module.params[name]) + itertools.chain.from_iterable( + make_records(args, ty) for args in module.params[name] + ) for name, ty in record_types.items() - ) + ), ) for record in records: 
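Review bot: In the `module_args` hunk, `"path"` changes from `"type": "path"` to `"type": "str"`, which drops the `~` and environment-variable expansion Ansible performs for path-typed options; since the following hunk adds `add_file_common_args=True` and the value is used purely as a filesystem path, `"path": {"type": "path", "required": True}` is the right declaration. The new `"hosts": {"type": "dict", "default": {}}` option declares no inner structure, so its shape is documented by code alone; a one-line comment, `# hosts: {name: [ip, ...]}, expanded by make_hosts_records() into A/AAAA records`, would help the next reader of the spec.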
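Review bot: `except Exception: current = None` around `dns.zone.from_file` still treats an unreadable or syntactically broken existing file the same as a missing one, so a permission error or a corrupted zone file is silently overwritten on the next run and the cause is never reported. Catching `except FileNotFoundError: current = None` for the absent case and routing everything else through `except Exception as err: module.fail_json(msg="cannot read zone file {}: {}".format(path, err))` keeps that data-loss path visible. The same applies to input-derived errors the new `records` chain can raise (`ValueError` from `RName` and `ipaddress.ip_address`, `dns.exception.DNSException` from `dns.name.from_text`), which currently reach the user as a raw traceback rather than a module failure. main() continues outside the hunk.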
@@ -236,9 +312,13 @@ def main() -> int: dataset = node.get_rdataset(rdata.rdclass, rdata.rdtype, create=True) dataset.add(rdata) + file_args = module.load_file_common_arguments(module.params) + changed = current is None or not zones_eq(zone, current) if changed: - zone.to_file(path, relativize=False) + zone.to_file(module.params["path"], relativize=False) + + changed = module.set_fs_attributes_if_different(file_args, changed) module.exit_json(changed=changed) @@ -246,4 +326,4 @@ def main() -> int: if __name__ == "__main__": - exit(main()) + sys.exit(main()) -- 2.45.2 From 11939a6032dea52fac4bd825202bf1c43207facb Mon Sep 17 00:00:00 2001 From: Jeltz Date: Wed, 17 Aug 2022 18:59:40 +0200 Subject: [PATCH 03/44] Add library path in ansible.cfg --- ansible.cfg | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible.cfg b/ansible.cfg index 6476e6f..a43566c 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -3,6 +3,7 @@ ask_vault_pass = True roles_path = ./roles retry_files_enabled = False inventory = ./hosts +library = ./library ansible_managed = Ansible managed, modified on %Y-%m-%d %H:%M:%S nocows = 1 forks = 15 -- 2.45.2 From 961a2f110511518c1e0ec2f96f2c78b9a6df430d Mon Sep 17 00:00:00 2001 From: Jeltz Date: Wed, 17 Aug 2022 19:00:07 +0200 Subject: [PATCH 04/44] Add knotd role --- roles/knotd/defaults/main.yml | 23 ++++++ roles/knotd/handlers/main.yml | 11 +++ roles/knotd/tasks/main.yml | 60 ++++++++++++++ roles/knotd/templates/knot.conf.j2 | 127 +++++++++++++++++++++++++++++ 4 files changed, 221 insertions(+) create mode 100644 roles/knotd/defaults/main.yml create mode 100644 roles/knotd/handlers/main.yml create mode 100644 roles/knotd/tasks/main.yml create mode 100644 roles/knotd/templates/knot.conf.j2 diff --git a/roles/knotd/defaults/main.yml b/roles/knotd/defaults/main.yml new file mode 100644 index 0000000..37a901d --- /dev/null +++ b/roles/knotd/defaults/main.yml 
@@ -0,0 +1,23 @@ +--- +knotd__run_dir: /run/knot +knotd__user: knot +knotd__group: knot +knotd__listen: [] +knotd__port: 53 +knotd__database_dir: /var/lib/knot +knotd__keys: [] +knotd__remotes: [] +knotd__submissions: [] +knotd__policies: [] +knotd__reproducible_signing: true +knotd__nsec3: true +knotd__cds_cdnskey_publish: rollover +knotd__acl: [] +knotd__acl_update_owner: name +knotd__acl_update_owner_match: equal +knotd__zones_dir: "{{ knotd__database_dir }}/zones" +knotd__semantic_checks: true +knotd__serial_policy: increment +knotd__zones: [] +knotd__dnssec_validation: true +... diff --git a/roles/knotd/handlers/main.yml b/roles/knotd/handlers/main.yml new file mode 100644 index 0000000..ebad18e --- /dev/null +++ b/roles/knotd/handlers/main.yml @@ -0,0 +1,11 @@ +--- +- name: Restart knotd + systemd: + name: knot.service + state: restarted + +- name: Reload knotd + systemd: + name: knot.service + state: reloaded +... diff --git a/roles/knotd/tasks/main.yml b/roles/knotd/tasks/main.yml new file mode 100644 index 0000000..ce3da05 --- /dev/null +++ b/roles/knotd/tasks/main.yml 
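Review bot: `knotd__keys`, `knotd__remotes`, `knotd__submissions`, `knotd__policies` and `knotd__acl` default to `[]`, but the template iterates each of them with `.items()`, so they are really mappings keyed by id; the list defaults only survive because every section is wrapped in `{% if knotd__… %}`. Defaulting them to `{}` and adding a short comment on the expected shape (for example `knotd__keys: {}  # id -> {algorithm, secret}`) keeps the declared type honest and avoids a confusing `'list object' has no attribute 'items'` failure the first time one of those guards is loosened. `knotd__zones: []` has the same mismatch with `knotd__zones | dict2items` in the tasks.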
@@ -0,0 +1,60 @@ +--- +- name: Install knotd and dnspython + apt: + name: + - knot + - python3-dnspython + +- name: Install config files + template: + src: knot.conf.j2 + dest: /etc/knot/knot.conf + owner: root + group: knot + mode: u=rw,g=r,o= + notify: + - Restart knotd + +- name: Create zones directory + file: + path: "{{ knotd__zones_dir }}" + state: directory + owner: root + group: "{{ knotd__group }}" + mode: u=rwx,g=rx,o= + +- name: Create zone files + dns_zone: + path: "{{ knotd__zones_dir }}/{{ item.key }}.zone" + owner: root + group: "{{ knotd__group }}" + mode: u=rw,g=r,o= + origin: "{{ item.key }}" + soa: "{{ item.value.soa }}" + hosts: "{{ item.value.hosts | default(omit) }}" + ns: "{{ item.value.ns | default(omit) }}" + mx: "{{ item.value.mx | default(omit) }}" + cname: "{{ item.value.cname | default(omit) }}" + txt: "{{ item.value.txt | default(omit) }}" + a: "{{ item.value.a | default(omit) }}" + aaaa: "{{ item.value.aaaa | default(omit) }}" + when: "item.value.master is not defined + and (item.value.enabled | default(true))" + loop: "{{ knotd__zones | dict2items }}" + notify: + - Reload knotd + +- name: Remove disabled zone files + file: + path: "{{ knotd__zones_dir }}/{{ item.key }}.zone" + state: absent + when: "item.value.master is not defined + and not (item.value.enabled | default(true))" + loop: "{{ knotd__zones | dict2items }}" + +- name: Enable and start knotd + systemd: + name: knot.service + enabled: true + state: started +... diff --git a/roles/knotd/templates/knot.conf.j2 b/roles/knotd/templates/knot.conf.j2 new file mode 100644 index 0000000..732b6c8 --- /dev/null +++ b/roles/knotd/templates/knot.conf.j2 
@@ -0,0 +1,127 @@ +server: + rundir: "{{ knotd__run_dir }}" + user: {{ knotd__user }}:{{ knotd__group }} +{% for listen in knotd__listen %} + listen: {{ listen.address }}@{{ listen.port | default(knotd__port) }} +{% endfor %} + +log: + - target: syslog + any: info + +database: + storage: "{{ knotd__database_dir }}" + +{% if knotd__keys %} +key: +{% for id, key in knotd__keys.items() %} + - id: {{ id }} + algorithm: {{ key.algorithm }} + secret: {{ key.secret }} +{% endfor %} +{% endif %} + +{% if knotd__remotes %} +remote: +{% for id, remote in knotd__remotes.items() %} + - id: {{ id }} + address: {{ remote.address }} +{% if "key" in remote %} + key: {{ remote.key }} +{% endif %} +{% endfor %} +{% endif %} + +{% if knotd__submissions %} +submission: +{% for id, submission in knotd__submissions.items() %} + - id: {{ id }} + parent: {{ submission.parent }} +{% endfor %} +{% endif %} + +{% if knotd__policies %} +policy: +{% for id, policy in knotd__policies.items() %} + - id: {{ id }} + algorithm: {{ policy.algorithm }} +{% if policy.algorithm.startswith("ECDSA") %} + reproducible-signing: {{ policy.reproducible_signing + | default(knotd__reproducible_signing) + | ternary("on", "off") }} +{% endif %} + ksk-lifetime: {{ policy.ksk_lifetime }} + zsk-lifetime: {{ policy.zsk_lifetime }} + nsec3: {{ policy.nsec3 + | default(knotd__nsec3) + | ternary("on", "off") }} +{% if "ds_push" in policy %} + ds-push: {{ policy.ds_push }} +{% endif %} + cds-cdnskey-publish: {{ policy.cds_cdnskey_publish + | default(knotd__cds_cdnskey_publish) }} +{% if "ksk_submission" in policy %} + ksk-submission: {{ policy.ksk_submission }} +{% endif %} +{% endfor %} +{% endif %} + +{% if knotd__acl %} +acl: +{% for id, acl in knotd__acl.items() %} + - id: {{ id }} +{% if "addresses" in acl %} + address: [ {{ acl.addresses | join(", ") }} ] +{% endif %} + action: {{ acl.action }} +{% if acl.action == "update" %} + update-type: [ {{ acl.update_types | join(", ") }} ] + update-owner: {{ 
acl.update_owner + | default(knotd__acl_update_owner) }} + update-owner-match: {{ acl.update_owner_match + | default(knotd__acl_update_owner_match) }} + update-owner-name: [ {{ acl.update_owner_name | join(", ") }} ] +{% endif %} +{% if "key" in acl %} + key: {{ acl.key }} +{% endif %} +{% endfor %} +{% endif %} + +template: + - id: default + storage: "{{ knotd__zones_dir }}" + file: "%s.zone" + semantic-checks: {{ knotd__semantic_checks + | ternary("on", "off") }} + zonefile-sync: -1 + zonefile-load: difference-no-serial + journal-content: changes + journal-content: all + serial-policy: {{ knotd__serial_policy }} + +{% if knotd__zones %} +zone: +{% for domain, zone in knotd__zones.items() %} +{% if zone.enabled | default(true) %} + - domain: {{ domain }} +{% if "notify" in zone %} + notify: [ {{ zone.notify | join(", ") }} ] +{% endif %} +{% if "acl" in zone %} + acl: [ {{ zone.acl | join(", ") }} ] +{% endif %} +{% if "master" in zone %} + master: {{ zone.master }} +{% endif %} +{% if "dnssec_policy" in zone %} + dnssec-policy: {{ zone.dnssec_policy }} + dnssec-signing: on +{% else %} + dnssec-validation: {{ zone.dnssec_validation + | default(knotd__dnssec_validation) + | ternary("on", "off") }} +{% endif %} +{% endif %} +{% endfor %} +{% endif %} -- 2.45.2 From 43693c2fc8324c6086653e4b1ad32e70fd787d7d Mon Sep 17 00:00:00 2001 From: Jeltz Date: Thu, 18 Aug 2022 01:33:52 +0200 Subject: [PATCH 05/44] dns_zone: bug: replace generator with set --- library/dns_zone.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/dns_zone.py b/library/dns_zone.py index 825a0d7..899c654 100755 --- a/library/dns_zone.py +++ b/library/dns_zone.py @@ -238,7 +238,7 @@ def make_records(args, ty): if value is not None } - multi_keys = (k for k, v in types.items() if is_multi_records(v)) + multi_keys = {k for k, v in types.items() if is_multi_records(v)} for single_args in product_dict(clean_args, multi_keys): yield ty(**single_args) -- 2.45.2 
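Review bot: The `template:` section emits `journal-content: changes` immediately followed by `journal-content: all`; one of them is a leftover and which value Knot ends up using depends on its parser, so only the intended line should stay (as far as I recall, `difference-no-serial` loading pairs with `all`). In the `acl:` section both `address` and `key` are optional, so an entry that sets neither renders as an action-only ACL, which Knot treats as matching any source, meaning an `update` or `transfer` ACL that merely forgot its address is wide open; either require one of them in the template (`{{ acl.addresses | default(acl.key) | mandatory }}`) or document that constraint next to `knotd__acl`. `update-type` and `update-owner-name` also read `acl.update_types` and `acl.update_owner_name` without a `default`, so an update ACL missing either fails with a generic undefined-variable error rather than a message naming the field.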
From f321b12d2f5a93466f0a33cf40c5b38fca0e8305 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Thu, 18 Aug 2022 01:35:12 +0200 Subject: [PATCH 06/44] knotd: add queryacl support --- roles/knotd/defaults/main.yml | 1 + roles/knotd/templates/knot.conf.j2 | 31 +++++++++++++++++++++--------- 2 files changed, 23 insertions(+), 9 deletions(-) diff --git a/roles/knotd/defaults/main.yml b/roles/knotd/defaults/main.yml index 37a901d..a0d36a7 100644 --- a/roles/knotd/defaults/main.yml +++ b/roles/knotd/defaults/main.yml @@ -15,6 +15,7 @@ knotd__cds_cdnskey_publish: rollover knotd__acl: [] knotd__acl_update_owner: name knotd__acl_update_owner_match: equal +knotd__queryacl: [] knotd__zones_dir: "{{ knotd__database_dir }}/zones" knotd__semantic_checks: true knotd__serial_policy: increment diff --git a/roles/knotd/templates/knot.conf.j2 b/roles/knotd/templates/knot.conf.j2 index 732b6c8..0a4cebe 100644 --- a/roles/knotd/templates/knot.conf.j2 +++ b/roles/knotd/templates/knot.conf.j2 @@ -1,3 +1,5 @@ +{{ ansible_managed | comment }} + server: rundir: "{{ knotd__run_dir }}" user: {{ knotd__user }}:{{ knotd__group }} @@ -26,7 +28,7 @@ remote: {% for id, remote in knotd__remotes.items() %} - id: {{ id }} address: {{ remote.address }} -{% if "key" in remote %} +{% if remote.key is defined %} key: {{ remote.key }} {% endif %} {% endfor %} @@ -55,12 +57,12 @@ policy: nsec3: {{ policy.nsec3 | default(knotd__nsec3) | ternary("on", "off") }} -{% if "ds_push" in policy %} +{% if policy.ds_push is defined %} ds-push: {{ policy.ds_push }} {% endif %} cds-cdnskey-publish: {{ policy.cds_cdnskey_publish | default(knotd__cds_cdnskey_publish) }} -{% if "ksk_submission" in policy %} +{% if policy.ksk_submission is defined %} ksk-submission: {{ policy.ksk_submission }} {% endif %} {% endfor %} 
@@ -70,7 +72,7 @@ policy: acl: {% for id, acl in knotd__acl.items() %} - id: {{ id }} -{% if "addresses" in acl %} +{% if acl.addresses is defined %} address: [ {{ acl.addresses | join(", ") }} ] {% endif %} action: {{ acl.action }} @@ -82,12 +84,20 @@ acl: | default(knotd__acl_update_owner_match) }} update-owner-name: [ {{ acl.update_owner_name | join(", ") }} ] {% endif %} -{% if "key" in acl %} +{% if acl.key is defined %} key: {{ acl.key }} {% endif %} {% endfor %} {% endif %} +{% if knotd__queryacl.items() %} +mod-queryacl: +{% for id, acl in knotd__queryacl.items() %} + - id: {{ id }} + address: [ {{ acl.addresses | join(", ") }} ] +{% endfor %} +{% endif %} + template: - id: default storage: "{{ knotd__zones_dir }}" @@ -105,16 +115,19 @@ zone: {% for domain, zone in knotd__zones.items() %} {% if zone.enabled | default(true) %} - domain: {{ domain }} -{% if "notify" in zone %} +{% if zone.notify is defined %} notify: [ {{ zone.notify | join(", ") }} ] {% endif %} -{% if "acl" in zone %} +{% if zone.acl is defined %} acl: [ {{ zone.acl | join(", ") }} ] {% endif %} -{% if "master" in zone %} +{% if zone.queryacl is defined %} + module: mod-queryacl/{{ zone.queryacl }} +{% endif %} +{% if zone.master is defined %} master: {{ zone.master }} {% endif %} -{% if "dnssec_policy" in zone %} +{% if zone.dnssec_policy is defined %} dnssec-policy: {{ zone.dnssec_policy }} dnssec-signing: on {% else %} -- 2.45.2 From 2744b3b512f547e5107a13d41e7e150435a71c5c Mon Sep 17 00:00:00 2001 From: Jeltz Date: Thu, 18 Aug 2022 03:47:23 +0200 Subject: [PATCH 07/44] dns_zone: make rname relative to zone origin --- library/dns_zone.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/library/dns_zone.py b/library/dns_zone.py index 899c654..2aaa26a 100755 --- a/library/dns_zone.py +++ b/library/dns_zone.py 
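Review bot: `{% if knotd__queryacl.items() %}` calls `.items()` before testing for emptiness, and the default added in the same patch is `knotd__queryacl: []`, so rendering with defaults fails on the list; the other sections use `{% if knotd__… %}` and only call `.items()` inside the loop, so `{% if knotd__queryacl %}` matches them (with the default changed to `{}` if a mapping is intended). Inside the loop, `address: [ {{ acl.addresses | join(", ") }} ]` is emitted unconditionally while the `acl:` section guards the same line with `is defined`, so a missing list fails with an undefined-variable error and an empty one renders `address: [  ]`, which I would expect Knot to reject. The `zone:` hunk's `module: mod-queryacl/{{ zone.queryacl }}` references an id without checking it exists in `knotd__queryacl`; a comment on the variable saying ids must match would help.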
@@ -32,7 +32,9 @@ class RName(dns.name.Name): raise ValueError( "Invalid e-mail address format: {}".format(address) ) - super().__init__((local,) + dns.name.from_text(domain).labels) + super().__init__( + (local,) + dns.name.from_text(domain, origin=dns.name.empty).labels + ) class MultiRecords: -- 2.45.2 From 642b3eb80188ff82185f02860b1a6ff88aab639b Mon Sep 17 00:00:00 2001 From: Jeltz Date: Thu, 18 Aug 2022 03:47:59 +0200 Subject: [PATCH 08/44] knotd: use human times for SOA fields --- roles/knotd/defaults/main.yml | 4 ++++ roles/knotd/tasks/main.yml | 12 +++++++++++- 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/roles/knotd/defaults/main.yml b/roles/knotd/defaults/main.yml index a0d36a7..302cd0b 100644 --- a/roles/knotd/defaults/main.yml +++ b/roles/knotd/defaults/main.yml @@ -20,5 +20,9 @@ knotd__zones_dir: "{{ knotd__database_dir }}/zones" knotd__semantic_checks: true knotd__serial_policy: increment knotd__zones: [] +knotd__soa_refresh: 1d +knotd__soa_retry: 2h +knotd__soa_expire: 1000h +knotd__soa_ttl: 48h knotd__dnssec_validation: true ... diff --git a/roles/knotd/tasks/main.yml b/roles/knotd/tasks/main.yml index ce3da05..4e1948c 100644 --- a/roles/knotd/tasks/main.yml +++ b/roles/knotd/tasks/main.yml 
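Review bot: Nothing in `RName` (its docstring sits just outside this hunk) says that the domain part is now relative like every other name the module accepts, so `admin@example.com` in zone `example.com.` comes out as `admin.example.com.example.com.` once dnspython derelativizes it on output, while `admin@` yields the intended `admin.example.com.`. Suggest extending the class docstring with `The domain part is relative to the zone origin unless it ends with a dot; use "user@" for the origin itself.` so the behaviour is discoverable before the first zone is written.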
@@ -30,7 +30,17 @@ group: "{{ knotd__group }}" mode: u=rw,g=r,o= origin: "{{ item.key }}" - soa: "{{ item.value.soa }}" + soa: + mname: "{{ item.value.soa.mname }}" + rname: "{{ item.value.soa.rname }}" + refresh: "{{ item.value.soa.refresh | default(knotd__soa_refresh) + | community.general.to_seconds | int }}" + retry: "{{ item.value.soa.retry | default(knotd__soa_retry) + | community.general.to_seconds | int }}" + expire: "{{ item.value.soa.expire | default(knotd__soa_expire) + | community.general.to_seconds | int }}" + ttl: "{{ item.value.soa.ttl | default(knotd__soa_ttl) + | community.general.to_seconds | int }}" hosts: "{{ item.value.hosts | default(omit) }}" ns: "{{ item.value.ns | default(omit) }}" mx: "{{ item.value.mx | default(omit) }}" -- 2.45.2 From 86277d05c223ade88eda88791d69c6ef35192c97 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Thu, 18 Aug 2022 03:59:43 +0200 Subject: [PATCH 09/44] knotd: add knotd__soa_rname variable --- roles/knotd/tasks/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/knotd/tasks/main.yml b/roles/knotd/tasks/main.yml index 4e1948c..9e2ffec 100644 --- a/roles/knotd/tasks/main.yml +++ b/roles/knotd/tasks/main.yml @@ -32,7 +32,8 @@ origin: "{{ item.key }}" soa: mname: "{{ item.value.soa.mname }}" - rname: "{{ item.value.soa.rname }}" + rname: "{{ item.value.soa.rname | default(knotd__soa_rname + | default(omit)) }}" refresh: "{{ item.value.soa.refresh | default(knotd__soa_refresh) | community.general.to_seconds | int }}" retry: "{{ item.value.soa.retry | default(knotd__soa_retry) -- 2.45.2 From b9dd74af402162b2091b510353af3f8aa5031804 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Thu, 18 Aug 2022 16:32:56 +0200 Subject: [PATCH 10/44] dns_zone + knot: rename some fields + add record types --- library/dns_zone.py | 63 ++++++++++++++++++++++++++++++----- roles/knotd/defaults/main.yml | 2 +- roles/knotd/tasks/main.yml | 7 ++-- 3 files changed, 61 insertions(+), 11 deletions(-) 
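Review bot: The SOA timers now go through `community.general.to_seconds`, which makes the role depend on the `community.general` collection, and as far as this series shows no `requirements.yml` or `meta/main.yml` declares that, so a control node with only ansible-core fails at template time with an unknown-filter error. Add the collection to the role's requirements (or a `collections:` entry) and mention it in the role's README. The rendered values reach the module as strings and rely on the option's `int` type to coerce them, which works but deserves a one-line comment on the first of them, e.g. `# rendered as a string; dns_zone coerces it via its int option type`.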
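Review bot: `knotd__soa_rname` is introduced only as a fallback inside `default(...)` and is not added to `defaults/main.yml` in this patch, so the variable the subject announces is undocumented and undiscoverable from the role's defaults; a commented entry such as `# knotd__soa_rname: hostmaster@  # optional fallback for zones without soa.rname` would fix that. Because `rname` is a required option of the module, the inner `default(omit)` means a zone with neither value fails with the module's required-argument error rather than a role-level message; if that is the intended behaviour, a short comment on the `rname:` line saying so saves the next reader a round trip.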
diff --git a/library/dns_zone.py b/library/dns_zone.py index 2aaa26a..58878e0 100755 --- a/library/dns_zone.py +++ b/library/dns_zone.py @@ -13,10 +13,13 @@ import dns.rdatatype import dns.rdtypes.ANY.CNAME import dns.rdtypes.ANY.MX import dns.rdtypes.ANY.NS +import dns.rdtypes.ANY.PTR import dns.rdtypes.ANY.SOA +import dns.rdtypes.ANY.SPF import dns.rdtypes.ANY.TXT import dns.rdtypes.IN.A import dns.rdtypes.IN.AAAA +import dns.rdtypes.IN.SRV import dns.serial import dns.zone from ansible.module_utils.basic import AnsibleModule @@ -67,14 +70,25 @@ class AAAA: ) +@dataclasses.dataclass +class PTR: + target: dns.name.Name + name: Annotated[dns.name.Name, MultiRecords] = dns.name.empty + + def rdata(self) -> dns.rdata.Rdata: + return dns.rdtypes.ANY.PTR.PTR( + dns.rdataclass.IN.IN, dns.rdatatype.PTR, self.target + ) + + @dataclasses.dataclass class CNAME: - address: dns.name.Name + target: dns.name.Name name: Annotated[dns.name.Name, MultiRecords] = dns.name.empty def rdata(self) -> dns.rdata.Rdata: return dns.rdtypes.ANY.CNAME.CNAME( - dns.rdataclass.IN.IN, dns.rdatatype.CNAME, self.address + dns.rdataclass.IN.IN, dns.rdatatype.CNAME, self.target ) 
@@ -82,25 +96,36 @@ class CNAME: class MX: exchange: Annotated[dns.name.Name, MultiRecords] name: Annotated[dns.name.Name, MultiRecords] = dns.name.empty - priority: int = 10 + preference: int = 10 def rdata(self) -> dns.rdata.Rdata: return dns.rdtypes.ANY.MX.MX( dns.rdataclass.IN.IN, dns.rdatatype.MX, - self.priority, + self.preference, self.exchange, ) @dataclasses.dataclass class NS: - address: Annotated[dns.name.Name, MultiRecords] + target: Annotated[dns.name.Name, MultiRecords] name: Annotated[dns.name.Name, MultiRecords] = dns.name.empty def rdata(self) -> dns.rdata.Rdata: return dns.rdtypes.ANY.NS.NS( - dns.rdataclass.IN.IN, dns.rdatatype.NS, self.address + dns.rdataclass.IN.IN, dns.rdatatype.NS, self.target + ) + + +@dataclasses.dataclass +class SPF: + data: str + name: Annotated[dns.name.Name, MultiRecords] = dns.name.empty + + def rdata(self) -> dns.rdata.Rdata: + return dns.rdtypes.ANY.SPF.SPF( + dns.rdataclass.IN.IN, dns.rdatatype.SPF, self.data ) @@ -115,6 +140,25 @@ class TXT: ) +@dataclasses.dataclass +class SRV: + target: Annotated[dns.name.Name, MultiRecords] + weight: int + port: int + priority: int = 10 + name: Annotated[dns.name.Name, MultiRecords] = dns.name.empty + + def rdata(self) -> dns.rdata.Rdata: + return dns.rdtypes.IN.SRV.SRV( + dns.rdataclass.IN.IN, + dns.rdatatype.SRV, + self.priority, + self.weight, + self.port, + self.target, + ) + + @dataclasses.dataclass class SOA: mname: dns.name.Name @@ -122,7 +166,7 @@ class SOA: refresh: int retry: int expire: int - ttl: int + minimum: int serial: int = 1 name: Annotated[dns.name.Name, MultiRecords] = dns.name.empty @@ -136,7 +180,7 @@ class SOA: self.refresh, self.retry, self.expire, - self.ttl, + self.minimum, ) @@ -259,6 +303,9 @@ def main() -> int: "txt": TXT, "a": A, "aaaa": AAAA, + "srv": SRV, + "spf": SPF, + "ptr": PTR, "cname": CNAME, "mx": MX, } diff --git a/roles/knotd/defaults/main.yml b/roles/knotd/defaults/main.yml index 302cd0b..00b1a86 100644 
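Review bot: The new `SPF` class publishes the SPF RR type (type 99), which RFC 7208 §3.1 deprecates: receivers are expected to read the `v=spf1` policy from TXT only, so a zone whose policy is given only through the `spf` option ends up with no effective policy. Either document on the class that the same string must also be given as `txt`, e.g. `"""Legacy SPF RR (deprecated by RFC 7208 §3.1); publish the policy as TXT as well."""`, or drop the type from the role's public options. In `SRV`, `priority: int = 10` sits between the required fields and `name` and differs from the usual 0; a short comment on why 10 is the default would save the next reader a lookup.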
--- a/roles/knotd/defaults/main.yml +++ b/roles/knotd/defaults/main.yml @@ -23,6 +23,6 @@ knotd__zones: [] knotd__soa_refresh: 1d knotd__soa_retry: 2h knotd__soa_expire: 1000h -knotd__soa_ttl: 48h +knotd__soa_minimum: 48h knotd__dnssec_validation: true ... diff --git a/roles/knotd/tasks/main.yml b/roles/knotd/tasks/main.yml index 9e2ffec..3dc6140 100644 --- a/roles/knotd/tasks/main.yml +++ b/roles/knotd/tasks/main.yml @@ -40,14 +40,17 @@ | community.general.to_seconds | int }}" expire: "{{ item.value.soa.expire | default(knotd__soa_expire) | community.general.to_seconds | int }}" - ttl: "{{ item.value.soa.ttl | default(knotd__soa_ttl) - | community.general.to_seconds | int }}" + minimum: "{{ item.value.soa.minimum | default(knotd__soa_minimum) + | community.general.to_seconds | int }}" hosts: "{{ item.value.hosts | default(omit) }}" ns: "{{ item.value.ns | default(omit) }}" mx: "{{ item.value.mx | default(omit) }}" cname: "{{ item.value.cname | default(omit) }}" txt: "{{ item.value.txt | default(omit) }}" a: "{{ item.value.a | default(omit) }}" + spf: "{{ item.value.spf | default(omit) }}" + srv: "{{ item.value.srv | default(omit) }}" + ptr: "{{ item.value.ptr | default(omit) }}" aaaa: "{{ item.value.aaaa | default(omit) }}" when: "item.value.master is not defined and (item.value.enabled | default(true))" -- 2.45.2 From 9f8dcecf63591c6a8a9c471746e06689c39ac221 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Thu, 18 Aug 2022 16:35:16 +0200 Subject: [PATCH 11/44] dns_zone: ensure zone files are sorted --- library/dns_zone.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/library/dns_zone.py b/library/dns_zone.py index 58878e0..9b489a3 100755 --- a/library/dns_zone.py +++ b/library/dns_zone.py 
@@ -293,7 +293,9 @@ def make_records(args, ty): def zones_eq(lhs: dns.zone.Zone, rhs: dns.zone.Zone) -> bool: """Returns a `bool` indicating whether two `dns.zone.Zone`s are equal w.r.t. their text representation.""" - return lhs.to_text(relativize=False) == rhs.to_text(relativize=False) + return lhs.to_text(relativize=False, sorted=True) == rhs.to_text( + relativize=False, sorted=True + ) def main() -> int: @@ -365,7 +367,7 @@ def main() -> int: changed = current is None or not zones_eq(zone, current) if changed: - zone.to_file(module.params["path"], relativize=False) + zone.to_file(module.params["path"], relativize=True, sorted=True) changed = module.set_fs_attributes_if_different(file_args, changed) -- 2.45.2 From b1f26f2cd776b418299b8f645e43f6a06bfc23a5 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Thu, 18 Aug 2022 19:50:35 +0200 Subject: [PATCH 12/44] knotd: fix knotd__queryacl type --- roles/knotd/defaults/main.yml | 4 ++-- roles/knotd/templates/knot.conf.j2 | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/knotd/defaults/main.yml b/roles/knotd/defaults/main.yml index 00b1a86..3690280 100644 --- a/roles/knotd/defaults/main.yml +++ b/roles/knotd/defaults/main.yml @@ -15,7 +15,7 @@ knotd__cds_cdnskey_publish: rollover knotd__acl: [] knotd__acl_update_owner: name knotd__acl_update_owner_match: equal -knotd__queryacl: [] +knotd__queryacl: {} knotd__zones_dir: "{{ knotd__database_dir }}/zones" knotd__semantic_checks: true knotd__serial_policy: increment @@ -23,6 +23,6 @@ knotd__zones: [] knotd__soa_refresh: 1d knotd__soa_retry: 2h knotd__soa_expire: 1000h -knotd__soa_minimum: 48h +knotd__soa_minimum: 1d knotd__dnssec_validation: true ... diff --git a/roles/knotd/templates/knot.conf.j2 b/roles/knotd/templates/knot.conf.j2 index 0a4cebe..ded966b 100644 --- a/roles/knotd/templates/knot.conf.j2 +++ b/roles/knotd/templates/knot.conf.j2 
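Review bot: `zone.to_file(module.params["path"], ...)` still writes straight into the live zone file, so a crash or a full disk mid-write leaves a truncated zone for Knot to pick up on its next reload; the usual module pattern is to render into a temp file in the destination directory and `module.atomic_move()` it into place, after which `set_fs_attributes_if_different` on the next line still applies. The hunk also flips `relativize` from False to True without the subject mentioning it; `to_file` emits no `$ORIGIN` unless `want_origin=True`, so the file is only loadable by a reader that supplies the origin, which is worth a comment if intended. `main()` starts and ends outside the hunk, and the rewrite below needs `os` and `tempfile` imported at the top of the file.

```python
    if changed:
        # Render to a temp file next to the destination and rename it into
        # place so a partial write can never be loaded as the zone.
        fd, tmp_path = tempfile.mkstemp(
            dir=os.path.dirname(os.path.abspath(module.params["path"])),
            prefix=".dns_zone.",
        )
        with os.fdopen(fd, "w") as tmp:
            zone.to_file(tmp, relativize=True, sorted=True)
        module.atomic_move(tmp_path, module.params["path"])
    # … unchanged: set_fs_attributes_if_different and result reporting …
```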
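Review bot: `knotd__soa_minimum` goes from 48h to 1d in a commit whose subject is the `knotd__queryacl` type fix; the SOA minimum is the negative-caching TTL (RFC 2308) for every managed zone, so this changes how long resolvers cache NXDOMAIN answers and deserves its own commit or at least a line in the message. A comment beside the default, `# SOA minimum = negative-caching TTL (RFC 2308 §4), not a record TTL`, would also stop the value being read the way the old name `knotd__soa_ttl` invited.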
@@ -90,7 +90,7 @@ acl: {% endfor %} {% endif %} -{% if knotd__queryacl.items() %} +{% if knotd__queryacl %} mod-queryacl: {% for id, acl in knotd__queryacl.items() %} - id: {{ id }} -- 2.45.2 From e36e31d18b54e00c66824aea87dd4c948f825f4f Mon Sep 17 00:00:00 2001 From: Jeltz Date: Thu, 18 Aug 2022 21:23:48 +0200 Subject: [PATCH 13/44] remove playbooks/knot.yml --- playbooks/knot.yml | 17 ----------------- 1 file changed, 17 deletions(-) delete mode 100755 playbooks/knot.yml diff --git a/playbooks/knot.yml b/playbooks/knot.yml deleted file mode 100755 index 43b59c3..0000000 --- a/playbooks/knot.yml +++ /dev/null @@ -1,17 +0,0 @@ -#!/usr/bin/env ansible-playbook ---- -- hosts: all - roles: [] - -# WIP: Deploy authoritative DNS servers -# - hosts: authoritative_dns -# vars: -# service_repo: https://gitlab.crans.org/nounous/re2o-dns.git -# service_name: dns -# service_version: crans -# service_config: -# hostname: re2o-server.adm.auro.re -# username: service-user -# password: "{{ vault_serviceuser_passwd }}" -# roles: -# - re2o_service -- 2.45.2 From 4a29c317a5d02491e49f89c99fb30fc3dacfa77a Mon Sep 17 00:00:00 2001 From: Jeltz Date: Thu, 18 Aug 2022 21:24:12 +0200 Subject: [PATCH 14/44] knotd: hide version in chaos txt --- roles/knotd/templates/knot.conf.j2 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/knotd/templates/knot.conf.j2 b/roles/knotd/templates/knot.conf.j2 index ded966b..5ce8bdc 100644 --- a/roles/knotd/templates/knot.conf.j2 +++ b/roles/knotd/templates/knot.conf.j2 @@ -6,6 +6,8 @@ server: {% for listen in knotd__listen %} listen: {{ listen.address }}@{{ listen.port | default(knotd__port) }} {% endfor %} + version: "" + identity: "" log: - target: syslog -- 2.45.2 From 126d0f49dfd2362fa28b4c423e6e1857e2885e5b Mon Sep 17 00:00:00 2001 
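Review bot: `version: ""` and `identity: ""` are added without a comment, and a reader of the rendered config cannot tell an intentionally empty value from a templating bug. Per the Knot DNS reference these keys feed the CHAOS-class `version.server`/`version.bind` and `id.server`/`hostname.bind` TXT answers and an empty value disables them, so a Jinja comment above the pair, `{# empty value disables the CH TXT version/identity answers (server fingerprinting) #}`, records the hardening intent. Exposing them as role variables that default to `""` would let an operator opt back in without editing the template.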
From: Jeltz Date: Fri, 19 Aug 2022 04:44:04 +0200 Subject: [PATCH 15/44] dns_zone + knotd: add 'reverse_hosts' option --- library/dns_zone.py | 14 +++++++++++++- roles/knotd/tasks/main.yml | 1 + 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/library/dns_zone.py b/library/dns_zone.py index 9b489a3..f61af00 100755 --- a/library/dns_zone.py +++ b/library/dns_zone.py @@ -20,9 +20,11 @@ import dns.rdtypes.ANY.TXT import dns.rdtypes.IN.A import dns.rdtypes.IN.AAAA import dns.rdtypes.IN.SRV +import dns.reversename import dns.serial import dns.zone from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils.common.validation import check_type_list class RName(dns.name.Name): @@ -250,12 +252,20 @@ def product_dict(dct, keys=None): def make_hosts_records(hosts): for host, addrs in hosts.items(): - for addr in addrs: + for addr in check_type_list(addrs): name = dns.name.from_text(host, origin=dns.name.empty) decoded = ipaddress.ip_address(addr) yield AAAA(addr, name) if decoded.version == 6 else A(addr, name) +def make_reverse_hosts_records(hosts): + for host, addrs in hosts.items(): + for addr in check_type_list(addrs): + name = dns.name.from_text(host) + reverse = dns.reversename.from_address(addr) + yield PTR(name, reverse) + + def make_records(args, ty): # TODO: Ça n'est pas du tout élégant, mais : # 1. je n'ai pas réussi à spécifier dans `argument_spec` un type tiers @@ -321,6 +331,7 @@ def main() -> int: "options": spec_options_of_type(SOA), }, "hosts": {"type": "dict", "default": {}}, + "reverse_hosts": {"type": "dict", "default": {}}, } for name, ty in record_types.items(): @@ -348,6 +359,7 @@ def main() -> int: records = itertools.chain( make_records(module.params["soa"], SOA), + make_reverse_hosts_records(module.params["reverse_hosts"]), make_hosts_records(module.params["hosts"]), itertools.chain.from_iterable( itertools.chain.from_iterable( 
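Review bot: `make_reverse_hosts_records` never checks that `dns.reversename.from_address(addr)` falls under the zone's origin, so an address from another prefix yields an owner outside the zone; dnspython's zone API rejects such names with a `KeyError`, which presumably reaches the user as a traceback rather than a `fail_json` message (the code that inserts the records is outside this hunk). Passing the origin in and failing early, `if not reverse.is_subdomain(origin): raise ValueError(f"{addr} is not inside zone {origin}")`, gives an actionable error. The forward name is built with `dns.name.from_text(host)` (root origin, absolute) while `make_hosts_records` uses `origin=dns.name.empty`; that asymmetry is right for a PTR target but deserves a line such as `# PTR targets must be absolute: a host without a trailing dot is anchored at the root`.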
diff --git a/roles/knotd/tasks/main.yml b/roles/knotd/tasks/main.yml index 3dc6140..5fee857 100644 --- a/roles/knotd/tasks/main.yml +++ b/roles/knotd/tasks/main.yml @@ -43,6 +43,7 @@ minimum: "{{ item.value.soa.minimum | default(knotd__soa_minimum) | community.general.to_seconds | int }}" hosts: "{{ item.value.hosts | default(omit) }}" + reverse_hosts: "{{ item.value.reverse_hosts | default(omit) }}" ns: "{{ item.value.ns | default(omit) }}" mx: "{{ item.value.mx | default(omit) }}" cname: "{{ item.value.cname | default(omit) }}" -- 2.45.2 From c775a48ca855fc5972d609e40275317854149683 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Fri, 19 Aug 2022 04:57:27 +0200 Subject: [PATCH 16/44] net_utils: add miscellaneous Jinja2 filters --- filter_plugins/net_utils.py | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 filter_plugins/net_utils.py diff --git a/filter_plugins/net_utils.py b/filter_plugins/net_utils.py new file mode 100644 index 0000000..2fd4560 --- /dev/null +++ b/filter_plugins/net_utils.py @@ -0,0 +1,28 @@ +import ipaddress + +import dns.name + + +class FilterModule: + def filters(self): + return { + "add_origin": add_origin, + "add_origin_keys": add_origin_keys, + "ip_filter": ip_filter, + } + + +def ip_filter(addresses, networks): + if isinstance(addresses, dict): + return {k: ip_filter(v, networks) for k, v in addresses.items()} + ip_networks = [ipaddress.ip_network(n) for n in networks] + ip_addresses = [ipaddress.ip_address(a) for a in addresses] + return [str(a) for a in ip_addresses if any(a in n for n in ip_networks)] + + +def add_origin(name, origin="."): + return dns.name.from_text(name, dns.name.from_text(origin)).to_text() + + +def add_origin_keys(dct, origin="."): + return {add_origin(k, origin): v for k, v in dct.items()} -- 2.45.2 From bb2590358d6510e00e9a0291a796727524371569 Mon Sep 17 00:00:00 2001 
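Review bot: `ip_filter` handles a dict and a list but not a bare string: a single address passed as a scalar is iterated character by character and `ipaddress.ip_address("1")` raises ValueError from inside the filter. A guard before the comprehensions, `if isinstance(addresses, str): addresses = [addresses]`, covers the common case of a scalar inventory variable. `ipaddress.ip_network(n)` is also strict by default, so a network written as `10.0.0.1/24` fails; if host bits are acceptable for operator-supplied filters, `ipaddress.ip_network(n, strict=False)` is the usual choice. None of the three filters has a docstring; one-liners such as `"""Keep only the addresses contained in one of *networks*."""` and `"""Qualify *name* against *origin* and return it as absolute text."""` would document the contract.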
From: Jeltz Date: Fri, 19 Aug 2022 04:58:14 +0200 Subject: [PATCH 17/44] vault: add TSIG keys --- group_vars/all/vault.yml | 501 ++++++++++++++++++++------------------- 1 file changed, 256 insertions(+), 245 deletions(-) diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml index a70c389..5b9af2d 100644 --- a/group_vars/all/vault.yml +++ b/group_vars/all/vault.yml 
@@ -1,246 +1,257 @@ $ANSIBLE_VAULT;1.1;AES256 -64313161633263303464663933363265373935633862653634643862343232643432343966376438 -6134633764383937373966346538306530316539303966320a363035303038616435383366656532 -39346463396563626166333362306464343836386365303836356461323663633831636562393039 -3832636432626238350a666566323435623834396166656233306639333830343130326265616234 -61666365663963643437386530363261306438376665386463376366363662656161316263303831 -61393136363934316462616131326463333736656136643038623061313363386538393833663637 -36373565333566306632313865646538633532393731313430633462666334323762653337383338 -63313433333835653366363061343839326131666139346563306366656365316663333438363837 -33323165353936343165646464306434303161313139653561346461653537616164623434376534 -33666662343734633766356230383761353239333632613031396365346536373432363433633564 -61633762393033343336373864653438336436613630366539333731383336346665313732396265 -32356138666135383562656366353131366436363464643630656130303437623131333239386363 -66373866393064306565306565386230373638633733326661333065633136633130323963323765 -30353262323835313365383562326363343965636634376133613331363133313030346561653931 -39363636636235646131353034663861336362383263613165323230366439383561653165363764 -65366130623362623539393461363832353435616266393036386439303834316635366438393936 -33383933366262636232383066663130383965306137356363363539633661373664613738336539 -31363131616135623039346465623530376533386263343836376662316562386530336266303062 -64386531303938623939653635313163633261336339366139666135323130653862346132646636 -30363065303235346331333434653331646333616337623562643564366435613938643235333664 -30626164373030303237656366623631396138333265383566333664663061613536666363623630 -61623362383439636239336234333161366635306432363230366630383836326330343932303863 -39393232373831363863333332636362396639663831656266336430313837666463336439353332 
-63303036633433323439613535326663633332346565646338353761363733643766363132666365 -34303865656262303563323665363730663062626537363461646363636461633762663237366366 -64393133656464643065633634313261336662646435313735306266316132636530393631353830 -61303939373363323131316463333136326365333430626266376636356130396239323464353937 -64616232373532396334343433636332353530386662633164353235626361623164313039336666 -31636434666437393839393133633961373139313663616366373239386163623064373836376164 -62316638366366376134386231306435616138656461373633393339653532363434393834393430 -37363335623934306661333135343266663464623438353665613330356236323036363139643064 -62383934363465316338393065383935646134353230376131613935613431656333383565353134 -34643866353131653061623236306536363163373639396564336434653839346263303930633663 -39393935636235313431303032336361313730373238333732626465346662363038636361383631 -65393433346363366337383233646166306339653533646632623262376630383265393438326135 -31643039333835666338383762336163336337343532393063323165636531353361613731363065 -65303637396332613432663636326334646635346237396461636366356133303333306239393739 -34353966653662346230383865643231313239626533643761366162613164333132373636623237 -32356335643766646266646266633366363165373861306433316561363166363865303133633939 -34633132343438363034323638376666313061383965323566646463653163313235373364386666 -62393865373137343237306637363536383939303833663532396333313931336162333837613935 -66383266343735396337663936333162323738383264376533316536376563396333343263643931 -65646535363337373865353265306434356432353066656665366638353331366334366339613538 -32373637633564613861626538373365336362313434633137613966353861393462623862663330 -64386431373066306334383863366133333564373163386433313231363366393830343230323734 -61633962356637326538336663386330653563353763663236623539363630626363323237333237 -30656139626561313064323330373032323031343137366638303966313832646365666238326337 
-63306363613361653933306234386163383837666430616663383664386563323839326232383761 -35373539626438356539393266653864353066633365383437623437356464383335383039343137 -61373539343631373932373033656233323964353666626162386537616333366562346265656238 -35396130356166303564303036383664656435626534303064653363316464616335303965376330 -61646638383138323265313631613037396561626162306661653231646230343139656135333236 -63303838316266333665636335663361656262353066666430656162323236633564313337353665 -35363565303736633564356632346632343832363934343962313030646132663566346664313632 -38393061613163356265643434626166393366366634343032626637333332316361663639623534 -62323239373639393337373537646232663531653835356165313264663561623633633830373734 -31336234613633666538373961626430316530346462343061323661353564323938353338373961 -64616637303734303333626166306330613238646265636136653939363936356165356232396436 -65353731633836363433616534636330663565643561363233396538386430393964353433616437 -36343936313936303165396236393463646363383338366238363961666530623335653234656139 -65346337663437623134376137326166323933613861663032623965643538343638376234316232 -36333065323234663263343630353739313661373536316162366532336438373263303730626464 -38613136393166626663636631363064303736666235333036616435373063363762666565363136 -38333966303831313333613831313132633062616235353365313533386236613338373130303836 -61326262313833306437366364316433393931353265326131653563656131333436376338613266 -39326632613366666136643137303635336631353230396435313537656366326239626362313833 -62653039343261613265306362323234623264366664306561663839306631663465303962386462 -39353934643562383762623937643034383534393962333466613636346637323235346438666636 -31613838313535666166663063373333653439313035346266666463623666613837313933623837 -63343565663739393764353761316432626237346234663032316131306262356233333439323961 -38646664383030303832646563393836643135303731306435383338623633626638306165386637 
-65393238653464623032336437643838333932366131656332333165376261383539386466343139 -65613733383837323832303738363664653138613830376333363038383839623463623631666237 -63363263396533353763373934373034643763376665316638353435663635346135333265363235 -62663432343935343964626432353563313036303761393039386231343530663737633466643035 -65343835353037643539316439666666633866356530363237373230373439373133313337653237 -66613631373637313534353862653437393234363365323032393035376438616264336661616262 -37336435326135373065353564383637626637343532396331623334643139386364316431376435 -36356566363033636539363430356565373039363863396565643730656531346364626334393436 -33343839303538383530363231366166623233333730323163323432373831313639626337346230 -30333930333064393337616564386163623436613933623466353933393733346339383534633239 -30633365313364666566643533326163336330323232353533316633313739343035383465376330 -65356139386463633565366132383832643032333234633964373437633836343435393631396166 -34633439643764623936366536353931646132373539326238303761383339643661616266646130 -30393166393465326365393130636136336433623262346435353936306133616135653734383635 -65393530633836613937346430366337626365363361663533313837363063396538663766646566 -63373639653732353135343562353266316164303863336365303635653464393232613939396131 -30636361343932663233663566656131363938656161623966316366656561343166336532613666 -65613534663762353662353262623634616264373964316336626166353330303539356130646166 -63643435353765633766626165643465386331333637366562393861613834323464363932306430 -32643836646266643031396262626136313363623663366430376432373036643835653863323631 -30613164326430633664306630333632363931656135643465363439376263386561383534633666 -64323763656466343064396639313264386239356664663461333166626332326536623132333434 -62303261643164643330333662623935383037353338306135613737306563326336336162633138 -33623066373265663362303133363032343933306336396466383034636131333837313333326531 
-39336163313633623639303462313763656632633030336236643030343262653366633939643536 -31636535393864663363353930363761623264343630396336396431663330323436613462633136 -37336464353730643566393432343762333336653932333366636265343663323462626232623635 -34346136333630363539633666316561376266373032373961313437653564636537656630303261 -37313639333233333365383763333061373730623939303530303832646365323739356564626137 -35633366393636376463393961333830343232363266633931613332643134643234303733373466 -35323831623931633436626636346431303965663639666566623433383736633834626330303265 -37353337656233663938663839373931623137666662623266336537383631626631306235363064 -33313564316438633139336261623736336336326239376630316335313631376132646563333430 -33656432643130643832343065353834633366363339353964623762666564633835633636313731 -63353637636165663136623736343234393038313235333363643237643566623766393838386635 -33646233623032653233336266636335666233353032303837663162303939383262373761623261 -35366661363966346233633739663635353361303264356534366235616164316138623730623632 -62316362623736396264366632373661373835393434343364353431316362666235616635633566 -64353530633334393737346663653562346335323065356665643132353738363132623031353664 -66666639326238386634363664356664343161386435323736316636343536326435303066353035 -37363731613138393333636562386363333932386362303139643262386237353863363764643139 -64616561373239346464623165616332623434303433626638376232333733646136376431626438 -66613134343639656331626630303030366133356636663735353466353834613430356265386162 -66613332663232623438636661306332613162666561353537313336643134663664306630636639 -61613363353264373831393962333631383236666130646333336431303735333165656438363432 -38396530333631636135653534393531326434306362396237366430383166323832336434376364 -38393431646338316232373431613930326532646333386435303034356564336665346133393866 -61643533643361646265313334633463616437393437653935613261366635616430313064346532 
-32363831613565313836376338646466323130373032613863323037323566643164653132633735 -65636562653535626461396666643330386333663137613333643165656336633038323036373162 -31376338613862333334643561313332326237646565633934323032626662633631633033623063 -63306664656437663732323339383735306132616531373865323835633264333639336163366466 -33373433653839393638323034623835643531393266306331313563613265616633353763653438 -65363532653163303861383531356639316331343531666666636336373634636134633331366364 -62366230366435323435613964636533353236373935626632623536396664313264653031623062 -33366166343630313839366262313234346262343336386538336335393835646138666330656361 -61313936323838653832633130346539636363613838343363663431623063333933383466353938 -65383361333561383631643938613862343236346233363466333237316339616362366565306639 -39356563656132303463346138356435303038303165363935343266396462326365363262393336 -37396235366639623761366239386165613065626431633733306234343866663266633631656237 -63643430383433393835663635356265636635363137613064353066313338346436356632346265 -38393730336465396263373137383238653337396364643061303234666266663064663265383434 -36636138643432373633313038393737663735363838396164366234643533633762383062353831 -66326231363337323666386263373438656630346336663239643030386434636264666634393631 -39313364333761343532346165396365306463393037643935666363323630326664616638313338 -39396336653738353333343835363861643166376565346463303135376439336134666235623230 -32363031303732666133386164313437366164326539373564623236356432303132633436323563 -36323634373538376133613736633133356638323861636434646465643432636366376138636232 -63633830613462613831313938326339343632393038376639623131366364623536353338363439 -32613331623863336165636364616634303264356630303665383638663737343836663831363263 -63366562393734323030306436346534626530656465396535323835316139633562363830373437 -63626530326530383538623165356532303862353763326432373966626436303465373431373762 
-38613539623164353732623636376630643465343839666531306438326633343362306665366132 -39396537366266353864656232616334336130333337306463313932393832653661343036396261 -64613461633433356334623631643861303133383963336635623138326139613564343838366565 -36343130353462333162313736636139306233366466626231306561626335396262663531333839 -61336437343137356335633764373730306466326133356331333530353537616661373062656438 -35356235666464656466323937353837623535643937383866666133383633396563333338633034 -38366531613164363966323137646237393135383164643230663331306335636432656565633636 -34343031633632346533353666353034666266666561346464306665386634313263323333653330 -66323033393531343633356466613837346164393332613037636465343230623731616361336338 -61373332373636646435353734386366613334323161626437396232613534613330613532323534 -65653065386432313733663165616333663666363733623162306536303833663136353334656466 -64353931363838613761663561666639373865393438396565626661343934353662363834636535 -65363664393433313036383438643864663339626331343230343337316437336634636363303563 -35373539383535353235633730386232363539616632336566376264393832383637663330613133 -37643261363966633138373935333438393536373938383265373261363232343030373539366335 -61633162663137643061363366653135323639363838626266386262666133306461333432313738 -30313332626166303630363839396663396564633961383863326663356230343938643833303933 -34333032353935323565346633363537656639613663356130383264373739636231363364613066 -36653664346434393933383337313630623131396461343930383537633536643365306564396665 -31353861643335353538623838393335326364393738376239623431306231363739656438626265 -37666532336661306262303761616238666239623265663231386165353437366631376234343035 -33393037316563373534373765616238616639303031346430623561663430393536303163613338 -65353062336164626335376235656235343637366438353334356436653266333062663838316263 -32623732306462356162623437393035626433336631643833626463656634366332613936346465 
-34653331363133373635633330363564333264623566613432383439396537343963653239336265 -33326132663434363065646265646130333935303662623037363938313464366564323734333437 -36336335303738643634653164306332636130316161393335656536386131396662616366383139 -36663863343736666665363337663537326330323437346565346465326231366563643136366365 -37636361343961326261336437616266373962643765346438333766306537303137353764396330 -39626635373631353635313935363834363730386132376363663462653330623130663266373432 -65343237326535613535386363396236336536366165306463643162346638623638373433646163 -62613935363636353639623839396231393838303135346536383037353636613563323234626131 -64373666303436393861373164376564646235366131343433623733663832653039393738343537 -65323534343464613230346532623966616462353532373064623566626563336464326336393364 -39626237646431313135323036303065343138616632343237396136366332636132303037376132 -33623031623635653162616265316366663262373666636638386130643336383130643232643662 -34326663343562613962343033396332303261636230353331313730336630633461333736626333 -66636430643330383032646634396133626339623036333963396662313234623466366634636334 -33373762386662613966353664346239666133656435353365653536356331613632666132376264 -62613433366633663065306166396166633836306139376533396165393966323465303638373563 -63326330323161303065643365343363313338326238363137663139613463613434643834613662 -64663365633965653363633165653038333335333232633434323037643936646561376431626230 -66356138373136366134373533386634373061666330663364376336383433306331386162393633 -33636330643531396464313736363061303466393861613730323563626363643731333633366532 -64646130636234653566346533323962353332653335336239353630633535623935396638663366 -37383661343636613261623833653032373764653164346634663431653664636233323734666166 -36373664306566663930353338366431623563396166356638626166333165623263636336613138 -34343936393964666564306637346561393538383137663162663630336462656663316338376236 
-63633666333263663734353861633164653132663334306664643133663736663766626639393236 -32653430333163313363343731666135656662363838366132383732346130313130363365656263 -32643533393163376264653632663262353966306630333064313932616262323134326361633764 -63383837303936616434616630653833653833623263623532306363373836323431393335623530 -34316562343035326265333164643163356230643639373431326431303538346363376332373434 -31313666313663343363353130306561646136393732663164393232636330663635346434343134 -33663138663336636430373763396435323138373633666438623234363631336232366635366532 -62616239663934653462656163326134303261376635323864633435383666363065656665303538 -62626538343638366236646136363232373437336630383739656438636465326531646664366462 -36353663626634386538336239623734323234393463313034303837363164363263623065613061 -38333162646232366339333662313965663336613238386530393162346266636532353433656136 -66326436323836376432313238613165373565643233333435393361636637653361616435393438 -32383763393561343734643438346635613663393736613839623263663866336165343235663933 -66623137616561313462653631613830363666653635336534643935373739353138363934656134 -35663063396162623432373534333463376231666466393963336231653939326663396336383735 -34633763336163313432616163313638623963306666643432306661393632346339373963633265 -32303862643661376433356661383335313365306534663534396638313531373538326236636363 -37626138333437393363323261336663653163643565303063313231346131376261653763356631 -62306262336337366134626632333663363139393131306666303235303761623665356431646234 -33666461663035303066353137623762653565353533613435663839396238336337333463636465 -38353135356634626137376232613330393235383432356436393030313564306537616363383136 -66356463373138313661373565326565343066643133633630313031303132313031663739316631 -66666631386163313034306532393862393930653931363235396662366262636466363464396466 -61303962303066633764393831396632626233343633313061323838623134373036393164633139 
-30303861636335636131376334376239636235653233323435623262366132663934613661333135 -61386136326435363337316363666330363431613135663661303438383664663930656564373730 -32373731393666333364633835646431646662313232383136616238303264383438663766356462 -32346664376430663934626661663039656461383738626265346162393861346163656161323333 -39323666643031376530303230626166613233383731363766373634623430633635303963313466 -34646331363539636133373134353535356265393265393635323532323134643034343663636362 -38633261613433393634396234396265623063346138363133646532366638306632396464646432 -61373961383438386535336131393633303430346162613738343839653038303035303033626535 -37343030623530333332306265373539633735616634663666356437303862636338363866613861 -38346130336338373865343866306665616530313938616366346131376262346135323537663137 -39383366313766666234323234363937623264353532323033363966313135653163343036666262 -34393832613034383239393930383063336131356364303231323966303633333331633666373764 -65383137333965663234663933303231356165376233326233303035316536666563656363343933 -36633039666432643135636331353932633164633964623661373739633665313433306561303637 -62373534346562363132643063643732343462653838393635343266626535353864656437313434 -34376538303965616539626534613431623834376337643936613137323031323139393762636463 -66346664666361623636666533663037613434353135393862376633636233656330366136646434 -30653735323961383130393763333630306131376430363436623238646632363462383739653636 -37346566663039383866323639633565366338353438386461616239313639343766333661346435 -33316538366463383733346663316564656566656165396465393461363061613239666165346661 -62346639623163363762366431313831663135643062336363323336303737393437653863303665 -36643466336566336236353166333063633830646461626262333937316162353365353130353535 -30383164363532363532306364393236303537383139643431393962333063633162313033613561 -32323434336364343061386666616639336566373461633462393130336461303531353436623065 
-65663430623066336533373662306566396263376562343936666166626666323964373334613835 -64633535303365643564626562643562636363363834353865353765356665643965663861366436 -63333736613232353130616466316637613966646139323565356537666331666564623832333439 -36376131663431616430616265323039646432393166613631313762613264313765323231663961 -65616636306362386534626130636261636566626365643630616135323634343935653033653433 -3061 +62373961613635353532306262363831376166643431323062383634366138653036373730353036 +6664653637356662343538306261353838306637663765320a336436333964643464613339366238 +66323438363935303839633534373464333236663536396233316162363439393030303637306462 +3661346138396534340a626164643334376137633738343130653531393630663030663234626433 +62623063623538323262643863373062323537663164623535343262346235323865613361643034 +37373562343366323134303836633634613837356165323566343062373730336639386137306164 +64366661343562623734396363346339643438613865653730396635636264666164623533656534 +39313462363539313866633663333639343766313338376162363135396235356133373837623930 +64316661316339343439383365303664393631643164623161613262613839346634333434653264 +65656466383063386163353135663632303665323238626139363330383363306130623535303834 +31636265623366326438373163633566626438383633326430303862353838383636363866326131 +64656366646534333739326264663330323836353266393063356134373366366235613534353636 +30633364343738393230623338663532623531303564613766326436336562633338313337396664 +65376135633334346261313835646361303362616535346538623634383338626363646637376261 +66383336363065353932656231343231613963303934643637656637323135376238376235383838 +35386333363033306332373030353332303635633164363135633431343566373338623437626331 +61653435653135663331313536386166336137636336333861656131613863386162343639363935 +39643763653633363663626266663036313961663062626333633666356363363961643231663033 +32386438646365613438343130313465383266623830666631653061313238643466326337663434 
+63313664346564333163346230663331613363646566386135363063643730626435366233313130 +37343965653835636333363365653831393531326565316532663962326165366437326464663964 +65383036383261643066333938343634396337313034333466643436386665353137656661323134 +66666362393334343038353762396537346164356635373766393038656563643132363461356336 +30323063663232353431623731313564646339376364623639303231633935353730353866616131 +63343732653366613832393031646339383235616464656435653035316163313266613361646666 +31633662336332653738353661616137333537633831346137663363336235626433363834316438 +62646266383362613335376335376136663536623638353863323539393339353736336533656435 +62343263343839633837313966316538643133363764353661616136356139313630626163663233 +64363939343238623261656430653933333432383066373136313232623933616238323161316336 +36666165616661383637323832383138353963333063613566613538623430633561653532333830 +34366231323131346533616164646438366266326266616264333862343435633031333135396365 +33333331323939646431373630373334613935616337316631613065363337336136636238323066 +35653162303130373733353763623638623638323638333362653130663237396564333366616163 +35396435303133613861316464393837623837353734633331366435383263643264343164333235 +32353530373835643436633038366261386465373364303538353933346562663566663233326637 +33663165333366346630373035396237366332616435323231336333613031656161303431326633 +37386466353836646536656364343532356633343835666466353861323637643233343063323135 +32626563383433336165373363383236633936333039343731633439353331666564383166323738 +39313635636666383432623335396663386131336134613530323938316332663032663966656361 +65616334646337313637346436336232613531626434383030326164393366343366616235383439 +62303333356633656366373766666430636435303438383863343330396130396139616234313638 +31336632663661353030303736646130326565303932346432643066316434616134376135636662 +61393661633261303539393139346266303731333637363838313964616439386637633234326533 
+32323130346235306236346566306563333563653333326633363831646238353766666136346333 +37666539313265353961343762303762333463646136386331393938663463646530633932393136 +38386437646135613764313764316162346364353031313566323134336239633832303930313463 +33636164373236373138613462393937333338643230663133383132616463313731393963633262 +31303239393939383433343138393733356238386136626463336532613661623362356530323666 +39633336613532383661636334393362663833306562663664303734393466343536386661663838 +65343263643063646666616334643936396530633861373733376635303230646461396239613435 +39373131393234343761346231636363303663383835366562643664353734653530393066653230 +34656466656364303163653862616437623636626537376338376631356266666338366439656262 +33383633653965386333343933323639303265653862323936376635343037656537626165636663 +38383034383833393038363136373835636537626664353863326165643436323730623665313037 +64323634633435323434313639343538313537313030383338656635336137366133613931346133 +62356131396637323361336265373731376638636465306365366461353338663738326362616435 +61316166363536323761323631653835643132356634633738343834343839613732643263323866 +64393636353730323139383965373864376163363963323830353538613234663566633437363061 +66313765356635643136653866633432343130303661633362386665363761306165646333356330 +34393233626131646430663538663465643233356338383330316634333032353939653334653233 +37356461323261653762363730383339393130613064386366393562383739616536626366633865 +39316161643438343762306537353762333463353237303063613933343239323765386666646539 +33336165323539323261366134353466313737636338363861336664346331643464313965633530 +37393538636535303431303762336335666361663364363130376564633763373036663330383130 +31316564643336373061343033333131643362663736376436643965333066613431343936303964 +63343030653030373537396566323663383061396666313835333732646339306134613762393865 +30626431303638346137653539333236633136663137306233663236326465663662376537666435 
+31333663663833373463343163323737366536366163613733396332626230646131333662663866 +61346266396563646261353561616433613161666161363161396533313038366438366565343733 +33646462636461313639666332666338613066383862353362613563636162313238363261663762 +66613930333837643537326237633462343666323563383935366333353533386161363734623132 +37633739396161353731353234326565376564646433316638633130303033303863623166653438 +34663461643539643639383763666339643164343233343361653630373736393437633762323761 +63633264373639613439633338316166333135633436373133626434623261313333613734376366 +30366634633664383633643234663539363166656333653139366466346433323337383036393330 +38306564303131313130353765313465626537323032623233326261326565626535666337383237 +63616566623139343664343663663031306133333830386561383936313135616461636563656130 +61333531313230623063326537323537303363353232343436356161336164326133643734663134 +32616266303536373331396537643938636237363439353234326439363039633366613136326632 +65346533636563393665613130636437356134666262343336646236326430366636353234636564 +66356636666339353466656664633731376537353863613565306130316561313865393962336232 +65326661366661313434666564366131656539363030323233376666616330653338616536393230 +36646161373030343964346430613266306665636336303536363966326361373335313130316332 +33646236393935336662353237323639323239353030623233373766363566323461626332396164 +65303035653630376332356333313765313833396338363233326333626130323866386366613533 +35303562366437333538393363643366326530313365623331306235383965393331333936323432 +34396261666363313637633364356666323639316532636331626132643333373838383465663561 +65363636613736663434626130313265646438326537363736336134346432366432656133623262 +33623661323064333439303463623138383962356165356461373235616164333130663336383635 +36363835643466306339336338323230313036616665363863376262626361323738643561353761 +38353939653130306161666436373132623238366632353332353136623038616462376361626235 
+31356464303136373766323261336132323434396561363066313062333061633437623362633861 +61306330323633323930336237643738613330366265386366306664343066326530613061306432 +65626130336337643233666235613530373237383234633833363962636134366661623333636237 +32373664376438313065623234626637303630356233356439656434306661663138323966303539 +64363937643334303936353663306464626335616262613135363464306135623738303631376562 +32386262663934653565316334353630356537363734396131323264353636663438636365396231 +62336664353938326434646261626466333030333133643265633439313339383661323162336666 +36616136303433396438363062646135616239663461343039646563653638363734333866326666 +39633639336530333637626631626132333066633464376137393937353166343663373564393438 +32326635326431396130653864666239343466636435303730306162336637333032643233633833 +33323165386135386131336430666437663365626266646466616132373133613536623365333766 +61363764303361393438373333616233393030373631323565373563343031326431396239393362 +35623039626435643637353161633037396130616332623733353138613835626539616166613831 +34306663303832646165336363393837626361316433316231646439343265323634383132303930 +38316661333462373033363135363038616136373239333961313039363735303333616561666631 +38386436326566616438306536316432343233613833663632396561313831326432323463626433 +66653733623935333031646632393936343130316565376662353866346632393736326235323430 +31636633633631313732346662356539626638343032383937346134326137623462316531376561 +35386565623661393865623035386534336537623932336533393230323239626132613432373964 +33656539393861626265646565383038396330323762353235666637383134353839666531623862 +39646437393665373035306564636335306136356463316464303566353938303535343235646466 +64306262356135373434643862636363396433663833333063383731613136663038313531353263 +64376131396337393634383136623732666531373136373631643336663766376436633538643461 +64633865346634616366616661323062653431303632313464316335386535363237356339616130 
+34666131383164616664326331356337336637353664353965356332626437323430313565653236 +61323534633137376166383831366263366438623735376264356136353136343434613835373461 +38613139373335653935643663363438653139303037646366303530386339323634373665623032 +30656536373530383539376233316334333233353536633963323334313862353334613832363662 +64663939356465333435356231633832653764303862646433333563666237326463663931383238 +62303062663366363932666130373737643137303739383636616466316363396134376365346331 +64353566383066393737346162313264653736626239376134373964613162323231313462313262 +65376338333439363762323837373262633835643465313130316164643838656364313166616530 +35363436346137333862376632646235643332636662333464366337653064643036386533363030 +33393837323632646163383539343164653433623038306261356534623862636232333836363431 +36353831353637383864643130653838663164646232626637353031386561636535666236356665 +36376330333937646164303333643962383862336433313433626434636133343836313730346462 +39643535323063326364656439316232383430663364383961643961633431326464306639383038 +62356430373630373836326266376230373135326531336464663338303438323836376365636534 +36663532343035303738346564383166326665396363633239623863353662316336653765323632 +34336538663637643535636530666639353864643733376635626133666461613338343039623462 +38356338373732396635663733333465363433663436623938633565623964653765346165393334 +34373666623035353966323433663961333663303162623337306539653739663834356566353164 +65343738663161353964386237306234643836323365626133393134666566363961653836623634 +38356666396161633932363536663732376330343661343763623435663836303032396535616531 +34313730626334316139613839336430346163643933386366306464313266316530363934303032 +62353434346238386536306133366262643061623436636666643735643039613665316436616533 +30666332633764313063383663663830633430646365383532656236363039643633353736346338 +39323935333536643737396331623431633365343064373330386363313632663933386639376236 
+62316333303663343933303237353738333739643036666365623834646665623733623239643265 +30373966336538616135666339303030626164316563326530383731333839383133366332346331 +37306238623132313235666434633135383034653264666134633566373436396133313764306335 +63346435393464623332386134303766363061333361643930363335636164353038626464303633 +64356437623536376662363566623465306634313534333930333066346532323066323335313934 +39663635646664616335393330383865313639393732613034303163363665316337356439656634 +39373163306539346433313765623665353461363866643431633236643137353362613337643266 +63376631316365326634386166666361343733623638613163666564653762663839356461633132 +31666437663535633037393432316463326237356634353631306464663337626136383933386263 +61373562323836343137356162363237366261376662613133623839393932366139636336396365 +61636237386463633635663338303364666462326436396265366563626130316637623630306263 +35386636613161636565356166666463336465643533386166663766306530623162616362376437 +30613466313963323236353533616130656532643130616366333064636435323132386431633532 +35393731623235396464336365326262373131366633333666363636616632653238616165343466 +34333032633062366239636634336563303031653037613237353064656433663361306230313236 +64306430633464306339636436306562376430646535663162383363666666366236653965613030 +65613836326661323338303964393763346336303065346263386462343661363635373337356130 +65323661336165613563663931343365663064613362633632333039663065633162343830356538 +37376566326331633236633235623537653332313464623564616433323134646135333436656563 +65393737623033316535643230386462333736353866306136313833303631353465363363653035 +61376563653266393062616163333164303035386464643536343931663464313831333065306261 +64393237396138363863323862393230393837363062393138663734383566616238323332333636 +34616634383561326337363739346337623362313131353362323461343335636265303262653836 +36383930303436353066356133636133646439346132636162303462346164663162666331643464 
+63393765393634366431306663643863613666313063326231346637623936616431633332343738 +32663666616236346664636563346634323730653239643561343833623936323539303433623839 +37333031316331336435353764643861343134323934626433336666613466353538323332383339 +38353330313066626335356439663835626266623234356636613666383734356166656262373264 +33343336303164366635363162386161663930343836343238376133353839643539333166663566 +62316634633762303464363562303333633732326563646231313933363531343164333836616439 +36353935353532383439366534306564643061613062356433633338386133366535663631313762 +39373032396465393962373038623231313232343661353164393235326266613035613063343136 +63356337323363383761323138396333373066336664616665636434656362376661613034383437 +35336330663836363464643765643566663436326665313561656364353733356531363863623261 +30303138396562633564353764366239656636396632313235326237316538323765663336386632 +34326139313064643834393366316561653664313066383263623739373162643865643035373365 +64366335396132396330303339316361393439636363343034373736663565323230653963336435 +61306538613133313165376562616561663733313839366434376634343236313034306235383733 +38346666376530386231353534393863386566633235323762363635363062323762316130303865 +61313362623765613065303362663837376463393432663839373766326537356536666465386463 +34663266363261623735386565383466313732346366666635663366613032363762386637346636 +34386662626266656465393234306566373462633930323562336631306531663130656132353939 +35613730393762313931383532646530633836313961326461336131656631663137656635343238 +35383533323738316134656666393136633732323536363636646166393530373233613264373761 +39303463663130386338353637373739373331613739353561303636316665323533616634666639 +33303835336431376363336364646165626139353061633339616437326264646434626463383239 +39376332613766383232336339366332616334356630626463373435623165303832393465376334 +33343163356333663266386236356463356335333964333733386439623063656462613561323163 
+34623937383765643461623035343930363336323863356461313034623733303734396238363463 +65383366366565323439316230383363366539666434656364633366333936376361326131313530 +38363161666439643236313063626564393932646536626361396234396333643165346638323037 +38633638646331333664633562353632316133303764316262653261303561366333663062623037 +62356565363433646435643231343231333863303439393335336633316638383863343438353262 +37616539306537613831373462323238363262623365366536653233366231343864643931653463 +61396238663064376166643537646132646665663565323939373632353665356337363538326238 +62323363346532613665653161366235303661363263363836313739326134373264396131633262 +32343135633436353038313335346338663934386436316262623731313334346230356630336333 +62353539383031393339623164333763306338346133383462653534346334346434633831353163 +32386436653863666533323233363663643933396636386334343962313038363933303263346135 +33613337653237323339313233346638393635366136373432353031653432376639663638353161 +30626536386465323136643764663661373863353965623431393562393630333333643631303030 +36383938666239336530643731653963383131623333393638366235383861306163303235353538 +65646264646339663264376161346563663965353837333331333739376336623934623335343234 +36633234326231393232356539383661353431363531653230386637386334613138373038326432 +36356633663565383035373934363132303633646563646236363866626531663534313964373732 +35623034623335396365653134316331346664633439643966363932356664666331306631373630 +66653565666562323366363732626234363165313932326630666537373462303539396139396431 +36653438613337356536643863376234386463363130636535396536363234616162663961326431 +36613034383234326239353337376633616364323564326563353239363739363430383230353162 +64343638623637303334396164343032363735643965393861363537663962316339303936396230 +32613937303931383665313464643862653561646539363039643038653838323434386337306235 +31636166623933616163363366386263663461316136393932313962343836393565623031366362 
+34643237353264343665363566393534656436636138303835656534303763346661663338626664 +37656462393438653830343964646537363038376531636330653264306363303061653231356566 +36323864626233656431303737376131383634353337323633323132646338303766323933373930 +64613835643932336430626261323862636536356265313862383361336365373464313036396238 +62386664336362303565373736373735363061323963333664386366353139303562656465306632 +63376363343664346531653035656538356466626163366130666363666132663961353461363066 +31303335663839663365326539316362663935303237333234353431363063333163613461306539 +64313364363634643434643630613338353564656639626232343063623933323835623534613864 +31316162663137386534643036353238636231303336613334613663386462623365366439326232 +31623163396531336337663839376335376231326466633230376630343936663732356663376465 +39363965303331383265323263613964376361643465316430363565383235333430373566393635 +34343464323664373136656463663461663834656263303639313262626530383534346364306231 +31326565353535653637626166616365393230626539366562666538306235343561343439616661 +31356366666265353666343964303433303237636265666365393361353762303231366165626535 +32363230383231356264646363613030363538303161313534313932383865313166393132393235 +38333332653537663630303639653533343737346531393864613836666438656632303937313433 +39653136316366353133333537376361633961653735363064666665623135613565363564646263 +62643932336465363537363130626262333363303365336464656139643034363031356632613565 +61343138323734313537386466313463393836376363383562646537383237666635353936383637 +36393237333334633762376534623233376338623339613736613032333435303930626261343830 +66663531666566316637386637353136613632623563633664613739336134313432646534303530 +39366139326633383033353065306464316636646535383535663663366331633036393661326361 +32656330323365623739373765643835333830393033363836666439333337356465383364303431 +61336562613634663033643963376635393063623435663162643838663762303533353665646361 
+62386662376163333637343934613763303363616135306230356135613561646630316330353438 +61633234316534353030616138343165633565643366613763653039636466343866376433646132 +63343930333933336338393361623866613765393164623838306637323863366263653133326634 +38653334653430643862383136373432643463343232613161306638336237376236633435653833 +64316363643838333965323163303236346238383964643132643836633161396565323437313636 +34623763353237313863646439343662326634613466653462323163666333633031626131383262 +64336662396134633334376362333165666430646561333730336635356433323234303862343130 +31393933326539336666386364643532363930336636626132396136623066386132656165343530 +39656430373039343634623064623930643037666565346164343632323839383038616630303332 +38383162646564643037386530386366306532303032643939373563306165363934633532656137 +66626635626130336563353737366531613862656231643265346630343633343632333233616162 +39623262646432313865333531383461346664383330393631636431333064306635316431633239 +66393035313763633635643438376235323537633734353961373635376139633234316334363563 +30386263376664646361333435363935363033636665393737333262636464313733656339316539 +65313830396233376464613631333664633635393235626232373133363466323230626363396238 +30353164663663643835653434386136613566363635393039653637623465616136353932663164 +66663763326665636138323366373931376137323334653363303038616363613763313261613836 +33323935616366366462636135366439613539643238393962623864386433373862326566633035 +38393332663131306337386632636464633938303561336537623363346465613033363861646361 +32653839326631323561363430343038666366613330313363363735353465333563663038376631 +62666635326438323564 -- 2.45.2 From 5740b64b1e683e27e2eebde8a397ffff5d92fe35 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Fri, 19 Aug 2022 04:59:42 +0200 Subject: [PATCH 18/44] hosts: add ns-{1,2,master} to inventory --- hosts | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hosts b/hosts index dad5398..deba475 100644 --- a/hosts +++ b/hosts 
@@ -69,6 +69,7 @@ switchs-manager.adm.auro.re ldap-replica-ovh.adm.auro.re prometheus-ovh.adm.auro.re prometheus-federate.adm.auro.re +ns-2.auro.re [ovh_testing_vm] #re2o-test.adm.auro.re @@ -90,6 +91,8 @@ dhcp-fleming-backup.adm.auro.re dns-fleming.adm.auro.re dns-fleming-backup.adm.auro.re prometheus-fleming.adm.auro.re +ns-1.auro.re +ns-master.int.infra.auro.re #prometheus-fleming-fo.adm.auro.re radius-fleming.adm.auro.re radius-fleming-backup.adm.auro.re -- 2.45.2 From b34c232904222333d809abbdd551e7a3f0c19d47 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Fri, 19 Aug 2022 05:00:28 +0200 Subject: [PATCH 19/44] playbooks: WIP: add knotd playbook --- playbooks/knotd.yml | 414 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 414 insertions(+) create mode 100755 playbooks/knotd.yml diff --git a/playbooks/knotd.yml b/playbooks/knotd.yml new file mode 100755 index 0000000..e28f686 --- /dev/null +++ b/playbooks/knotd.yml 
@@ -0,0 +1,414 @@ +#!/usr/bin/env ansible-playbook +--- +- hosts: ns-master.int.infra.auro.re + vars: + knotd__listen: + - address: 0.0.0.0 + - address: "::" + knotd__keys: + xfr: + algorithm: hmac-sha512 + secret: "{{ vault_knotd_xfr_key }}" + ksk-infra: + algorithm: hmac-sha512 + secret: "{{ vault_knotd_ksk_infra_key }}" + update-acme-challenge: + algorithm: hmac-sha512 + secret: "{{ vault_certbot_dns_secret }}" + knotd__remotes: + xfr-ns-1: + address: 10.128.0.199 + key: xfr + xfr-ns-2: + address: 10.128.0.109 + key: xfr + ksk-infra: + address: ::1 + key: ksk-infra + knotd__policies: + public: + algorithm: ECDSAP256SHA256 + reproducible_signing: true + # Je n'ai pas trouvé de façon de pousser les records automatiquement + # sur .re, donc pour éviter d'oublier de le faire manuellement, la + # KSK n'expire pas + ksk_lifetime: 0 + zsk_lifetime: 30d + nsec3: true + infra: + algorithm: ECDSAP256SHA256 + ksk_lifetime: 365d + zsk_lifetime: 30d + nsec3: on + ds-push: ksk-infra + cds-cdnskey-publish: rollover + ksk-submission: infra + ripe: + algorithm: ECDSAP256SHA256 + ksk_lifetime: 365d + zsk_lifetime: 30d + nsec3: on + ds-push: ksk-ripe + cds-cdnskey-publish: rollover + ksk-submission: ripe + knotd__acl: + xfr: + addresses: + - 10.128.0.199 + - 2a09:6840:128::199 + - 10.128.0.109 + - 2a09:6840:128::109 + action: transfer + key: xfr + ksk-infra: + address: + - 127.0.0.1 + - ::1 + key: ksk-infra + action: update + update_types: + - DS + update_owner: name + update_owner_match: equal + update_owner_name: + - infra + update-acme-challenge: + key: update-acme-challenge + action: update + update_types: + - TXT + update_owner: name + update_owner_match: equal + update_owner_name: + - _acme-challenge.auro.re. + - _acme-challenge.mail.auro.re. + - _acme-challenge.smtp.auro.re. + - _acme-challenge.imap.auro.re. + - _acme-challenge.jitsi.auro.re. + knotd__queryacl: + local: + addresses: + - 10.0.0.0/8 + knotd__soa_rname: root@auro.re. 
+ # TODO: Netbox + knotd__hosts: + auro.re: + proxy-ovh: + - 92.222.211.195 + horus: + - 92.23.218.136 + ns-1: + - 45.66.111.30 + - 2a09:6840:111::30 + ns-2: + - 92.222.211.194 + serge: + - 92.222.211.196 + lama: + - 185.230.78.220 + - 2a0c:700:12:0:67:e5ff:fee9:108 + vpn-ovh: + - 92.222.211.197 + passerelle: + - 45.66.111.254 + - 2a09:6840:111::254 + proxy: + - 45.66.111.61 + - 2a09:6840:111::61 + camelot: + - 45.66.111.59 + - 2a09:6840:111::59 + mail: + - 45.66.111.62 + - 2a09:6840:111::62 + galene: + - 45.66.111.65 + - 2a09:6840:111::65 + aclyas: + - 45.66.111.231 + - 2a09:6840:111::231 + jitsi: + - 45.66.111.55 + - 2a09:6840:111::55 + portail-fleming: + - 10.13.0.247 + - 2a09:6840:13::247 + portail-pacaterie: + - 10.23.0.247 + - 2a09:6840:23::247 + portail-rives: + - 10.33.0.247 + - 2a09:6840:33::247 + portail-edc: + - 10.43.0.247 + - 2a09:6840:43::247 + portail-gs: + - 10.53.0.247 + - 2a09:6840:53::247 + knotd__zones: + auro.re: + dnssec_policy: public + notify: + - xfr-ns-1 + - xfr-ns-2 + acl: + - update-acme-challenge + - ksk-infra + - xfr + soa: + mname: ns-master.int.infra + ns: + - target: + - ns-1 + - ns-2 + - name: infra + target: + - ns-1 + - ns-2 + - name: adm + target: + - serge + - lama + - name: ups + target: + - serge + - lama + - name: switch + target: + - serge + - lama + - name: borne + target: + - serge + - lama + mx: + - exchange: mail + preference: 5 + - exchange: proxy-ovh + preference: 10 + spf: + - data: v=spf1 mx -all + a: + - address: 92.222.211.195 + cname: + - name: + - element + - riot + - auth + - rss + - codimd + - hedgedoc + - kanboard + - www + - pad + - privatebin + - zero + - paste + - hétérogénéité + target: proxy-ovh + - name: + - grafana + - netbox + - wiki + - matrix + - drone + - gitea + - re2o + - nextcloud + target: proxy + - name: intranet + target: re2o + - name: + - smtp + - imap + target: mail + hosts: "{{ knotd__hosts['auro.re'] }}" + infra.auro.re: + dnssec_policy: infra + notify: + - xfr-ns-1 + - xfr-ns-2 + acl: + 
- xfr + #queryacl: local + soa: + mname: ns-master.int + ns: + - target: + - ns-1.auro.re. + - ns-2.auro.re. + hosts: + services-1.ceph: + - 10.132.1.1 + - "2a09:6840:132:1:1::" + services-2.ceph: + - 10.132.1.2 + - "2a09:6840:132:1:2::" + services-3.ceph: + - 10.132.1.3 + - "2a09:6840:132:1:3::" + ns-master.int: + - 10.128.0.110 + - "2a09:6840:128:0::110" + ec-1.ups: + - 10.131.4.1 + - 2a09:6840:131::4:1 + ec-2.ups: + - 10.131.4.2 + - 2a09:6840:131::4:2 + 108.66.45.in-addr.arpa: + dnssec_policy: ripe + notify: + - xfr-ns-1 + - xfr-ns-2 + acl: + - xfr + soa: + mname: ns-master.int.infra.auro.re. + ns: + - target: + - ns-1.auro.re. + - ns-2.auro.re. + 109.66.45.in-addr.arpa: + dnssec_policy: ripe + notify: + - xfr-ns-1 + - xfr-ns-2 + acl: + - xfr + soa: + mname: ns-master.int.infra.auro.re. + ns: + - target: + - ns-1.auro.re. + - ns-2.auro.re. + 110.66.45.in-addr.arpa: + dnssec_policy: ripe + notify: + - xfr-ns-1 + - xfr-ns-2 + acl: + - xfr + soa: + mname: ns-master.int.infra.auro.re. + ns: + - target: + - ns-1.auro.re. + - ns-2.auro.re. + 111.66.45.in-addr.arpa: + dnssec_policy: ripe + notify: + - xfr-ns-1 + - xfr-ns-2 + acl: + - xfr + soa: + mname: ns-master.int.infra.auro.re. + ns: + - target: + - ns-1.auro.re. + - ns-2.auro.re. + ptr: + - name: "1" + target: x.auro.re. + - name: "2" + target: y.auro.re. + reverse_hosts: "{{ knotd__hosts['auro.re'] + | ip_filter(['45.66.111.0/24']) + | add_origin_keys('auro.re.') }}" + 4.8.6.9.0.a.2.ip6.arpa: + dnssec_policy: ripe + notify: + - xfr-ns-1 + - xfr-ns-2 + acl: + - xfr + soa: + mname: ns-master.int.infra.auro.re. + ns: + - target: + - ns-1.auro.re. + - ns-2.auro.re. + #reverse: "{{ nb_dns_reverse(ranges={'45.66.108.0/24'}, + # vlan_suffixes=nb__dns_vlan_suffixes) }}" + #hosts: "{{ nb_dns_hosts(vlans={'int', 'ceph', 'ext', 'bmc'}, + # vlan_suffixes=nb__dns_vlan_suffixes) }}" + #nb_dns__vlan_suffixes: + # external-services: ext.infra.auro.re. + # wifi-access-points: wifi.infra.auro.re. 
+ # monitoring: monit.infra.auro.re. + # routers: rtr.infra.auro.re. + # services-ceph: ceph.infra.auro.re. + # ups: ups.infra.auro.re. + # switchs: sw.infra.auro.re. + # internal-services: int.infra.auro.re. + # bmc: bmc.infra.auro.re. + roles: + - knotd + +- hosts: + - ns-1.auro.re + - ns-2.auro.re + vars: + knotd__listen: + - address: 0.0.0.0 + - address: "::" + knotd__keys: + xfr: + algorithm: hmac-sha512 + secret: "{{ vault_knotd_xfr_key }}" + knotd__remotes: + xfr-master: + address: 10.128.0.110 + key: xfr + knotd__acl: + notify-master: + address: + - 10.128.0.110 + - 2a09:6840:128::110 + key: xfr + action: notify + knotd__queryacl: + local: + addresses: + - 10.0.0.0/8 + knotd__zones: + auro.re: + dnssec_validation: false + acl: + - notify-master + master: xfr-master + infra.auro.re: + dnssec_validation: false + acl: + - notify-master + #queryacl: local + master: xfr-master + 108.66.45.in-addr.arpa: + dnssec_validation: false + acl: + - notify-master + master: xfr-master + 109.66.45.in-addr.arpa: + dnssec_validation: false + acl: + - notify-master + master: xfr-master + 110.66.45.in-addr.arpa: + dnssec_validation: false + acl: + - notify-master + master: xfr-master + 111.66.45.in-addr.arpa: + dnssec_validation: false + acl: + - notify-master + master: xfr-master + 4.8.6.9.0.a.2.ip6.arpa: + dnssec_validation: false + acl: + - notify-master + master: xfr-master + roles: + - knotd +... -- 2.45.2 From 5542e63d14973875d288665c20752929c9968449 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Fri, 19 Aug 2022 05:06:59 +0200 Subject: [PATCH 20/44] add filter_plugins path in ansible.cfg --- ansible.cfg | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible.cfg b/ansible.cfg index a43566c..9390932 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -4,6 +4,7 @@ roles_path = ./roles retry_files_enabled = False inventory = ./hosts library = ./library +filter_plugins = ./filter_plugins ansible_managed = Ansible managed, modified on %Y-%m-%d %H:%M:%S nocows = 1 forks = 15 -- 2.45.2 
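Review bot: `knotd__queryacl.local` is defined in the master play but never applied — its only reference is the commented-out `#queryacl: local` under infra.auro.re, and the master listens on `0.0.0.0` and `::` with no query restriction, so the internal zone (10.x and 2a09:6840:128:: addresses, ns-master.int) is answerable to anyone who can reach that listener. Note that infra.auro.re is also transferred to and served by ns-1/ns-2, whose play has the same `queryacl` commented out, so a query ACL on the master alone would not keep the zone internal; either apply `queryacl: local` in both plays or drop the unused definition so it does not suggest a restriction that is not in force. Separately, the secondary addresses (10.128.0.199, 10.128.0.109, 10.128.0.110) are repeated verbatim in `knotd__remotes`, `knotd__acl.xfr` and the secondaries' `notify-master`; one shared variable would keep the remotes and their ACLs from drifting apart. This hunk is the whole new file.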
From 6f32c9bc2c0b80791e70cbb3d9a9ba2519d4bdb2 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Fri, 19 Aug 2022 15:52:06 +0200 Subject: [PATCH 21/44] knotd: do not try to load zone file of slave zones --- roles/knotd/templates/knot.conf.j2 | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/roles/knotd/templates/knot.conf.j2 b/roles/knotd/templates/knot.conf.j2 index 5ce8bdc..5043156 100644 --- a/roles/knotd/templates/knot.conf.j2 +++ b/roles/knotd/templates/knot.conf.j2 @@ -104,10 +104,7 @@ template: - id: default storage: "{{ knotd__zones_dir }}" file: "%s.zone" - semantic-checks: {{ knotd__semantic_checks - | ternary("on", "off") }} zonefile-sync: -1 - zonefile-load: difference-no-serial journal-content: changes journal-content: all serial-policy: {{ knotd__serial_policy }} @@ -128,6 +125,11 @@ zone: {% endif %} {% if zone.master is defined %} master: {{ zone.master }} + zonefile-load: none +{% else %} + zonefile-load: difference-no-serial + semantic-checks: {{ knotd__semantic_checks + | ternary("on", "off") }} {% endif %} {% if zone.dnssec_policy is defined %} dnssec-policy: {{ zone.dnssec_policy }} -- 2.45.2 From 8d92035a814044c35dfbc26c519b99418e2eaf3a Mon Sep 17 00:00:00 2001 From: Jeltz Date: Fri, 19 Aug 2022 15:54:03 +0200 Subject: [PATCH 22/44] playbooks: add adh.auro.re --- playbooks/knotd.yml | 89 ++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 79 insertions(+), 10 deletions(-) diff --git a/playbooks/knotd.yml b/playbooks/knotd.yml index e28f686..ddb3728 100755 --- a/playbooks/knotd.yml +++ b/playbooks/knotd.yml 
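Review bot: `zonefile-load: none` on secondary zones (second hunk) only keeps a zone across a restart if the journal holds the full zone, and the default template shown as context in the first hunk lists both `journal-content: changes` and `journal-content: all` on consecutive lines; which of the two Knot applies I cannot tell from here, but if `changes` wins a restarted secondary presumably has nothing to serve until its next transfer. Remove the duplicate and keep `journal-content: all` so the secondary-side change rests on a single, explicit setting. The `template` and `zone` blocks both start outside these hunks.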
@@ -145,6 +145,60 @@ portail-gs: - 10.53.0.247 - 2a09:6840:53::247 + adh.auro.re: + hoffman: + - 45.66.110.1 + - 2a09:6840:110:0:2d8:61ff:fe56:d7eb + hindley: + - 45.66.110.3 + - 2a09:6840:110:0:a6ba:dbff:fe03:1f36 + yberreby: + - 45.66.110.5 + - 2a09:6840:110:0:d896:1dff:fe59:8381 + paon: + - 45.66.110.10 + - 2a09:6840:110:0:231:92ff:fe1b:ae22 + lovelace: + - 45.66.110.45 + - 2a09:6840:110:0:c634:6bff:feb5:7bcc + switch-leo: + - 45.66.110.103 + - 2a09:6840:110:0:82cc:9cff:fe82:ca3e + haskell: + - 45.66.110.112 + - 2a09:6840:110:0:f4ac:cbff:fe81:7f48 + lyshyga0: + - 45.66.110.113 + - 2a09:6840:110:0:6af7:28ff:fe91:e8d9 + pz28910: + - 45.66.110.114 + vinsing0: + - 45.66.110.123 + - 2a09:6840:110:0:1e1b:dff:fe90:7d81 + osc-routeur: + - 45.66.110.125 + - 2a09:6840:110:0:ba27:ebff:fe2d:c1a1 + odroid: + - 45.66.110.154 + - 2a09:6840:110:0:21e:6ff:fe49:e00 + amau0: + - 45.66.110.164 + - 2a09:6840:110:0:3e7c:3fff:fec3:27d1 + regulus: + - 45.66.110.180 + - 2a09:6840:110:0:2ef0:5dff:fe2a:1530 + toaster: + - 45.66.110.188 + - 2a09:6840:110:0:5246:5dff:fe9a:f70 + rpijutax: + - 45.66.110.190 + - 2a09:6840:110:0:ba27:ebff:fe76:a9bc + lafeychine: + - 45.66.110.200 + - 2a09:6840:110:0:46a5:6eff:fe71:1 + polaris: + - 45.66.110.245 + - 2a09:6840:110:0:dea6:32ff:feb4:d033 knotd__zones: auro.re: dnssec_policy: public @@ -222,7 +276,18 @@ - smtp - imap target: mail - hosts: "{{ knotd__hosts['auro.re'] }}" + - name: + - prometheus-paul.adh + - pma-paul.adh + - nextcloud-paul.adh + - grafana-paul.adh + - jellyfin-paul.adh + - monitoring.adh + - beta-mpp.adh + target: pz28910.adh + hosts: "{{ knotd__hosts['auro.re'] + | combine(knotd__hosts['adh.auro.re'] + | add_origin_keys('adh.auro.re.')) }}" infra.auro.re: dnssec_policy: infra notify: @@ -295,6 +360,9 @@ - target: - ns-1.auro.re. - ns-2.auro.re. + reverse_hosts: "{{ knotd__hosts['adh.auro.re'] + | ip_filter(['45.66.110.0/24']) + | add_origin_keys('adh.auro.re.') }}" 111.66.45.in-addr.arpa: dnssec_policy: ripe notify: 
@@ -308,15 +376,10 @@ - target: - ns-1.auro.re. - ns-2.auro.re. - ptr: - - name: "1" - target: x.auro.re. - - name: "2" - target: y.auro.re. reverse_hosts: "{{ knotd__hosts['auro.re'] | ip_filter(['45.66.111.0/24']) | add_origin_keys('auro.re.') }}" - 4.8.6.9.0.a.2.ip6.arpa: + 0.4.8.6.9.0.a.2.ip6.arpa: dnssec_policy: ripe notify: - xfr-ns-1 @@ -329,6 +392,12 @@ - target: - ns-1.auro.re. - ns-2.auro.re. + reverse_hosts: "{{ knotd__hosts['auro.re'] + | ip_filter(['2a09:6840::/32']) + | add_origin_keys('auro.re.') + | combine(knotd__hosts['adh.auro.re'] + | ip_filter(['2a09:6840::/32']) + | add_origin_keys('adh.auro.re.')) }}" #reverse: "{{ nb_dns_reverse(ranges={'45.66.108.0/24'}, # vlan_suffixes=nb__dns_vlan_suffixes) }}" #hosts: "{{ nb_dns_hosts(vlans={'int', 'ceph', 'ext', 'bmc'}, @@ -374,12 +443,12 @@ - 10.0.0.0/8 knotd__zones: auro.re: - dnssec_validation: false + dnssec_validation: true acl: - notify-master master: xfr-master infra.auro.re: - dnssec_validation: false + dnssec_validation: true acl: - notify-master #queryacl: local @@ -404,7 +473,7 @@ acl: - notify-master master: xfr-master - 4.8.6.9.0.a.2.ip6.arpa: + 0.4.8.6.9.0.a.2.ip6.arpa: dnssec_validation: false acl: - notify-master -- 2.45.2 From 4446c2c47e6dd72c5b2c0f6ceef62d41fd0b72ae Mon Sep 17 00:00:00 2001 From: Jeltz Date: Fri, 19 Aug 2022 21:50:15 +0200 Subject: [PATCH 23/44] dns_zone: do not relativize zone file --- library/dns_zone.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/dns_zone.py b/library/dns_zone.py index f61af00..28c3a6f 100755 --- a/library/dns_zone.py +++ b/library/dns_zone.py @@ -379,7 +379,7 @@ def main() -> int: changed = current is None or not zones_eq(zone, current) if changed: - zone.to_file(module.params["path"], relativize=True, sorted=True) + zone.to_file(module.params["path"], relativize=False, sorted=True) changed = module.set_fs_attributes_if_different(file_args, changed) -- 2.45.2 
From c1833e77b3af5228b78f34126158d0a78e818d03 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Fri, 19 Aug 2022 21:50:43 +0200 Subject: [PATCH 24/44] playbooks: various fixes for knotd.yml --- playbooks/knotd.yml | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/playbooks/knotd.yml b/playbooks/knotd.yml index ddb3728..0631314 100755 --- a/playbooks/knotd.yml +++ b/playbooks/knotd.yml @@ -61,7 +61,7 @@ action: transfer key: xfr ksk-infra: - address: + addresses: - 127.0.0.1 - ::1 key: ksk-infra @@ -73,6 +73,9 @@ update_owner_name: - infra update-acme-challenge: + addresses: + - 10.128.0.0/16 + - 2a09:6840:128::/48 key: update-acme-challenge action: update update_types: @@ -81,10 +84,6 @@ update_owner_match: equal update_owner_name: - _acme-challenge.auro.re. - - _acme-challenge.mail.auro.re. - - _acme-challenge.smtp.auro.re. - - _acme-challenge.imap.auro.re. - - _acme-challenge.jitsi.auro.re. knotd__queryacl: local: addresses: @@ -281,7 +280,7 @@ - pma-paul.adh - nextcloud-paul.adh - grafana-paul.adh - - jellyfin-paul.adh + - jellyfin.adh - monitoring.adh - beta-mpp.adh target: pz28910.adh -- 2.45.2 From 2389367582dfa621d2bd4f146e26d6513a84b736 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Fri, 19 Aug 2022 22:35:29 +0200 Subject: [PATCH 25/44] playbooks: add isp.auro.re --- playbooks/knotd.yml | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/playbooks/knotd.yml b/playbooks/knotd.yml index 0631314..0f14df8 100755 --- a/playbooks/knotd.yml +++ b/playbooks/knotd.yml @@ -218,6 +218,10 @@ target: - ns-1 - ns-2 + - name: isp + target: + - ns-1 + - ns-2 - name: adm target: - serge 
@@ -320,6 +324,27 @@ ec-2.ups: - 10.131.4.2 - 2a09:6840:131::4:2 + isp.auro.re: + dnssec_policy: infra + notify: + - xfr-ns-1 + - xfr-ns-2 + acl: + - xfr + #queryacl: local + soa: + mname: ns-master.int.auro.re. + ns: + - target: + - ns-1.auro.re. + - ns-2.auro.re. + hosts: + dhcp-1: + - 10.128.0.204 + - 2a09:6840:128::204 + dhcp-2: + - 10.128.0.91 + - 2a09:6840:128::91 108.66.45.in-addr.arpa: dnssec_policy: ripe notify: @@ -452,6 +477,11 @@ - notify-master #queryacl: local master: xfr-master + isp.auro.re: + dnssec_validation: true + acl: + - notify-master + master: xfr-master 108.66.45.in-addr.arpa: dnssec_validation: false acl: -- 2.45.2 From 426296d8bd25a51c04cc6afe14befc734c4bf366 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Sat, 20 Aug 2022 04:34:28 +0200 Subject: [PATCH 26/44] knotd: fix typo --- roles/knotd/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/knotd/tasks/main.yml b/roles/knotd/tasks/main.yml index 5fee857..c728175 100644 --- a/roles/knotd/tasks/main.yml +++ b/roles/knotd/tasks/main.yml @@ -32,8 +32,8 @@ origin: "{{ item.key }}" soa: mname: "{{ item.value.soa.mname }}" - rname: "{{ item.value.soa.rname | default(knotd__soa_rname - | default(omit)) }}" + rname: "{{ item.value.soa.rname | default(knotd__soa_rname) + | default(omit) }}" refresh: "{{ item.value.soa.refresh | default(knotd__soa_refresh) | community.general.to_seconds | int }}" retry: "{{ item.value.soa.retry | default(knotd__soa_retry) -- 2.45.2 From d5ab886dd4ba2ca67b8a2e77143e4ab57a425350 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Sat, 20 Aug 2022 04:34:47 +0200 Subject: [PATCH 27/44] dns_zone: add support for diff and check modes --- library/dns_zone.py | 51 ++++++++++++++++++++++++++++++++++----------- 1 file changed, 39 insertions(+), 12 deletions(-) diff --git a/library/dns_zone.py b/library/dns_zone.py index 28c3a6f..b8ebced 100755 --- a/library/dns_zone.py +++ b/library/dns_zone.py 
@@ -308,6 +308,41 @@ def zones_eq(lhs: dns.zone.Zone, rhs: dns.zone.Zone) -> bool: ) +def write_text_file(path, text, module): + """Naive text file write function with support for Ansible's diff and + check modes.""" + diff_text = { + "before_header": f"{path} (content)", + "after_header": f"{path} (content)", + "after": text, + } + + try: + with open(path) as f: + current = f.read() + changed = text != current + diff_text["before"] = current + except Exception: + changed = True + diff_text["before"] = None + + if changed and not module.check_mode: + with open(path, "w") as f: + f.write(text) + + file_args = module.load_file_common_arguments(module.params) + diff_attrs = { + "before_header": f"{path} (attributes)", + "after_header": f"{path} (attributes)", + } + + changed = module.set_file_attributes_if_different( + file_args, changed, diff_attrs + ) + + return changed, [diff_text, diff_attrs] + + def main() -> int: record_types = { @@ -345,6 +380,7 @@ def main() -> int: module = AnsibleModule( argument_spec=module_args, add_file_common_args=True, + supports_check_mode=True, ) origin = dns.name.from_text(module.params["origin"]) @@ -352,11 +388,6 @@ def main() -> int: zone = dns.zone.Zone(origin) - try: - current = dns.zone.from_file(path, origin=origin) - except Exception: - current = None - records = itertools.chain( make_records(module.params["soa"], SOA), make_reverse_hosts_records(module.params["reverse_hosts"]), 
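Review bot: The bare `except Exception:` around the read in `write_text_file` treats any failure (permission denied, a directory at `path`, a decode error) as "file absent", so the module then attempts the write and dies with a raw traceback instead of a clean failure; catch `FileNotFoundError` only and let other errors reach `module.fail_json`. The write itself is `open(path, "w")`, which truncates the live zone file before the new content lands, so an interrupted run leaves knot with an empty or partial zone; write to a temporary file in the same directory and hand it to `module.atomic_move`, which needs `import os` and `import tempfile` added to the top of the file. Ansible's diff rendering expects `before` to be text, so `""` looks safer than `None` for the new-file case, and in check mode on a not-yet-existing path `set_file_attributes_if_different` will presumably stat the missing file — worth confirming. With `current` and the `zones_eq` comparison removed from `main` in the following hunks, `zones_eq` looks dead unless it has another caller.
```python
def write_text_file(path, text, module):
    # … unchanged: diff_text header setup …
    try:
        with open(path, encoding="utf-8") as f:
            current = f.read()
    except FileNotFoundError:
        # only a missing file means "create"; any other OSError is a real
        # failure and must not be masked as a create
        changed = True
        diff_text["before"] = ""
    else:
        changed = text != current
        diff_text["before"] = current

    if changed and not module.check_mode:
        # write a sibling temp file and rename it into place so a crash
        # mid-write never leaves the server with a truncated zone file
        fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
        try:
            with os.fdopen(fd, "w", encoding="utf-8") as f:
                f.write(text)
            module.atomic_move(tmp_path, path)
        finally:
            if os.path.exists(tmp_path):
                os.unlink(tmp_path)
    # … unchanged: file attribute handling and return …
```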
@@ -375,15 +406,11 @@ def main() -> int: dataset = node.get_rdataset(rdata.rdclass, rdata.rdtype, create=True) dataset.add(rdata) - file_args = module.load_file_common_arguments(module.params) + zone_text = zone.to_text(relativize=False, sorted=True) - changed = current is None or not zones_eq(zone, current) - if changed: - zone.to_file(module.params["path"], relativize=False, sorted=True) + changed, diff = write_text_file(path, zone_text, module) - changed = module.set_fs_attributes_if_different(file_args, changed) - - module.exit_json(changed=changed) + module.exit_json(changed=changed, diff=diff) return 0 -- 2.45.2 From 4d82018f62aab6e0018abb30a8768e130094580f Mon Sep 17 00:00:00 2001 From: Jeltz Date: Sat, 20 Aug 2022 19:08:33 +0200 Subject: [PATCH 28/44] knotd + hosts: add ldap-1 --- hosts | 1 + playbooks/knotd.yml | 3 +++ 2 files changed, 4 insertions(+) diff --git a/hosts b/hosts index deba475..08340a7 100644 --- a/hosts +++ b/hosts @@ -93,6 +93,7 @@ dns-fleming-backup.adm.auro.re prometheus-fleming.adm.auro.re ns-1.auro.re ns-master.int.infra.auro.re +ldap-1.int.infra.auro.re #prometheus-fleming-fo.adm.auro.re radius-fleming.adm.auro.re radius-fleming-backup.adm.auro.re diff --git a/playbooks/knotd.yml b/playbooks/knotd.yml index 0f14df8..975dfcd 100755 --- a/playbooks/knotd.yml +++ b/playbooks/knotd.yml @@ -324,6 +324,9 @@ ec-2.ups: - 10.131.4.2 - 2a09:6840:131::4:2 + ldap-1.int: + - 10.128.0.10 + - 2a09:6840:128::10 isp.auro.re: dnssec_policy: infra notify: -- 2.45.2 From 874f75d47d9f8ff26e06d7b96e80a76332b3ae7b Mon Sep 17 00:00:00 2001 From: Jeltz Date: Sat, 20 Aug 2022 19:09:35 +0200 Subject: [PATCH 29/44] dns_zone: add requirements.txt --- requirements.txt | 1 + 1 file changed, 1 insertion(+) create mode 100644 requirements.txt diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 0000000..2f73596 --- /dev/null +++ b/requirements.txt @@ -0,0 +1 @@ +dnspython -- 2.45.2 
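Review bot: `dnspython` is added to `requirements.txt` without any version constraint, so each install resolves to whatever is current, and the `dns.zone` / `dns.rdtypes` API this module relies on has changed between major releases; pin at least a major bound, for example `dnspython>=2.2,<3`. The same applies to the collections added in `requirements.yml` in patch 34, which carry no `version:` field.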
From 32163074042c46bfc1d0b12f4d360e0803f33feb Mon Sep 17 00:00:00 2001 From: Jeltz Date: Thu, 25 Aug 2022 20:44:06 +0200 Subject: [PATCH 30/44] Add pz28.adh.auro.re --- playbooks/knotd.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/playbooks/knotd.yml b/playbooks/knotd.yml index 975dfcd..fad2cb3 100755 --- a/playbooks/knotd.yml +++ b/playbooks/knotd.yml @@ -198,6 +198,8 @@ polaris: - 45.66.110.245 - 2a09:6840:110:0:dea6:32ff:feb4:d033 + pz28: + - 109.209.83.178 knotd__zones: auro.re: dnssec_policy: public @@ -287,7 +289,7 @@ - jellyfin.adh - monitoring.adh - beta-mpp.adh - target: pz28910.adh + target: pz28.adh hosts: "{{ knotd__hosts['auro.re'] | combine(knotd__hosts['adh.auro.re'] | add_origin_keys('adh.auro.re.')) }}" -- 2.45.2 From 50b0e023dc47b080f9585fd79279cbcde98d08fc Mon Sep 17 00:00:00 2001 From: Jeltz Date: Thu, 25 Aug 2022 20:52:48 +0200 Subject: [PATCH 31/44] Add ntp-1.int --- playbooks/knotd.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/playbooks/knotd.yml b/playbooks/knotd.yml index fad2cb3..cf03570 100755 --- a/playbooks/knotd.yml +++ b/playbooks/knotd.yml @@ -329,6 +329,9 @@ ldap-1.int: - 10.128.0.10 - 2a09:6840:128::10 + ntp-1.int: + - 10.128.0.203 + - 2a09:6840:128::203 isp.auro.re: dnssec_policy: infra notify: -- 2.45.2 From cdc68cedd58620c2148217532acbd1017bc348a4 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Fri, 26 Aug 2022 01:51:33 +0200 Subject: [PATCH 32/44] knotd: add dns-1.int --- hosts | 2 +- playbooks/knotd.yml | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/hosts b/hosts index 08340a7..8c1f174 100644 --- a/hosts +++ b/hosts @@ -91,8 +91,8 @@ dhcp-fleming-backup.adm.auro.re dns-fleming.adm.auro.re dns-fleming-backup.adm.auro.re prometheus-fleming.adm.auro.re -ns-1.auro.re ns-master.int.infra.auro.re +dns-1.int.infra.auro.re ldap-1.int.infra.auro.re #prometheus-fleming-fo.adm.auro.re radius-fleming.adm.auro.re 
diff --git a/playbooks/knotd.yml b/playbooks/knotd.yml index cf03570..075aa64 100755 --- a/playbooks/knotd.yml +++ b/playbooks/knotd.yml @@ -332,6 +332,9 @@ ntp-1.int: - 10.128.0.203 - 2a09:6840:128::203 + dns-1.int: + - 10.128.0.127 + - 2a09:6840:128::127 isp.auro.re: dnssec_policy: infra notify: -- 2.45.2 From 9fc0aa1fe83f3f7f0b7cb501b5b7b3b2bf71edfa Mon Sep 17 00:00:00 2001 From: Jeltz Date: Fri, 26 Aug 2022 02:01:12 +0200 Subject: [PATCH 33/44] kresd: create role + playbook --- playbooks/kresd.yml | 22 ++++++++++++++++++++++ roles/kresd/defaults/main.yml | 4 ++++ roles/kresd/handlers/main.yml | 5 +++++ roles/kresd/tasks/main.yml | 21 +++++++++++++++++++++ roles/kresd/templates/kresd.conf.j2 | 21 +++++++++++++++++++++ 5 files changed, 73 insertions(+) create mode 100755 playbooks/kresd.yml create mode 100644 roles/kresd/defaults/main.yml create mode 100644 roles/kresd/handlers/main.yml create mode 100644 roles/kresd/tasks/main.yml create mode 100644 roles/kresd/templates/kresd.conf.j2 diff --git a/playbooks/kresd.yml b/playbooks/kresd.yml new file mode 100755 index 0000000..b39e3d9 --- /dev/null +++ b/playbooks/kresd.yml @@ -0,0 +1,22 @@ +#!/usr/bin/env ansible-playbook +--- +- hosts: + - dns-1.int.infra.auro.re + vars: + kresd__listen: + - address: 0.0.0.0 + port: 53 + kind: dns + - address: "::" + port: 53 + kind: dns + - address: 0.0.0.0 + port: 853 + kind: tls + - address: "::" + port: 853 + kind: tls + kresd__cache_size: 256 + roles: + - kresd +... diff --git a/roles/kresd/defaults/main.yml b/roles/kresd/defaults/main.yml new file mode 100644 index 0000000..e84d7a5 --- /dev/null +++ b/roles/kresd/defaults/main.yml @@ -0,0 +1,4 @@ +--- +kresd__listen: [] +kresd__freebind: true +kresd__cache_size: 128 diff --git a/roles/kresd/handlers/main.yml b/roles/kresd/handlers/main.yml new file mode 100644 index 0000000..a0262a5 --- /dev/null +++ b/roles/kresd/handlers/main.yml 
@@ -0,0 +1,5 @@ +--- +- name: Restart kresd + systemd: + name: kresd@1.service + state: restarted diff --git a/roles/kresd/tasks/main.yml b/roles/kresd/tasks/main.yml new file mode 100644 index 0000000..7eacdf3 --- /dev/null +++ b/roles/kresd/tasks/main.yml @@ -0,0 +1,21 @@ +--- +- name: Install knot-resolver + apt: + name: knot-resolver + +- name: Configure kresd + template: + src: kresd.conf.j2 + dest: /etc/knot-resolver/kresd.conf + owner: root + group: knot-resolver + mode: u=rw,g=r,o= + notify: + - Restart kresd + +- name: Enable and start kresd + systemd: + name: kresd@1.service + state: started + enabled: true +... diff --git a/roles/kresd/templates/kresd.conf.j2 b/roles/kresd/templates/kresd.conf.j2 new file mode 100644 index 0000000..c92309d --- /dev/null +++ b/roles/kresd/templates/kresd.conf.j2 @@ -0,0 +1,21 @@ +{{ ansible_managed | comment(decoration="-- ") }} + +{% for listen in kresd__listen %} +net.listen( + {{ listen.address | enquote }}, + {{ listen.port | int }}, + { + kind = {{ listen.kind | enquote }}, + freebind = {{ listen.freebind + | default(kresd__freebind) }}, + } +) +{% endfor %} + +modules = { + 'hints > iterate', + 'stats', + 'predict', +} + +cache.size = {{ kresd__cache_size | int }} * MB -- 2.45.2 From 2ff44c58b73ffbc4587cbc1e7f139ad7715b759c Mon Sep 17 00:00:00 2001 From: Jeltz Date: Fri, 26 Aug 2022 02:23:01 +0200 Subject: [PATCH 34/44] add requirements.txt --- requirements.yml | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 requirements.yml diff --git a/requirements.yml b/requirements.yml new file mode 100644 index 0000000..6d2eac4 --- /dev/null +++ b/requirements.yml @@ -0,0 +1,6 @@ +--- +collections: + - name: community.general + - name: community.postgresql + - name: ansible.utils +... -- 2.45.2 From 35087971c340cea0db4af86dc241193cd79833e2 Mon Sep 17 00:00:00 2001 
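Review bot: `freebind = {{ listen.freebind | default(kresd__freebind) }}` in kresd.conf.j2 renders the Python boolean as `True`, which in Lua is an undefined global (nil), so freebind is silently off; render it as `freebind = {{ listen.freebind | default(kresd__freebind) | ternary("true", "false") }},`. The template also applies no client restriction while the playbook hunk in this same patch binds `0.0.0.0` and `::` on port 53 on a host that carries a global IPv6 address (patch 32), which makes kresd an open recursive resolver unless something upstream filters it; add `'view'` to `modules` and rules such as `view:addr('10.0.0.0/8', policy.all(policy.PASS))` followed by `view:addr('0.0.0.0/0', policy.all(policy.DROP))` (plus the IPv6 equivalents), or bind only the internal addresses. Finally, the `tls` listeners on 853 have no `net.tls(cert, key)` in the template, so kresd will serve a self-signed ephemeral certificate that clients cannot validate; either provide a certificate or note in the template that the DoT listener is intended for internal use only.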
From: Jeltz Date: Fri, 26 Aug 2022 10:00:04 +0200 Subject: [PATCH 35/44] kresd: increase amount of cache --- playbooks/kresd.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/kresd.yml b/playbooks/kresd.yml index b39e3d9..fb0f7da 100755 --- a/playbooks/kresd.yml +++ b/playbooks/kresd.yml @@ -16,7 +16,7 @@ - address: "::" port: 853 kind: tls - kresd__cache_size: 256 + kresd__cache_size: 512 roles: - kresd ... -- 2.45.2 From ec01fbde955efd2b0e9505d0d776085eb3c74487 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Sat, 27 Aug 2022 05:15:16 +0200 Subject: [PATCH 36/44] hosts: add ns-1.auro.re --- hosts | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts b/hosts index 8c1f174..44af504 100644 --- a/hosts +++ b/hosts @@ -93,6 +93,7 @@ dns-fleming-backup.adm.auro.re prometheus-fleming.adm.auro.re ns-master.int.infra.auro.re dns-1.int.infra.auro.re +ns-1.auro.re ldap-1.int.infra.auro.re #prometheus-fleming-fo.adm.auro.re radius-fleming.adm.auro.re -- 2.45.2 From 526eaf84d27eb6e7f7fe884b1c924bc42be1ebf8 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Sat, 27 Aug 2022 05:15:35 +0200 Subject: [PATCH 37/44] knotd: add isp-1.rtr --- playbooks/knotd.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/playbooks/knotd.yml b/playbooks/knotd.yml index 075aa64..c194826 100755 --- a/playbooks/knotd.yml +++ b/playbooks/knotd.yml @@ -319,7 +319,7 @@ - "2a09:6840:132:1:3::" ns-master.int: - 10.128.0.110 - - "2a09:6840:128:0::110" + - 2a09:6840:128:0::110 ec-1.ups: - 10.131.4.1 - 2a09:6840:131::4:1 @@ -335,6 +335,9 @@ dns-1.int: - 10.128.0.127 - 2a09:6840:128::127 + isp-1.rtr: + - 10.128.0.255 + - 2a09:6840:128::255 isp.auro.re: dnssec_policy: infra notify: -- 2.45.2 From 138ffd6097ce196b8c12b13c5d5f4ba40a469cc4 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Sat, 27 Aug 2022 05:33:54 +0200 Subject: [PATCH 38/44] knotd: add isp-2.rtr --- playbooks/knotd.yml | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/playbooks/knotd.yml b/playbooks/knotd.yml index c194826..f0a3171 100755 --- a/playbooks/knotd.yml +++ b/playbooks/knotd.yml @@ -338,6 +338,9 @@ isp-1.rtr: - 10.128.0.255 - 2a09:6840:128::255 + isp-2.rtr: + - 10.128.0.158 + - 2a09:6840:128::158 isp.auro.re: dnssec_policy: infra notify: -- 2.45.2 From 8f452c76aab1bc6a982c9f6d6c36918b2e769013 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Tue, 30 Aug 2022 13:48:17 +0200 Subject: [PATCH 39/44] Add radius-1.isp --- hosts | 1 + playbooks/knotd.yml | 3 +++ 2 files changed, 4 insertions(+) diff --git a/hosts b/hosts index 44af504..9f4c2f4 100644 --- a/hosts +++ b/hosts @@ -95,6 +95,7 @@ ns-master.int.infra.auro.re dns-1.int.infra.auro.re ns-1.auro.re ldap-1.int.infra.auro.re +radius-1.isp.infra.auro.re #prometheus-fleming-fo.adm.auro.re radius-fleming.adm.auro.re radius-fleming-backup.adm.auro.re diff --git a/playbooks/knotd.yml b/playbooks/knotd.yml index f0a3171..7ba51dd 100755 --- a/playbooks/knotd.yml +++ b/playbooks/knotd.yml @@ -341,6 +341,9 @@ isp-2.rtr: - 10.128.0.158 - 2a09:6840:128::158 + radius-1.isp: + - 10.128.0.208 + - 2a09:6840:128::208 isp.auro.re: dnssec_policy: infra notify: -- 2.45.2 From e99f183743cb3ce7e859cb03d101c329920b929c Mon Sep 17 00:00:00 2001 From: Jeltz Date: Thu, 1 Sep 2022 13:45:40 +0200 Subject: [PATCH 40/44] knotd: replace A/AAAA to CNAME for pz28.adh Temporary fix until a dynamic DNS service is available. --- playbooks/knotd.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/playbooks/knotd.yml b/playbooks/knotd.yml index 7ba51dd..1d49b67 100755 --- a/playbooks/knotd.yml +++ b/playbooks/knotd.yml @@ -198,8 +198,6 @@ polaris: - 45.66.110.245 - 2a09:6840:110:0:dea6:32ff:feb4:d033 - pz28: - - 109.209.83.178 knotd__zones: auro.re: dnssec_policy: public 
@@ -289,7 +287,8 @@ - jellyfin.adh - monitoring.adh - beta-mpp.adh - target: pz28.adh + - pz28.adh + target: lucepaul.myvnc.com. hosts: "{{ knotd__hosts['auro.re'] | combine(knotd__hosts['adh.auro.re'] | add_origin_keys('adh.auro.re.')) }}" -- 2.45.2 From a15a05ce69131db927140075a3b7f71055b30b4b Mon Sep 17 00:00:00 2001 From: Jeltz Date: Sun, 4 Sep 2022 07:42:57 +0200 Subject: [PATCH 41/44] resolvconf: add defaults --- roles/resolvconf/defaults/main.yml | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 roles/resolvconf/defaults/main.yml diff --git a/roles/resolvconf/defaults/main.yml b/roles/resolvconf/defaults/main.yml new file mode 100644 index 0000000..ab42d6e --- /dev/null +++ b/roles/resolvconf/defaults/main.yml @@ -0,0 +1,3 @@ +--- +resolvconf__nameservers: [] +... -- 2.45.2 From d0175e961e6eafb1edc477c2e943696326adf922 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Wed, 28 Sep 2022 14:11:56 +0200 Subject: [PATCH 42/44] knotd: add services-{1..3}.pve.infra (+ CNAME pve) --- playbooks/knotd.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/playbooks/knotd.yml b/playbooks/knotd.yml index 1d49b67..8e84001 100755 --- a/playbooks/knotd.yml +++ b/playbooks/knotd.yml @@ -289,6 +289,15 @@ - beta-mpp.adh - pz28.adh target: lucepaul.myvnc.com. + - name: + - services-1.pve + target: services-1.pve.infra + - name: + - services-2.pve + target: services-2.pve.infra + - name: + - services-3.pve + target: services-3.pve.infra hosts: "{{ knotd__hosts['auro.re'] | combine(knotd__hosts['adh.auro.re'] | add_origin_keys('adh.auro.re.')) }}" @@ -316,6 +325,15 @@ services-3.ceph: - 10.132.1.3 - "2a09:6840:132:1:3::" + services-1.pve: + - 10.134.1.1 + - 2a09:6840:132:1:1::1 + services-2.pve: + - 10.134.1.2 + - 2a09:6840:132:1:2::1 + services-3.pve: + - 10.134.1.3 + - 2a09:6840:132:1:3::1 ns-master.int: - 10.128.0.110 - 2a09:6840:128:0::110 -- 2.45.2 From 0254b82356eceeff19dd014e131fa68e8d862690 Mon Sep 17 00:00:00 2001 
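Review bot: The seven `*.adh` names now CNAME to `lucepaul.myvnc.com.`, a third-party dynamic-DNS name outside the zones managed here, so if that registration lapses the records become dangling CNAMEs and whoever next registers the name answers for those subdomains. The commit message calls this temporary; record that next to the entry in the playbook, e.g. `# TODO: temporary CNAME to an external dyndns name, replace once dynamic DNS is available`, so the dependency is not forgotten as the list of names grows.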
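Review bot: The new `services-{1,2,3}.pve` entries pair IPv4 addresses in `10.134.1.0/24` with IPv6 addresses under `2a09:6840:132:1::`, the same prefix the `services-*.ceph` context lines use for `10.132.1.0/24`; if the pve hosts sit on their own VLAN, the IPv6 prefix may be a copy-paste slip from the ceph block — confirm against the router configuration before publishing. The `pve` entries also pick up an unquoted trailing `::1` while the ceph lines are quoted, which is fine for YAML here (the scalar does not end in `:`), but a short `# pve VLAN` comment on the block would make the intended prefix obvious to the next editor.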
From: Jeltz Date: Fri, 7 Oct 2022 21:34:58 +0200 Subject: [PATCH 43/44] Add edge-{1,2} --- playbooks/knotd.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/playbooks/knotd.yml b/playbooks/knotd.yml index 8e84001..b59b6cf 100755 --- a/playbooks/knotd.yml +++ b/playbooks/knotd.yml @@ -358,6 +358,12 @@ isp-2.rtr: - 10.128.0.158 - 2a09:6840:128::158 + edge-1.rtr: + - 10.128.0.186 + - 2a09:6840:128::186 + edge-2.rtr: + - 10.128.0.228 + - 2a09:6840:128::228 radius-1.isp: - 10.128.0.208 - 2a09:6840:128::208 -- 2.45.2 From 5a43708a879f7017fafc10377385b461afea71bf Mon Sep 17 00:00:00 2001 From: Jeltz Date: Thu, 22 Dec 2022 15:10:16 +0100 Subject: [PATCH 44/44] playbooks: add infra-{1,2}.rtr --- playbooks/knotd.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/playbooks/knotd.yml b/playbooks/knotd.yml index b59b6cf..f5e6b0f 100755 --- a/playbooks/knotd.yml +++ b/playbooks/knotd.yml @@ -364,6 +364,12 @@ edge-2.rtr: - 10.128.0.228 - 2a09:6840:128::228 + infra-1.rtr: + - 10.128.2.76 + - 2a09:6840:128::2:76 + infra-2.rtr: + - 10.128.2.27 + - 2a09:6840:128::2:27 radius-1.isp: - 10.128.0.208 - 2a09:6840:128::208 -- 2.45.2