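#!/usr/bin/env ansible-playbook
# Knot DNS deployment in two plays: the signing primary (ns-master) with its
# TSIG keys, DNSSEC policies, update/transfer ACLs and zone data, then the two
# secondaries that only accept NOTIFY from the primary and pull the zones.
---
- hosts: ns-master.int.infra.auro.re
  vars:
    knotd__listen:
      - address: 0.0.0.0
      - address: "::"

    # TSIG keys; the secrets live in the vault, never in this file.
    knotd__keys:
      xfr:
        algorithm: hmac-sha512
        secret: "{{ vault_knotd_xfr_key }}"
      ksk-infra:
        algorithm: hmac-sha512
        secret: "{{ vault_knotd_ksk_infra_key }}"
      update-acme-challenge:
        algorithm: hmac-sha512
        secret: "{{ vault_certbot_dns_secret }}"

    knotd__remotes:
      xfr-ns-1:
        address: 10.128.0.199
        key: xfr
      xfr-ns-2:
        address: 10.128.0.109
        key: xfr
      # Loopback remote used by the `infra` policy to push DS records into the
      # parent zone (auro.re) served by this same instance.
      ksk-infra:
        address: "::1"
        key: ksk-infra

    knotd__policies:
      public:
        algorithm: ECDSAP256SHA256
        reproducible_signing: true
        # No way was found to push the DS records to .re automatically, so to
        # avoid forgetting to do it by hand the KSK never expires
        # (no automatic KSK rollover; a rollover has to be driven manually).
        ksk_lifetime: 0
        zsk_lifetime: 30d
        nsec3: true
      infra:
        algorithm: ECDSAP256SHA256
        ksk_lifetime: 365d
        zsk_lifetime: 30d
        nsec3: true
        ds-push: ksk-infra
        cds-cdnskey-publish: rollover
        ksk-submission: infra
      ripe:
        algorithm: ECDSAP256SHA256
        ksk_lifetime: 365d
        zsk_lifetime: 30d
        nsec3: true
        # NOTE(review): no `ksk-ripe` remote is defined in knotd__remotes in
        # this play — confirm it is provided elsewhere, otherwise DS push for
        # the reverse zones has no destination.
        ds-push: ksk-ripe
        cds-cdnskey-publish: rollover
        ksk-submission: ripe

    knotd__acl:
      # Zone transfers: restricted by both source address and TSIG key.
      xfr:
        addresses:
          - 10.128.0.199
          - 2a09:6840:128::199
          - 10.128.0.109
          - 2a09:6840:128::109
        action: transfer
        key: xfr
      # DS updates from the loopback only (the `infra` policy's ds-push),
      # limited to the `infra` owner of the zone this ACL is attached to.
      ksk-infra:
        # NOTE(review): `address` here vs `addresses` in the xfr ACL above —
        # confirm the knotd role accepts both spellings.
        address:
          - 127.0.0.1
          - "::1"
        key: ksk-infra
        action: update
        update_types:
          - DS
        update_owner: name
        update_owner_match: equal
        update_owner_name:
          - infra
      # Key-only ACL (no source-address restriction): any client holding the
      # certbot TSIG key may update, but only TXT records and only at the
      # listed _acme-challenge owners.
      update-acme-challenge:
        key: update-acme-challenge
        action: update
        update_types:
          - TXT
        update_owner: name
        update_owner_match: equal
        update_owner_name:
          - _acme-challenge.auro.re.
          - _acme-challenge.mail.auro.re.
          - _acme-challenge.smtp.auro.re.
          - _acme-challenge.imap.auro.re.
          - _acme-challenge.jitsi.auro.re.

    # Defined here but only referenced by the commented-out `queryacl: local`
    # under infra.auro.re; as written in this file the internal zone is
    # answered on every listen address (0.0.0.0 and ::) — verify this is
    # intended.
    knotd__queryacl:
      local:
        addresses:
          - 10.0.0.0/8

    knotd__soa_rname: root@auro.re.

    # TODO: Netbox — this host list is maintained by hand for now; see the
    # commented-out nb_dns_* calls at the end of knotd__zones.
    knotd__hosts:
      auro.re:
        proxy-ovh:
          - 92.222.211.195
        horus:
          - 92.23.218.136
        ns-1:
          - 45.66.111.30
          - 2a09:6840:111::30
        ns-2:
          - 92.222.211.194
        serge:
          - 92.222.211.196
        lama:
          - 185.230.78.220
          - 2a0c:700:12:0:67:e5ff:fee9:108
        vpn-ovh:
          - 92.222.211.197
        passerelle:
          - 45.66.111.254
          - 2a09:6840:111::254
        proxy:
          - 45.66.111.61
          - 2a09:6840:111::61
        camelot:
          - 45.66.111.59
          - 2a09:6840:111::59
        mail:
          - 45.66.111.62
          - 2a09:6840:111::62
        galene:
          - 45.66.111.65
          - 2a09:6840:111::65
        aclyas:
          - 45.66.111.231
          - 2a09:6840:111::231
        jitsi:
          - 45.66.111.55
          - 2a09:6840:111::55
        portail-fleming:
          - 10.13.0.247
          - 2a09:6840:13::247
        portail-pacaterie:
          - 10.23.0.247
          - 2a09:6840:23::247
        portail-rives:
          - 10.33.0.247
          - 2a09:6840:33::247
        portail-edc:
          - 10.43.0.247
          - 2a09:6840:43::247
        portail-gs:
          - 10.53.0.247
          - 2a09:6840:53::247

    knotd__zones:
      # Public zone: signed with the `public` policy, ACME and DS updates
      # allowed through the ACLs above, transferred to both secondaries.
      auro.re:
        dnssec_policy: public
        notify:
          - xfr-ns-1
          - xfr-ns-2
        acl:
          - update-acme-challenge
          - ksk-infra
          - xfr
        soa:
          mname: ns-master.int.infra
        ns:
          - target:
              - ns-1
              - ns-2
          - name: infra
            target:
              - ns-1
              - ns-2
          - name: adm
            target:
              - serge
              - lama
          - name: ups
            target:
              - serge
              - lama
          - name: switch
            target:
              - serge
              - lama
          - name: borne
            target:
              - serge
              - lama
        mx:
          - exchange: mail
            preference: 5
          - exchange: proxy-ovh
            preference: 10
        spf:
          - data: v=spf1 mx -all
        a:
          - address: 92.222.211.195
        cname:
          - name:
              - element
              - riot
              - auth
              - rss
              - codimd
              - hedgedoc
              - kanboard
              - www
              - pad
              - privatebin
              - zero
              - paste
              - hétérogénéité
            target: proxy-ovh
          - name:
              - grafana
              - netbox
              - wiki
              - matrix
              - drone
              - gitea
              - re2o
              - nextcloud
            target: proxy
          - name: intranet
            target: re2o
          - name:
              - smtp
              - imap
            target: mail
        hosts: "{{ knotd__hosts['auro.re'] }}"

      # Internal zone: signed with the `infra` policy (DS pushed into auro.re
      # via the ksk-infra remote/ACL).
      infra.auro.re:
        dnssec_policy: infra
        notify:
          - xfr-ns-1
          - xfr-ns-2
        acl:
          - xfr
        #queryacl: local
        soa:
          mname: ns-master.int
        ns:
          - target:
              - ns-1.auro.re.
              - ns-2.auro.re.
        hosts:
          services-1.ceph:
            - 10.132.1.1
            - "2a09:6840:132:1:1::"
          services-2.ceph:
            - 10.132.1.2
            - "2a09:6840:132:1:2::"
          services-3.ceph:
            - 10.132.1.3
            - "2a09:6840:132:1:3::"
          ns-master.int:
            - 10.128.0.110
            - "2a09:6840:128:0::110"
          ec-1.ups:
            - 10.131.4.1
            - 2a09:6840:131::4:1
          ec-2.ups:
            - 10.131.4.2
            - 2a09:6840:131::4:2

      # Reverse zones for 45.66.108.0/22, all on the `ripe` policy.
      108.66.45.in-addr.arpa:
        dnssec_policy: ripe
        notify:
          - xfr-ns-1
          - xfr-ns-2
        acl:
          - xfr
        soa:
          mname: ns-master.int.infra.auro.re.
        ns:
          - target:
              - ns-1.auro.re.
              - ns-2.auro.re.

      109.66.45.in-addr.arpa:
        dnssec_policy: ripe
        notify:
          - xfr-ns-1
          - xfr-ns-2
        acl:
          - xfr
        soa:
          mname: ns-master.int.infra.auro.re.
        ns:
          - target:
              - ns-1.auro.re.
              - ns-2.auro.re.

      110.66.45.in-addr.arpa:
        dnssec_policy: ripe
        notify:
          - xfr-ns-1
          - xfr-ns-2
        acl:
          - xfr
        soa:
          mname: ns-master.int.infra.auro.re.
        ns:
          - target:
              - ns-1.auro.re.
              - ns-2.auro.re.

      111.66.45.in-addr.arpa:
        dnssec_policy: ripe
        notify:
          - xfr-ns-1
          - xfr-ns-2
        acl:
          - xfr
        soa:
          mname: ns-master.int.infra.auro.re.
        ns:
          - target:
              - ns-1.auro.re.
              - ns-2.auro.re.
        # NOTE(review): x.auro.re. / y.auro.re. look like placeholder targets
        # — confirm before relying on these PTRs.
        ptr:
          - name: "1"
            target: x.auro.re.
          - name: "2"
            target: y.auro.re.
        # PTRs derived from the auro.re host list, limited to this /24.
        reverse_hosts: "{{ knotd__hosts['auro.re'] | ip_filter(['45.66.111.0/24']) | add_origin_keys('auro.re.') }}"

      4.8.6.9.0.a.2.ip6.arpa:
        dnssec_policy: ripe
        notify:
          - xfr-ns-1
          - xfr-ns-2
        acl:
          - xfr
        soa:
          mname: ns-master.int.infra.auro.re.
        ns:
          - target:
              - ns-1.auro.re.
              - ns-2.auro.re.

    # Netbox-driven generation, kept for reference (see TODO above).
    #reverse: "{{ nb_dns_reverse(ranges={'45.66.108.0/24'},
    #  vlan_suffixes=nb__dns_vlan_suffixes) }}"
    #hosts: "{{ nb_dns_hosts(vlans={'int', 'ceph', 'ext', 'bmc'},
    #  vlan_suffixes=nb__dns_vlan_suffixes) }}"
    #nb_dns__vlan_suffixes:
    #  external-services: ext.infra.auro.re.
    #  wifi-access-points: wifi.infra.auro.re.
    #  monitoring: monit.infra.auro.re.
    #  routers: rtr.infra.auro.re.
    #  services-ceph: ceph.infra.auro.re.
    #  ups: ups.infra.auro.re.
    #  switchs: sw.infra.auro.re.
    #  internal-services: int.infra.auro.re.
    #  bmc: bmc.infra.auro.re.
  roles:
    - knotd

# Secondaries: every zone is pulled from the primary (xfr-master) and NOTIFY
# is accepted only from the primary's addresses with the xfr key.
- hosts:
    - ns-1.auro.re
    - ns-2.auro.re
  vars:
    knotd__listen:
      - address: 0.0.0.0
      - address: "::"
    knotd__keys:
      xfr:
        algorithm: hmac-sha512
        secret: "{{ vault_knotd_xfr_key }}"
    knotd__remotes:
      xfr-master:
        address: 10.128.0.110
        key: xfr
    knotd__acl:
      notify-master:
        address:
          - 10.128.0.110
          - 2a09:6840:128::110
        key: xfr
        action: notify
    # Same remark as on the primary: defined but not referenced by any active
    # `queryacl:` line in this play.
    knotd__queryacl:
      local:
        addresses:
          - 10.0.0.0/8
    # Zones arrive already signed from the primary (dnssec_policy is set
    # there), so no validation is done on the secondaries.
    knotd__zones:
      auro.re:
        dnssec_validation: false
        acl:
          - notify-master
        master: xfr-master
      infra.auro.re:
        dnssec_validation: false
        acl:
          - notify-master
        #queryacl: local
        master: xfr-master
      108.66.45.in-addr.arpa:
        dnssec_validation: false
        acl:
          - notify-master
        master: xfr-master
      109.66.45.in-addr.arpa:
        dnssec_validation: false
        acl:
          - notify-master
        master: xfr-master
      110.66.45.in-addr.arpa:
        dnssec_validation: false
        acl:
          - notify-master
        master: xfr-master
      111.66.45.in-addr.arpa:
        dnssec_validation: false
        acl:
          - notify-master
        master: xfr-master
      4.8.6.9.0.a.2.ip6.arpa:
        dnssec_validation: false
        acl:
          - notify-master
        master: xfr-master
  roles:
    - knotd
...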