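---
# Knot DNS variables for the hidden primary (presumably consumed by a "knotd"
# Ansible role, given the knotd__ prefix). No secret is stored inline: every
# TSIG secret is pulled from Ansible Vault.

# Bind on every IPv4 and IPv6 address. Zone transfers and dynamic updates are
# gated by TSIG key + source address in knotd__acl below; plain queries are
# not restricted unless a zone references knotd__queryacl.
knotd__listen:
  - address: 0.0.0.0
  - address: "::"

# TSIG keys, HMAC-SHA512 throughout. One key per purpose, so a leaked
# ACME-update key cannot be used for zone transfers or DS updates.
knotd__keys:
  xfr:
    algorithm: hmac-sha512
    secret: "{{ vault_knotd_xfr_key }}"
  ksk-infra:
    algorithm: hmac-sha512
    secret: "{{ vault_knotd_ksk_infra_key }}"
  update-acme-challenge:
    algorithm: hmac-sha512
    secret: "{{ vault_certbot_dns_secret }}"

# Remotes: the two secondaries (notified, and allowed to transfer via the
# xfr ACL) plus this very server on loopback as the target of the "infra"
# DS push.
knotd__remotes:
  xfr-ns-1:
    address: 10.128.0.199
    key: xfr
  xfr-ns-2:
    address: 10.128.0.109
    key: xfr
  ksk-infra:
    # Quoted: a plain scalar starting with ":" is parser-dependent.
    address: "::1"
    key: ksk-infra
  # NOTE(review): the "ripe" policy below pushes DS records to a remote named
  # ksk-ripe, which is not defined in this file. Confirm it is supplied by the
  # role or another vars file; otherwise KSK rollovers of the reverse zones
  # will stall at the submission step.

# DNSSEC policies. All use ECDSAP256SHA256 with NSEC3 and a 30-day ZSK.
knotd__policies:
  # Zones whose DS lives at an external registry (.re). No way was found to
  # push DS records to .re automatically, so the KSK never expires
  # (ksk_lifetime: 0) to avoid forgetting the manual DS update and breaking
  # the chain of trust. Any KSK rollover therefore remains a fully manual
  # procedure: there is no ds-push for this policy.
  public:
    algorithm: ECDSAP256SHA256
    reproducible_signing: true
    ksk_lifetime: 0
    zsk_lifetime: 30d
    nsec3: true
  # infra.auro.re: its parent (auro.re) is served by this same server, so the
  # DS is pushed locally through the ksk-infra remote/ACL (owner "infra",
  # type DS only) and a 1-year KSK lifetime is safe to automate.
  infra:
    algorithm: ECDSAP256SHA256
    ksk_lifetime: 365d
    zsk_lifetime: 30d
    # "true", not "on": "on" is only a boolean under YAML 1.1 parsers.
    nsec3: true
    ds-push: ksk-infra
    cds-cdnskey-publish: rollover
    ksk-submission: infra
  # Reverse zones delegated by RIPE; DS is pushed to the ksk-ripe remote.
  ripe:
    algorithm: ECDSAP256SHA256
    ksk_lifetime: 365d
    zsk_lifetime: 30d
    nsec3: true
    ds-push: ksk-ripe
    cds-cdnskey-publish: rollover
    ksk-submission: ripe

# ACLs. Every entry requires BOTH a matching source address and the named
# TSIG key; the update ACLs are further narrowed to one RR type and an exact
# owner name.
knotd__acl:
  # Zone transfers: the two secondaries only. The IPv6 entries have no
  # matching remote above, so they only matter if a secondary pulls over v6.
  xfr:
    addresses:
      - 10.128.0.199
      - 2a09:6840:128::199
      - 10.128.0.109
      - 2a09:6840:128::109
    action: transfer
    key: xfr
  # Local DS push for the "infra" child zone: loopback only, DS records only,
  # owner must be exactly "infra" (relative to the zone this ACL is attached
  # to), so the key cannot alter any other name in auro.re.
  ksk-infra:
    addresses:
      - 127.0.0.1
      - "::1"
    key: ksk-infra
    action: update
    update_types:
      - DS
    update_owner: name
    update_owner_match: equal
    update_owner_name:
      - infra
  # certbot DNS-01 validation: TXT only, and only at the exact apex challenge
  # name. With "equal" (rather than Knot's default sub-or-equal) an update to
  # _acme-challenge.<host>.auro.re. is refused; widen the owner list or the
  # match mode if per-host challenges are ever needed.
  update-acme-challenge:
    addresses:
      - 10.128.0.0/16
      - 2a09:6840:128::/48
    key: update-acme-challenge
    action: update
    update_types:
      - TXT
    update_owner: name
    update_owner_match: equal
    update_owner_name:
      - _acme-challenge.auro.re.

# Query ACL, IPv4 only. Not referenced by any zone in this file (see the
# commented-out queryacl on infra.auro.re); enabling it on a zone as-is would
# refuse queries from every IPv6 client, including the secondaries.
knotd__queryacl:
  local:
    addresses:
      - 10.0.0.0/8

# SOA RNAME; the "user@domain" form is presumably rewritten to root.auro.re.
# by the role.
knotd__soa_rname: root@auro.re.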
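# Host → address tables, keyed by the zone they are published in. The same
# tables also feed the reverse zones (see reverse_hosts below), so an entry
# here yields both forward and PTR records.
knotd__hosts:
  auro.re:
    proxy-ovh:
      - 92.222.211.195
    horus:
      - 92.23.218.136
    ns-1:
      - 45.66.111.30
      - 2a09:6840:111::30
    ns-2:
      - 92.222.211.194
    serge:
      - 92.222.211.196
    lama:
      - 185.230.78.220
      - 2a0c:700:12:0:67:e5ff:fee9:108
    vpn-ovh:
      - 92.222.211.197
    passerelle:
      - 45.66.111.254
      - 2a09:6840:111::254
    proxy:
      - 45.66.111.61
      - 2a09:6840:111::61
    camelot:
      - 45.66.111.59
      - 2a09:6840:111::59
    mail:
      - 45.66.111.62
      - 2a09:6840:111::62
    galene:
      - 45.66.111.65
      - 2a09:6840:111::65
    aclyas:
      - 45.66.111.231
      - 2a09:6840:111::231
    jitsi:
      - 45.66.111.55
      - 2a09:6840:111::55
    # NOTE(review): the portail-* entries publish RFC 1918 addresses in the
    # public auro.re zone. Harmless for reachability, but it discloses the
    # internal addressing plan to anyone who queries the zone.
    portail-fleming:
      - 10.13.0.247
      - 2a09:6840:13::247
    portail-pacaterie:
      - 10.23.0.247
      - 2a09:6840:23::247
    portail-rives:
      - 10.33.0.247
      - 2a09:6840:33::247
    portail-edc:
      - 10.43.0.247
      - 2a09:6840:43::247
    portail-gs:
      - 10.53.0.247
      - 2a09:6840:53::247
    grocy.bric:
      - 45.66.111.133
      - 2a09:6840:111::133
  # Member hosts, published under adh.auro.re (and in 110.66.45.in-addr.arpa).
  adh.auro.re:
    hoffman:
      - 45.66.110.1
      - 2a09:6840:110:0:2d8:61ff:fe56:d7eb
    hindley:
      - 45.66.110.3
      - 2a09:6840:110:0:a6ba:dbff:fe03:1f36
    yberreby:
      - 45.66.110.5
      - 2a09:6840:110:0:d896:1dff:fe59:8381
    paon:
      - 45.66.110.10
      - 2a09:6840:110:0:231:92ff:fe1b:ae22
    lovelace:
      - 45.66.110.45
      - 2a09:6840:110:0:c634:6bff:feb5:7bcc
    switch-leo:
      - 45.66.110.103
      - 2a09:6840:110:0:82cc:9cff:fe82:ca3e
    haskell:
      - 45.66.110.112
      - 2a09:6840:110:0:f4ac:cbff:fe81:7f48
    lyshyga0:
      - 45.66.110.113
      - 2a09:6840:110:0:6af7:28ff:fe91:e8d9
    pz28910:
      - 45.66.110.114
    vinsing0:
      - 45.66.110.123
      - 2a09:6840:110:0:1e1b:dff:fe90:7d81
    osc-routeur:
      - 45.66.110.125
      - 2a09:6840:110:0:ba27:ebff:fe2d:c1a1
    odroid:
      - 45.66.110.154
      - 2a09:6840:110:0:21e:6ff:fe49:e00
    amau0:
      - 45.66.110.164
      - 2a09:6840:110:0:3e7c:3fff:fec3:27d1
    regulus:
      - 45.66.110.180
      - 2a09:6840:110:0:2ef0:5dff:fe2a:1530
    toaster:
      - 45.66.110.188
      - 2a09:6840:110:0:5246:5dff:fe9a:f70
    rpijutax:
      - 45.66.110.190
      - 2a09:6840:110:0:ba27:ebff:fe76:a9bc
    lafeychine:
      - 45.66.110.200
      - 2a09:6840:110:0:46a5:6eff:fe71:1
    polaris:
      - 45.66.110.245
      - 2a09:6840:110:0:dea6:32ff:feb4:d033

# Zones served by this primary. Every zone notifies and allows transfers to
# the two secondaries; names are relative to the zone unless they end in ".".
knotd__zones:
  # Public forward zone. The only zone that accepts dynamic updates: ACME
  # TXT challenges (update-acme-challenge) and the local DS push for the
  # "infra" child (ksk-infra), both TSIG + address + owner restricted.
  auro.re:
    dnssec_policy: public
    notify:
      - xfr-ns-1
      - xfr-ns-2
    acl:
      - update-acme-challenge
      - ksk-infra
      - xfr
    soa:
      mname: ns-master.int.infra
    ns:
      - target:
          - ns-1
          - ns-2
      - name: infra
        target:
          - ns-1
          - ns-2
      # NOTE(review): test.auro.re is signed with the "public" policy, which
      # has no ds-push, and the ksk-infra ACL only permits DS for owner
      # "infra". Unless a DS for "test" is maintained by hand, validators see
      # test.auro.re as an insecure (unsigned) delegation.
      - name: test
        target:
          - ns-1
          - ns-2
      # Delegations to the member-run servers serge and lama.
      - name: adm
        target:
          - serge
          - lama
      - name: ups
        target:
          - serge
          - lama
      - name: switch
        target:
          - serge
          - lama
      - name: borne
        target:
          - serge
          - lama
    mx:
      - exchange: mail
        preference: 5
      - exchange: proxy-ovh
        preference: 10
    # SPF with a hard fail. NOTE(review): no _dmarc record is defined for
    # auro.re here, whereas test.auro.re has one; add one (even p=none with
    # an rua address) if DMARC reporting is wanted for the production domain.
    txt:
      - data: v=spf1 mx -all
    # Apex A record only (no apex AAAA).
    a:
      - address: 92.222.211.195
    cname:
      - name:
          - gisti
          - gistiti
        target: jitsi
      - name:
          - element
          - riot
          - auth
          - rss
          - codimd
          - hedgedoc
          - kanboard
          - www
          - pad
          - privatebin
          - zero
          - paste
        target: proxy-ovh
      - name:
          - grafana
          - netbox
          - wiki
          - matrix
          - drone
          - gitea
          - re2o
          - nextcloud
          - vote
          - office
        target: proxy
      - name: intranet
        target: re2o
      - name:
          - smtp
          - imap
        target: mail
      # NOTE(review): these point at an external dynamic-DNS hostname that is
      # not managed in this file. If that name lapses or changes hands, the
      # *.adh names below dangle and can be claimed by a third party; review
      # them periodically and drop any that are no longer in use.
      - name:
          - prometheus-paul.adh
          - pma-paul.adh
          - nextcloud-paul.adh
          - grafana-paul.adh
          - jellyfin.adh
          - monitoring.adh
          - beta-mpp.adh
          - pz28.adh
        target: lucepaul.myvnc.com.
      - name:
          - services-1.pve
        target: services-1.pve.infra
      - name:
          - services-2.pve
        target: services-2.pve.infra
      - name:
          - services-3.pve
        target: services-3.pve.infra
    # Forward records: auro.re hosts plus the adh.auro.re table re-keyed under
    # its origin (add_origin_keys / combine are role-provided filters).
    hosts: "{{ knotd__hosts['auro.re'] | combine(knotd__hosts['adh.auro.re'] | add_origin_keys('adh.auro.re.')) }}"
  # Test zone; transfers only, no dynamic updates.
  test.auro.re:
    dnssec_policy: public
    notify:
      - xfr-ns-1
      - xfr-ns-2
    acl:
      - xfr
    soa:
      mname: ns-master.int.infra.auro.re.
    txt:
      - data: v=spf1 mx -all
      # Quoted: the value carries ";" and "@", safer than a plain scalar.
      - name: _dmarc
        data: "v=DMARC1;p=quarantine;pct=100;rua=mailto:postmaster@test.auro.re;ruf=mailto:postmaster@test.auro.re"
    ns:
      - target:
          - ns-1.auro.re.
          - ns-2.auro.re.
    mx:
      - exchange: mx
        preference: 5
    cname:
      - name:
          - www1
          - www2
          - www3
        target: proxy.pub.infra.auro.re.
    hosts:
      mx:
        - 2a09:6840:211::1:5
        - 45.66.111.205
  # Internal infrastructure zone. DS records are pushed into auro.re on this
  # same server (policy "infra" → remote/ACL ksk-infra).
  infra.auro.re:
    dnssec_policy: infra
    notify:
      - xfr-ns-1
      - xfr-ns-2
    acl:
      - xfr
    # NOTE(review): with the query ACL left disabled, this whole zone —
    # including every 10.x address and service hostname below — is readable
    # by anyone, and it is also transferred to the public secondaries. The
    # "local" query ACL is IPv4-only, so enabling it as-is would break IPv6
    # clients; add the internal v6 prefixes to knotd__queryacl first.
    # queryacl: local
    soa:
      mname: ns-master.int
    ns:
      - target:
          - ns-1.auro.re.
          - ns-2.auro.re.
    hosts:
      # Addresses ending in "::" are quoted: a trailing ":" would otherwise
      # be read as a mapping indicator.
      services-1.ceph:
        - 10.132.1.1
        - "2a09:6840:132:1:1::"
      services-2.ceph:
        - 10.132.1.2
        - "2a09:6840:132:1:2::"
      services-3.ceph:
        - 10.132.1.3
        - "2a09:6840:132:1:3::"
      services-1.pve:
        - 10.134.1.1
        - 2a09:6840:132:1:1::1
      services-2.pve:
        - 10.134.1.2
        - 2a09:6840:132:1:2::1
      services-3.pve:
        - 10.134.1.3
        - 2a09:6840:132:1:3::1
      # This primary (SOA MNAME of every zone).
      ns-master.int:
        - 10.128.0.110
        - 2a09:6840:128:0::110
      network-1.pve:
        - 2a09:6840:209::1:1
        - 10.209.1.1
      network-2.pve:
        - 2a09:6840:209::1:2
        - 10.209.1.2
      edge-1.back:
        - 2a09:6840:203::1:1
        - 10.203.1.1
      edge-2.back:
        - 2a09:6840:203::1:2
        - 10.203.1.2
      dns-1.int:
        - 2a09:6840:206::1:1
        - 10.206.1.1
      dns-2.int:
        - 2a09:6840:206::1:2
        - 10.206.1.2
      wg-1.vpn:
        - 2a09:6840:213::1:3
        - 10.213.1.3
      wg-2.vpn:
        - 2a09:6840:213::1:4
        - 10.213.1.4
      infra-1.back:
        - 2a09:6840:203::1:3
        - 10.203.1.3
      infra-2.back:
        - 2a09:6840:203::1:4
        - 10.203.1.4
      isp-1.back:
        - 2a09:6840:203::1:5
        - 10.203.1.5
      isp-2.back:
        - 2a09:6840:203::1:6
        - 10.203.1.6
      dhcp-1.isp:
        - 2a09:6840:210::1:1
        - 10.210.1.1
      dhcp-2.isp:
        - 2a09:6840:210::1:2
        - 10.210.1.2
      radius-1.isp:
        - 2a09:6840:210::1:3
        - 10.210.1.3
      radius-2.isp:
        - 2a09:6840:210::1:4
        - 10.210.1.4
      ldap-1.int:
        - 10.128.10.8
        - 2a09:6840:128::10:8
      ldap-2.int:
        - 10.128.10.108
        - 2a09:6840:128::10:108
      ntp-1.int:
        - 2a09:6840:206::1:5
        - 10.206.1.5
      ntp-2.int:
        - 2a09:6840:206::1:6
        - 10.206.1.6
      prometheus-1.monit:
        - 2a09:6840:204::1:1
        - 10.204.1.1
      prometheus-2.monit:
        - 2a09:6840:204::1:2
        - 10.204.1.2
      # Core switches: IPv4 only for now, the v6 addresses are kept commented
      # out until the switches get them.
      ff-1.core.sw:
        # - 2a09:6840:207::1:1
        - 10.207.1.1
      ff-2.core.sw:
        # - 2a09:6840:207::1:2
        - 10.207.1.2
      fl-1.core.sw:
        # - 2a09:6840:207::1:3
        - 10.207.1.3
      fl-2.core.sw:
        # - 2a09:6840:207::1:4
        - 10.207.1.4
      fd-1.core.sw:
        # - 2a09:6840:207::1:5
        - 10.207.1.5
      ff-3.core.sw:
        # - 2a09:6840:207::1:6
        - 10.207.1.6
      gk-1.core.sw:
        # - 2a09:6840:207::2:1
        - 10.207.2.1
      eb-1.core.sw:
        # - 2a09:6840:207::3:1
        - 10.207.3.1
      r3-1.core.sw:
        # - 2a09:6840:207::4:1
        - 10.207.4.1
      eb-1.ups:
        - 2a09:6840:201::3:1
        - 10.201.3.1
      ec-1.ups:
        - 2a09:6840:201::3:2
        - 10.201.3.2
      # Internal address of the test.auro.re MX (public side: 45.66.111.205).
      mx.test:
        - 2a09:6840:211::1:5
        - 10.211.1.5
      collabora.pub:
        - 2a09:6840:128::220
        - 10.128.0.220
      proxy.pub:
        - 2a09:6840:214::1:1
        - 45.66.111.206
  # Reverse zones for the RIPE-delegated 45.66.108.0/22 and 2a09:6840::/32.
  # PTR records are derived from the knotd__hosts tables, filtered to the
  # prefix each zone covers (ip_filter is a role-provided filter).
  108.66.45.in-addr.arpa:
    dnssec_policy: ripe
    notify:
      - xfr-ns-1
      - xfr-ns-2
    acl:
      - xfr
    soa:
      mname: ns-master.int.infra.auro.re.
    ns:
      - target:
          - ns-1.auro.re.
          - ns-2.auro.re.
  109.66.45.in-addr.arpa:
    dnssec_policy: ripe
    notify:
      - xfr-ns-1
      - xfr-ns-2
    acl:
      - xfr
    soa:
      mname: ns-master.int.infra.auro.re.
    ns:
      - target:
          - ns-1.auro.re.
          - ns-2.auro.re.
  110.66.45.in-addr.arpa:
    dnssec_policy: ripe
    notify:
      - xfr-ns-1
      - xfr-ns-2
    acl:
      - xfr
    soa:
      mname: ns-master.int.infra.auro.re.
    ns:
      - target:
          - ns-1.auro.re.
          - ns-2.auro.re.
    reverse_hosts: "{{ knotd__hosts['adh.auro.re'] | ip_filter(['45.66.110.0/24']) | add_origin_keys('adh.auro.re.') }}"
  111.66.45.in-addr.arpa:
    dnssec_policy: ripe
    notify:
      - xfr-ns-1
      - xfr-ns-2
    acl:
      - xfr
    soa:
      mname: ns-master.int.infra.auro.re.
    ns:
      - target:
          - ns-1.auro.re.
          - ns-2.auro.re.
    reverse_hosts: "{{ knotd__hosts['auro.re'] | ip_filter(['45.66.111.0/24']) | add_origin_keys('auro.re.') }}"
  0.4.8.6.9.0.a.2.ip6.arpa:
    dnssec_policy: ripe
    notify:
      - xfr-ns-1
      - xfr-ns-2
    acl:
      - xfr
    soa:
      mname: ns-master.int.infra.auro.re.
    ns:
      - target:
          - ns-1.auro.re.
          - ns-2.auro.re.
    reverse_hosts: "{{ knotd__hosts['auro.re'] | ip_filter(['2a09:6840::/32']) | add_origin_keys('auro.re.') | combine(knotd__hosts['adh.auro.re'] | ip_filter(['2a09:6840::/32']) | add_origin_keys('adh.auro.re.')) }}"
...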