Manage DNS servers using Ansible #93
1 changed files with 414 additions and 0 deletions
414
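--- a/playbooks/knotd.yml
+++ b/playbooks/knotd.yml
@@ -0,0 +1,414 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: ns-master.int.infra.auro.re
+  vars:
+    knotd__listen:
+      - address: 0.0.0.0
+      - address: "::"
+    knotd__keys:
+      xfr:
+        algorithm: hmac-sha512
+        secret: "{{ vault_knotd_xfr_key }}"
+      ksk-infra:
+        algorithm: hmac-sha512
+        secret: "{{ vault_knotd_ksk_infra_key }}"
+      update-acme-challenge:
+        algorithm: hmac-sha512
+        secret: "{{ vault_certbot_dns_secret }}"
+    knotd__remotes:
+      xfr-ns-1:
+        address: 10.128.0.199
+        key: xfr
+      xfr-ns-2:
+        address: 10.128.0.109
+        key: xfr
+      ksk-infra:
+        address: ::1
+        key: ksk-infra
+    knotd__policies:
+      public:
+        algorithm: ECDSAP256SHA256
+        reproducible_signing: true
+        # Je n'ai pas trouvé de façon de pousser les records automatiquement
+        # sur .re, donc pour éviter d'oublier de le faire manuellement, la
+        # KSK n'expire pas
+        ksk_lifetime: 0
+        zsk_lifetime: 30d
+        nsec3: true
+      infra:
+        algorithm: ECDSAP256SHA256
+        ksk_lifetime: 365d
+        zsk_lifetime: 30d
+        nsec3: on
+        ds-push: ksk-infra
+        cds-cdnskey-publish: rollover
+        ksk-submission: infra
+      ripe:
+        algorithm: ECDSAP256SHA256
+        ksk_lifetime: 365d
+        zsk_lifetime: 30d
+        nsec3: on
+        ds-push: ksk-ripe
+        cds-cdnskey-publish: rollover
+        ksk-submission: ripe
+    knotd__acl:
+      xfr:
+        addresses:
+          - 10.128.0.199
+          - 2a09:6840:128::199
+          - 10.128.0.109
+          - 2a09:6840:128::109
+        action: transfer
+        key: xfr
+      ksk-infra:
+        address:
+          - 127.0.0.1
+          - ::1
+        key: ksk-infra
+        action: update
+        update_types:
+          - DS
+        update_owner: name
+        update_owner_match: equal
+        update_owner_name:
+          - infra
+      update-acme-challenge:
+        key: update-acme-challenge
+        action: update
+        update_types:
+          - TXT
+        update_owner: name
+        update_owner_match: equal
+        update_owner_name:
+          - _acme-challenge.auro.re.
+          - _acme-challenge.mail.auro.re.
+          - _acme-challenge.smtp.auro.re.
+          - _acme-challenge.imap.auro.re.
+          - _acme-challenge.jitsi.auro.re.
+    knotd__queryacl:
+      local:
+        addresses:
+          - 10.0.0.0/8
+    knotd__soa_rname: root@auro.re.
+    # TODO: Netbox
+    knotd__hosts:
+      auro.re:
+        proxy-ovh:
+          - 92.222.211.195
+        horus:
+          - 92.23.218.136
+        ns-1:
+          - 45.66.111.30
+          - 2a09:6840:111::30
+        ns-2:
+          - 92.222.211.194
+        serge:
+          - 92.222.211.196
+        lama:
+          - 185.230.78.220
+          - 2a0c:700:12:0:67:e5ff:fee9:108
+        vpn-ovh:
+          - 92.222.211.197
+        passerelle:
+          - 45.66.111.254
+          - 2a09:6840:111::254
+        proxy:
+          - 45.66.111.61
+          - 2a09:6840:111::61
+        camelot:
+          - 45.66.111.59
+          - 2a09:6840:111::59
+        mail:
+          - 45.66.111.62
+          - 2a09:6840:111::62
+        galene:
+          - 45.66.111.65
+          - 2a09:6840:111::65
+        aclyas:
+          - 45.66.111.231
+          - 2a09:6840:111::231
+        jitsi:
+          - 45.66.111.55
+          - 2a09:6840:111::55
+        portail-fleming:
+          - 10.13.0.247
+          - 2a09:6840:13::247
+        portail-pacaterie:
+          - 10.23.0.247
+          - 2a09:6840:23::247
+        portail-rives:
+          - 10.33.0.247
+          - 2a09:6840:33::247
+        portail-edc:
+          - 10.43.0.247
+          - 2a09:6840:43::247
+        portail-gs:
+          - 10.53.0.247
+          - 2a09:6840:53::247
+    knotd__zones:
+      auro.re:
+        dnssec_policy: public
+        notify:
+          - xfr-ns-1
+          - xfr-ns-2
+        acl:
+          - update-acme-challenge
+          - ksk-infra
+          - xfr
+        soa:
+          mname: ns-master.int.infra
+        ns:
+          - target:
+              - ns-1
+              - ns-2
+          - name: infra
+            target:
+              - ns-1
+              - ns-2
+          - name: adm
+            target:
+              - serge
+              - lama
+          - name: ups
+            target:
+              - serge
+              - lama
+          - name: switch
+            target:
+              - serge
+              - lama
+          - name: borne
+            target:
+              - serge
+              - lama
+        mx:
+          - exchange: mail
+            preference: 5
+          - exchange: proxy-ovh
+            preference: 10
+        spf:
+          - data: v=spf1 mx -all
+        a:
+          - address: 92.222.211.195
+        cname:
+          - name:
+              - element
+              - riot
+              - auth
+              - rss
+              - codimd
+              - hedgedoc
+              - kanboard
+              - www
+              - pad
+              - privatebin
+              - zero
+              - paste
+              - hétérogénéité
+            target: proxy-ovh
+          - name:
+              - grafana
+              - netbox
+              - wiki
+              - matrix
+              - drone
+              - gitea
+              - re2o
+              - nextcloud
+            target: proxy
+          - name: intranet
+            target: re2o
+          - name:
+              - smtp
+              - imap
+            target: mail
+        hosts: "{{ knotd__hosts['auro.re'] }}"
+      infra.auro.re:
+        dnssec_policy: infra
+        notify:
+          - xfr-ns-1
+          - xfr-ns-2
+        acl:
+          - xfr
+        #queryacl: local
+        soa:
+          mname: ns-master.int
+        ns:
+          - target:
+              - ns-1.auro.re.
+              - ns-2.auro.re.
+        hosts:
+          services-1.ceph:
+            - 10.132.1.1
+            - "2a09:6840:132:1:1::"
+          services-2.ceph:
+            - 10.132.1.2
+            - "2a09:6840:132:1:2::"
+          services-3.ceph:
+            - 10.132.1.3
+            - "2a09:6840:132:1:3::"
+          ns-master.int:
+            - 10.128.0.110
+            - "2a09:6840:128:0::110"
+          ec-1.ups:
+            - 10.131.4.1
+            - 2a09:6840:131::4:1
+          ec-2.ups:
+            - 10.131.4.2
+            - 2a09:6840:131::4:2
+      108.66.45.in-addr.arpa:
+        dnssec_policy: ripe
+        notify:
+          - xfr-ns-1
+          - xfr-ns-2
+        acl:
+          - xfr
+        soa:
+          mname: ns-master.int.infra.auro.re.
+        ns:
+          - target:
+              - ns-1.auro.re.
+              - ns-2.auro.re.
+      109.66.45.in-addr.arpa:
+        dnssec_policy: ripe
+        notify:
+          - xfr-ns-1
+          - xfr-ns-2
+        acl:
+          - xfr
+        soa:
+          mname: ns-master.int.infra.auro.re.
+        ns:
+          - target:
+              - ns-1.auro.re.
+              - ns-2.auro.re.
+      110.66.45.in-addr.arpa:
+        dnssec_policy: ripe
+        notify:
+          - xfr-ns-1
+          - xfr-ns-2
+        acl:
+          - xfr
+        soa:
+          mname: ns-master.int.infra.auro.re.
+        ns:
+          - target:
+              - ns-1.auro.re.
+              - ns-2.auro.re.
+      111.66.45.in-addr.arpa:
+        dnssec_policy: ripe
+        notify:
+          - xfr-ns-1
+          - xfr-ns-2
+        acl:
+          - xfr
+        soa:
+          mname: ns-master.int.infra.auro.re.
+        ns:
+          - target:
+              - ns-1.auro.re.
+              - ns-2.auro.re.
+        ptr:
+          - name: "1"
+            target: x.auro.re.
+          - name: "2"
+            target: y.auro.re.
+        reverse_hosts: "{{ knotd__hosts['auro.re']
+          | ip_filter(['45.66.111.0/24'])
+          | add_origin_keys('auro.re.') }}"
+      4.8.6.9.0.a.2.ip6.arpa:
+        dnssec_policy: ripe
+        notify:
+          - xfr-ns-1
+          - xfr-ns-2
+        acl:
+          - xfr
+        soa:
+          mname: ns-master.int.infra.auro.re.
+        ns:
+          - target:
+              - ns-1.auro.re.
+              - ns-2.auro.re.
+        #reverse: "{{ nb_dns_reverse(ranges={'45.66.108.0/24'},
+        #                            vlan_suffixes=nb__dns_vlan_suffixes) }}"
+        #hosts: "{{ nb_dns_hosts(vlans={'int', 'ceph', 'ext', 'bmc'},
+        #                        vlan_suffixes=nb__dns_vlan_suffixes) }}"
+    #nb_dns__vlan_suffixes:
+    #  external-services: ext.infra.auro.re.
+    #  wifi-access-points: wifi.infra.auro.re.
+    #  monitoring: monit.infra.auro.re.
+    #  routers: rtr.infra.auro.re.
+    #  services-ceph: ceph.infra.auro.re.
+    #  ups: ups.infra.auro.re.
+    #  switchs: sw.infra.auro.re.
+    #  internal-services: int.infra.auro.re.
+    #  bmc: bmc.infra.auro.re.
+  roles:
+    - knotd
+
+- hosts:
+    - ns-1.auro.re
+    - ns-2.auro.re
+  vars:
+    knotd__listen:
+      - address: 0.0.0.0
+      - address: "::"
+    knotd__keys:
+      xfr:
+        algorithm: hmac-sha512
+        secret: "{{ vault_knotd_xfr_key }}"
+    knotd__remotes:
+      xfr-master:
+        address: 10.128.0.110
+        key: xfr
+    knotd__acl:
+      notify-master:
+        address:
+          - 10.128.0.110
+          - 2a09:6840:128::110
+        key: xfr
+        action: notify
+    knotd__queryacl:
+      local:
+        addresses:
+          - 10.0.0.0/8
+    knotd__zones:
+      auro.re:
+        dnssec_validation: false
+        acl:
+          - notify-master
+        master: xfr-master
+      infra.auro.re:
+        dnssec_validation: false
+        acl:
+          - notify-master
+        #queryacl: local
+        master: xfr-master
+      108.66.45.in-addr.arpa:
+        dnssec_validation: false
+        acl:
+          - notify-master
+        master: xfr-master
+      109.66.45.in-addr.arpa:
+        dnssec_validation: false
+        acl:
+          - notify-master
+        master: xfr-master
+      110.66.45.in-addr.arpa:
+        dnssec_validation: false
+        acl:
+          - notify-master
+        master: xfr-master
+      111.66.45.in-addr.arpa:
+        dnssec_validation: false
+        acl:
+          - notify-master
+        master: xfr-master
+      4.8.6.9.0.a.2.ip6.arpa:
+        dnssec_validation: false
+        acl:
+          - notify-master
+        master: xfr-master
+  roles:
+    - knotd
+...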
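Review bot: The ACL entries in `knotd__acl` spell the address list inconsistently — `xfr` uses `addresses:` while `ksk-infra` (master play) and `notify-master` (secondary play) use `address:` — and if the knotd role only reads one of the two spellings, the other ACL silently loses its source-address restriction and falls back to key-only matching; the role's expected key is not visible here, so pick the spelling the role actually consumes and use it for all three. The hidden master listens on `0.0.0.0` and `::` yet `queryacl: local` stays commented out on `infra.auro.re` in both plays, so the internal zone with its 10.x/ceph/ups host records is answerable from any interface; either uncomment it or record why the zone is meant to be public. The `infra` and `ripe` policies also use `nsec3: on` where `public` uses `nsec3: true`; write `nsec3: true` in all three so yamllint's truthy check and any YAML 1.2 loader agree with PyYAML. The six reverse-zone stanzas repeat the same `notify`/`acl`/`soa`/`ns` block verbatim, which a single anchor (e.g. `&ripe_zone_defaults`) plus `<<:` would keep in one place.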