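#!/usr/bin/env ansible-playbook
---
# Knot DNS deployment for the auro.re zones.
#
# Play 1 configures the primary (ns-master, reachable only on internal
# addresses and not listed in the NS RRsets below): zone contents, DNSSEC
# signing policies, TSIG keys and the ACLs for transfers and dynamic updates.
# Play 2 configures the two public secondaries (ns-1, ns-2), which only
# accept notifies from the primary and pull the zones over AXFR/IXFR.
#
# All TSIG secrets are taken from the vault; nothing secret is inline here.

# --- Primary -----------------------------------------------------------------
- hosts: ns-master.int.infra.auro.re
  vars:
    knotd__listen:
      - address: 0.0.0.0
      - address: "::"

    # TSIG keys. One key per purpose so that a leaked update key cannot be
    # used for zone transfers and vice versa.
    knotd__keys:
      xfr:
        algorithm: hmac-sha512
        secret: "{{ vault_knotd_xfr_key }}"
      ksk-infra:
        algorithm: hmac-sha512
        secret: "{{ vault_knotd_ksk_infra_key }}"
      update-acme-challenge:
        algorithm: hmac-sha512
        secret: "{{ vault_certbot_dns_secret }}"

    knotd__remotes:
      xfr-ns-1:
        address: 10.128.0.199
        key: xfr
      xfr-ns-2:
        address: 10.128.0.109
        key: xfr
      # Loopback remote: the `infra` policy pushes its DS records into the
      # parent zone (auro.re), which is served by this same host.
      ksk-infra:
        address: "::1"
        key: ksk-infra

    # DNSSEC signing policies, referenced by knotd__zones.<zone>.dnssec_policy.
    # NOTE(review): the policy keys mix snake_case (ksk_lifetime, nsec3) and
    # kebab-case (ds-push, cds-cdnskey-publish, ksk-submission); confirm the
    # knotd role template reads both spellings, otherwise one set is silently
    # ignored.
    knotd__policies:
      public:
        algorithm: ECDSAP256SHA256
        reproducible_signing: true
        # No way was found to push the DS records to the .re registry
        # automatically, so to avoid forgetting to do it by hand the KSK
        # never expires.
        ksk_lifetime: 0
        zsk_lifetime: 30d
        nsec3: true
      infra:
        algorithm: ECDSAP256SHA256
        ksk_lifetime: 365d
        zsk_lifetime: 30d
        nsec3: true
        # DS records for the delegation are pushed through the ksk-infra
        # remote and accepted by the ksk-infra ACL below.
        ds-push: ksk-infra
        cds-cdnskey-publish: rollover
        ksk-submission: infra
      ripe:
        algorithm: ECDSAP256SHA256
        ksk_lifetime: 365d
        zsk_lifetime: 30d
        nsec3: true
        # NOTE(review): no `ksk-ripe` remote is defined in knotd__remotes of
        # this play (only ksk-infra is); confirm the role provides it, or the
        # DS push for the reverse zones cannot work.
        ds-push: ksk-ripe
        cds-cdnskey-publish: rollover
        ksk-submission: ripe

    knotd__acl:
      # Zone transfers: only the two secondaries, and only with the xfr key.
      xfr:
        addresses:
          - 10.128.0.199
          - 2a09:6840:128::199
          - 10.128.0.109
          - 2a09:6840:128::109
        action: transfer
        key: xfr
      # Loopback-only dynamic updates, restricted to DS records whose owner
      # is exactly `infra` (the infra.auro.re delegation). Used by the
      # `infra` policy's ds-push.
      ksk-infra:
        addresses:
          - 127.0.0.1
          - "::1"
        key: ksk-infra
        action: update
        update_types:
          - DS
        update_owner: name
        update_owner_match: equal
        update_owner_name:
          - infra
      # ACME DNS challenge updates (certbot). The key may only write TXT
      # records at exactly _acme-challenge.auro.re.; keep the owner and
      # type restrictions, otherwise a leaked certificate key could rewrite
      # any record of the zone.
      update-acme-challenge:
        addresses:
          - 10.128.0.0/16
          - 2a09:6840:128::/48
        key: update-acme-challenge
        action: update
        update_types:
          - TXT
        update_owner: name
        update_owner_match: equal
        update_owner_name:
          - _acme-challenge.auro.re.

    # Defined but not attached to any zone (the `queryacl: local` lines
    # below are commented out): every zone of this play answers queries
    # from anywhere.
    knotd__queryacl:
      local:
        addresses:
          - 10.0.0.0/8

    knotd__soa_rname: root@auro.re.

    # Host -> address lists, keyed by origin. Used to generate A/AAAA and
    # PTR records through the project's add_origin_keys/ip_filter filters.
    # TODO: Netbox
    knotd__hosts:
      auro.re:
        proxy-ovh:
          - 92.222.211.195
        horus:
          - 92.23.218.136
        ns-1:
          - 45.66.111.30
          - 2a09:6840:111::30
        ns-2:
          - 92.222.211.194
        serge:
          - 92.222.211.196
        lama:
          - 185.230.78.220
          - 2a0c:700:12:0:67:e5ff:fee9:108
        vpn-ovh:
          - 92.222.211.197
        passerelle:
          - 45.66.111.254
          - 2a09:6840:111::254
        proxy:
          - 45.66.111.61
          - 2a09:6840:111::61
        camelot:
          - 45.66.111.59
          - 2a09:6840:111::59
        mail:
          - 45.66.111.62
          - 2a09:6840:111::62
        galene:
          - 45.66.111.65
          - 2a09:6840:111::65
        aclyas:
          - 45.66.111.231
          - 2a09:6840:111::231
        jitsi:
          - 45.66.111.55
          - 2a09:6840:111::55
        portail-fleming:
          - 10.13.0.247
          - 2a09:6840:13::247
        portail-pacaterie:
          - 10.23.0.247
          - 2a09:6840:23::247
        portail-rives:
          - 10.33.0.247
          - 2a09:6840:33::247
        portail-edc:
          - 10.43.0.247
          - 2a09:6840:43::247
        portail-gs:
          - 10.53.0.247
          - 2a09:6840:53::247
      adh.auro.re:
        hoffman:
          - 45.66.110.1
          - 2a09:6840:110:0:2d8:61ff:fe56:d7eb
        hindley:
          - 45.66.110.3
          - 2a09:6840:110:0:a6ba:dbff:fe03:1f36
        yberreby:
          - 45.66.110.5
          - 2a09:6840:110:0:d896:1dff:fe59:8381
        paon:
          - 45.66.110.10
          - 2a09:6840:110:0:231:92ff:fe1b:ae22
        lovelace:
          - 45.66.110.45
          - 2a09:6840:110:0:c634:6bff:feb5:7bcc
        switch-leo:
          - 45.66.110.103
          - 2a09:6840:110:0:82cc:9cff:fe82:ca3e
        haskell:
          - 45.66.110.112
          - 2a09:6840:110:0:f4ac:cbff:fe81:7f48
        lyshyga0:
          - 45.66.110.113
          - 2a09:6840:110:0:6af7:28ff:fe91:e8d9
        pz28910:
          - 45.66.110.114
        vinsing0:
          - 45.66.110.123
          - 2a09:6840:110:0:1e1b:dff:fe90:7d81
        osc-routeur:
          - 45.66.110.125
          - 2a09:6840:110:0:ba27:ebff:fe2d:c1a1
        odroid:
          - 45.66.110.154
          - 2a09:6840:110:0:21e:6ff:fe49:e00
        amau0:
          - 45.66.110.164
          - 2a09:6840:110:0:3e7c:3fff:fec3:27d1
        regulus:
          - 45.66.110.180
          - 2a09:6840:110:0:2ef0:5dff:fe2a:1530
        toaster:
          - 45.66.110.188
          - 2a09:6840:110:0:5246:5dff:fe9a:f70
        rpijutax:
          - 45.66.110.190
          - 2a09:6840:110:0:ba27:ebff:fe76:a9bc
        lafeychine:
          - 45.66.110.200
          - 2a09:6840:110:0:46a5:6eff:fe71:1
        polaris:
          - 45.66.110.245
          - 2a09:6840:110:0:dea6:32ff:feb4:d033

    knotd__zones:
      # Public forward zone. Accepts the ACME TXT updates and the DS push
      # from the infra delegation; transfers only to the secondaries.
      auro.re:
        dnssec_policy: public
        notify:
          - xfr-ns-1
          - xfr-ns-2
        acl:
          - update-acme-challenge
          - ksk-infra
          - xfr
        soa:
          mname: ns-master.int.infra
        ns:
          - target:
              - ns-1
              - ns-2
          - name: infra
            target:
              - ns-1
              - ns-2
          - name: adm
            target:
              - serge
              - lama
          - name: ups
            target:
              - serge
              - lama
          - name: switch
            target:
              - serge
              - lama
          - name: borne
            target:
              - serge
              - lama
        mx:
          - exchange: mail
            preference: 5
          - exchange: proxy-ovh
            preference: 10
        spf:
          - data: v=spf1 mx -all
        a:
          - address: 92.222.211.195
        cname:
          - name:
              - element
              - riot
              - auth
              - rss
              - codimd
              - hedgedoc
              - kanboard
              - www
              - pad
              - privatebin
              - zero
              - paste
              - hétérogénéité
            target: proxy-ovh
          - name:
              - grafana
              - netbox
              - wiki
              - matrix
              - drone
              - gitea
              - re2o
              - nextcloud
            target: proxy
          - name: intranet
            target: re2o
          - name:
              - smtp
              - imap
            target: mail
          - name:
              - prometheus-paul.adh
              - pma-paul.adh
              - nextcloud-paul.adh
              - grafana-paul.adh
              - jellyfin.adh
              - monitoring.adh
              - beta-mpp.adh
              - pz28.adh
            target: lucepaul.myvnc.com.
          - name:
              - services-1.pve
            target: services-1.pve.infra
          - name:
              - services-2.pve
            target: services-2.pve.infra
          - name:
              - services-3.pve
            target: services-3.pve.infra
        # adh.auro.re hosts are folded into this zone under their own
        # origin (add_origin_keys is a project filter, not an Ansible one).
        hosts: "{{ knotd__hosts['auro.re'] | combine(knotd__hosts['adh.auro.re'] | add_origin_keys('adh.auro.re.')) }}"

      infra.auro.re:
        dnssec_policy: infra
        notify:
          - xfr-ns-1
          - xfr-ns-2
        acl:
          - xfr
        # queryacl: local
        soa:
          mname: ns-master.int
        ns:
          - target:
              - ns-1.auro.re.
              - ns-2.auro.re.
        hosts:
          services-1.ceph:
            - 10.132.1.1
            - "2a09:6840:132:1:1::"
          services-2.ceph:
            - 10.132.1.2
            - "2a09:6840:132:1:2::"
          services-3.ceph:
            - 10.132.1.3
            - "2a09:6840:132:1:3::"
          services-1.pve:
            - 10.134.1.1
            - 2a09:6840:132:1:1::1
          services-2.pve:
            - 10.134.1.2
            - 2a09:6840:132:1:2::1
          services-3.pve:
            - 10.134.1.3
            - 2a09:6840:132:1:3::1
          ns-master.int:
            - 10.128.0.110
            - 2a09:6840:128:0::110
          ec-1.ups:
            - 10.131.4.1
            - 2a09:6840:131::4:1
          ec-2.ups:
            - 10.131.4.2
            - 2a09:6840:131::4:2
          network-1.pve:
            - 10.128.5.1
            - 2a09:6840:128::5:1
          network-2.pve:
            - 10.128.2.1
            - 2a09:6840:128::2:1
          edge-1.rtr:
            - 10.128.10.2
            - 2a09:6840:128::10:2
          edge-2.rtr:
            - 10.128.10.102
            - 2a09:6840:128::10:102
          dns-1.int:
            - 10.128.10.3
            - 2a09:6840:128::10:3
          dns-2.int:
            - 10.128.10.103
            - 2a09:6840:128::10:103
          ssh-1.mgmt:
            - 10.128.10.1
            - 2a09:6840:128::10:1
          ssh-2.mgmt:
            - 10.128.10.101
            - 2a09:6840:128::10:101
          infra-1.rtr:
            - 10.128.10.4
            - 2a09:6840:128::10:4
          infra-2.rtr:
            - 10.128.10.104
            - 2a09:6840:128::10:104
          isp-1.rtr:
            - 10.128.10.5
            - 2a09:6840:128::10:5
          isp-2.rtr:
            - 10.128.10.105
            - 2a09:6840:128::10:105
          dhcp-1.isp:
            - 10.128.10.6
            - 2a09:6840:128::10:6
          dhcp-2.isp:
            - 10.128.10.106
            - 2a09:6840:128::10:106
          radius-1.isp:
            - 10.128.10.7
            - 2a09:6840:128::10:7
          radius-2.isp:
            - 10.128.10.107
            - 2a09:6840:128::10:107
          ldap-1.int:
            - 10.128.10.8
            - 2a09:6840:128::10:8
          ldap-2.int:
            - 10.128.10.108
            - 2a09:6840:128::10:108
          ntp-1.int:
            - 10.128.10.9
            - 2a09:6840:128::10:9
          ntp-2.int:
            - 10.128.10.109
            - 2a09:6840:128::10:109
          prometheus-1.monit:
            - 10.128.10.10
            - 2a09:6840:128::10:10
          prometheus-2.monit:
            - 10.128.10.110
            - 2a09:6840:128::10:110

      # Reverse zones for the RIPE-assigned ranges. 108 and 109 carry no
      # reverse_hosts yet (see the Netbox TODO above).
      108.66.45.in-addr.arpa:
        dnssec_policy: ripe
        notify:
          - xfr-ns-1
          - xfr-ns-2
        acl:
          - xfr
        soa:
          mname: ns-master.int.infra.auro.re.
        ns:
          - target:
              - ns-1.auro.re.
              - ns-2.auro.re.

      109.66.45.in-addr.arpa:
        dnssec_policy: ripe
        notify:
          - xfr-ns-1
          - xfr-ns-2
        acl:
          - xfr
        soa:
          mname: ns-master.int.infra.auro.re.
        ns:
          - target:
              - ns-1.auro.re.
              - ns-2.auro.re.

      110.66.45.in-addr.arpa:
        dnssec_policy: ripe
        notify:
          - xfr-ns-1
          - xfr-ns-2
        acl:
          - xfr
        soa:
          mname: ns-master.int.infra.auro.re.
        ns:
          - target:
              - ns-1.auro.re.
              - ns-2.auro.re.
        # PTRs come from the adh.auro.re hosts that fall inside the /24.
        reverse_hosts: "{{ knotd__hosts['adh.auro.re'] | ip_filter(['45.66.110.0/24']) | add_origin_keys('adh.auro.re.') }}"

      111.66.45.in-addr.arpa:
        dnssec_policy: ripe
        notify:
          - xfr-ns-1
          - xfr-ns-2
        acl:
          - xfr
        soa:
          mname: ns-master.int.infra.auro.re.
        ns:
          - target:
              - ns-1.auro.re.
              - ns-2.auro.re.
        reverse_hosts: "{{ knotd__hosts['auro.re'] | ip_filter(['45.66.111.0/24']) | add_origin_keys('auro.re.') }}"

      0.4.8.6.9.0.a.2.ip6.arpa:
        dnssec_policy: ripe
        notify:
          - xfr-ns-1
          - xfr-ns-2
        acl:
          - xfr
        soa:
          mname: ns-master.int.infra.auro.re.
        ns:
          - target:
              - ns-1.auro.re.
              - ns-2.auro.re.
        # Both origins share the 2a09:6840::/32, so their PTRs are merged.
        reverse_hosts: "{{ knotd__hosts['auro.re'] | ip_filter(['2a09:6840::/32']) | add_origin_keys('auro.re.') | combine(knotd__hosts['adh.auro.re'] | ip_filter(['2a09:6840::/32']) | add_origin_keys('adh.auro.re.')) }}"
        # reverse: "{{ nb_dns_reverse(ranges={'45.66.108.0/24'},
        #                             vlan_suffixes=nb__dns_vlan_suffixes) }}"
        # hosts: "{{ nb_dns_hosts(vlans={'int', 'ceph', 'ext', 'bmc'},
        #                         vlan_suffixes=nb__dns_vlan_suffixes) }}"

    # nb_dns__vlan_suffixes:
    #   external-services: ext.infra.auro.re.
    #   wifi-access-points: wifi.infra.auro.re.
    #   monitoring: monit.infra.auro.re.
    #   routers: rtr.infra.auro.re.
    #   services-ceph: ceph.infra.auro.re.
    #   ups: ups.infra.auro.re.
    #   switchs: sw.infra.auro.re.
    #   internal-services: int.infra.auro.re.
    #   bmc: bmc.infra.auro.re.

  roles:
    - knotd

# --- Public secondaries ------------------------------------------------------
# Only the primary may notify them, and they only pull from it; no dynamic
# update ACL exists on this side.
- hosts:
    - ns-1.auro.re
    - ns-2.auro.re
  vars:
    knotd__listen:
      - address: 0.0.0.0
      - address: "::"

    knotd__keys:
      xfr:
        algorithm: hmac-sha512
        secret: "{{ vault_knotd_xfr_key }}"

    knotd__remotes:
      xfr-master:
        address: 10.128.0.110
        key: xfr

    knotd__acl:
      # NOTE(review): this ACL uses `address:` while the primary's ACLs use
      # `addresses:`; confirm the knotd role accepts both, otherwise the
      # address restriction here may be silently dropped.
      notify-master:
        address:
          - 10.128.0.110
          - 2a09:6840:128::110
        key: xfr
        action: notify

    # Defined but not attached to any zone (queryacl lines are commented
    # out), so the secondaries answer queries from anywhere.
    knotd__queryacl:
      local:
        addresses:
          - 10.0.0.0/8

    knotd__zones:
      auro.re:
        dnssec_validation: true
        acl:
          - notify-master
        master: xfr-master
      infra.auro.re:
        dnssec_validation: true
        acl:
          - notify-master
        # queryacl: local
        master: xfr-master
      # NOTE(review): the reverse zones are signed with the `ripe` policy on
      # the primary but validation is disabled here; presumably pending DS
      # publication for the reverse delegations — confirm and enable once
      # the chain is in place.
      108.66.45.in-addr.arpa:
        dnssec_validation: false
        acl:
          - notify-master
        master: xfr-master
      109.66.45.in-addr.arpa:
        dnssec_validation: false
        acl:
          - notify-master
        master: xfr-master
      110.66.45.in-addr.arpa:
        dnssec_validation: false
        acl:
          - notify-master
        master: xfr-master
      111.66.45.in-addr.arpa:
        dnssec_validation: false
        acl:
          - notify-master
        master: xfr-master
      0.4.8.6.9.0.a.2.ip6.arpa:
        dnssec_validation: false
        acl:
          - notify-master
        master: xfr-master

  roles:
    - knotd
...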