---
# Addresses knotd binds to: wildcard on both families, so the daemon answers on
# every interface this host has (loopback included, which the ksk-infra ACL
# below relies on). This host is the hidden master of every zone in this file
# (it is the SOA MNAME but appears in no NS set). Nothing here limits who can
# reach it; the only query ACL (knotd__queryacl.local) is not applied anywhere.
# NOTE(review): if the master is meant to stay hidden, binding to the internal
# addresses only, or a host firewall (not visible here), is the usual safeguard.
knotd__listen:
  - address: 0.0.0.0
  - address: "::"
# TSIG keys. Secrets come from Ansible Vault variables, never from this file.
knotd__keys:
  # Shared by zone transfers / NOTIFY to all secondaries (knotd__remotes xfr-*
  # and the `xfr` ACL).
  xfr:
    algorithm: hmac-sha512
    secret: "{{ vault_knotd_xfr_key }}"
  # Used over loopback for the DS push from infra.auro.re into auro.re
  # (see the ksk-infra remote/ACL and the `infra` policy).
  ksk-infra:
    algorithm: hmac-sha512
    secret: "{{ vault_knotd_ksk_infra_key }}"
  # Dynamic-update key for ACME DNS-01 validation. Whoever holds this secret
  # (from an address inside the `update-acme-challenge` ACL ranges) can write
  # _acme-challenge.auro.re and thus obtain certificates for auro.re and, with
  # DNS-01, *.auro.re: treat it as a domain-wide certificate-issuance credential.
  update-acme-challenge:
    algorithm: hmac-sha512
    secret: "{{ vault_certbot_dns_secret }}"
# Remote servers. The xfr-* entries are the NOTIFY targets of every zone below;
# ksk-infra is this very host (loopback), used by the `infra` policy's ds-push.
knotd__remotes:
  xfr-ns-1:
    address: 2a09:6840:215::1:2   # ns-1.pub (see infra.auro.re hosts)
    key: xfr
  xfr-ns-2:
    address: 2a09:6840:215::1:3   # ns-2.pub
    key: xfr
  xfr-ns-3:
    # Private address, presumably ns-3.ovh reached over the internal network /
    # a tunnel - confirm; ns-3.ovh's public address is 92.222.211.194 below.
    address: 10.128.0.109
    key: xfr
  ksk-infra:
    address: ::1
    key: ksk-infra
# NOTE(review): the `ripe` policy below references `ds-push: ksk-ripe`, which is
# not defined here; it must come from another vars file, otherwise knotd should
# reject the configuration as an invalid reference.
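# DNSSEC signing policies, referenced by `dnssec_policy` in knotd__zones.
# All three sign with ECDSA P-256/SHA-256 and NSEC3; they differ in how the
# DS record reaches the parent zone.
knotd__policies:
  # auro.re itself; the parent is the .re registry.
  public:
    algorithm: ECDSAP256SHA256
    # Knot's deterministic-RRSIG option for ECDSA: re-signing the same data
    # yields the same signatures (useful if the zone is ever signed on more
    # than one host).
    reproducible_signing: true
    # No automated way was found to push DS records to the .re registry, so
    # rather than risk forgetting to do it by hand the KSK never expires
    # (0 = no automatic KSK rollover). Any future KSK change is a manual
    # DS-at-the-registrar operation.
    ksk_lifetime: 0
    zsk_lifetime: 30d
    nsec3: true
  # infra.auro.re: its parent auro.re is served by this same host, so the DS is
  # pushed over loopback with the ksk-infra key (remote + ACL of that name).
  infra:
    algorithm: ECDSAP256SHA256
    ksk_lifetime: 365d
    zsk_lifetime: 30d
    nsec3: true
    ds-push: ksk-infra
    cds-cdnskey-publish: rollover
    ksk-submission: infra
  # Reverse zones (in-addr.arpa / ip6.arpa); the name suggests the RIPE NCC
  # parent.
  ripe:
    algorithm: ECDSAP256SHA256
    ksk_lifetime: 365d
    zsk_lifetime: 30d
    nsec3: true
    # NOTE(review): neither the `ksk-ripe` remote nor the `infra`/`ripe`
    # submission sections are defined in this file - confirm they live in
    # another vars file.
    ds-push: ksk-ripe
    cds-cdnskey-publish: rollover
    ksk-submission: ripe
# NOTE(review): key spelling is mixed (ksk_lifetime vs ds-push); make sure the
# role's template accepts both forms, or an ignored key would silently disable
# DS push / KSK submission.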
# Access control lists, referenced from each zone's `acl`. In Knot's ACL
# semantics an entry that lists both addresses and a key requires a request to
# match both (source address AND valid TSIG).
knotd__acl:
  # Zone transfers to the secondaries: ns-1.pub / ns-2.pub (v4 + v6) and the
  # 10.128.0.109 / 2a09:6840:128::109 pair behind the xfr-ns-3 remote.
  xfr:
    addresses:
      - 2a09:6840:128::109
      - 10.128.0.109
      - 2a09:6840:215::1:2
      - 45.66.111.205
      - 2a09:6840:215::1:3
      - 45.66.111.207
    action: transfer
    key: xfr
  # DS push from infra.auro.re into auro.re: loopback only, TSIG, and only the
  # DS RRset of the single owner `infra` may be updated.
  ksk-infra:
    addresses:
      - 127.0.0.1
      - ::1
    key: ksk-infra
    action: update
    update_types:
      - DS
    update_owner: name
    update_owner_match: equal
    update_owner_name:
      - infra
  # ACME DNS-01 updates: only TXT, only at the exact name
  # _acme-challenge.auro.re. (so per-host _acme-challenge.<host>.auro.re
  # names are refused). The address scope is a whole /16 and /48; the TSIG key
  # is what really gates this.
  # NOTE(review): narrowing the addresses to the host(s) that run certbot
  # would limit the blast radius if vault_certbot_dns_secret leaks - confirm
  # which hosts need it.
  update-acme-challenge:
    addresses:
      - 10.128.0.0/16
      - 2a09:6840:128::/48
    key: update-acme-challenge
    action: update
    update_types:
      - TXT
    update_owner: name
    update_owner_match: equal
    update_owner_name:
      - _acme-challenge.auro.re.
# Query ACL(s). `local` allows queries from 10.0.0.0/8 only. It is defined but
# currently referenced solely by a commented-out `queryacl: local` on
# infra.auro.re, so no zone is actually query-restricted.
knotd__queryacl:
  local:
    addresses:
      - 10.0.0.0/8
# SOA RNAME (zone contact) shared by every zone, in mailbox form; the role's
# template presumably converts it to DNS form (root.auro.re.) - verify there.
knotd__soa_rname: root@auro.re.
# Host -> address map consumed by the zone definitions below (forward A/AAAA
# records via `hosts`, PTRs via `reverse_hosts` with ip_filter/add_origin_keys).
knotd__hosts:

  # Published in the public auro.re zone. Note the portail-* entries carry
  # RFC 1918 10.x addresses, which therefore appear in public DNS.
  auro.re:
    proxy-ovh:
      - 92.222.211.195
    horus:
      - 92.23.218.136
    ns-1:
      - 45.66.111.205
      - 2a09:6840:215::1:2
    ns-2:
      - 92.222.211.194   # same address as ns-3.ovh.infra below
    serge:
      - 92.222.211.196
    lama:
      - 185.230.78.220
      - 2a0c:700:12:0:67:e5ff:fee9:108
    vpn-ovh:
      - 92.222.211.197
    passerelle:
      - 45.66.111.254
      - 2a09:6840:111::254
    proxy:
      - 45.66.111.61
      - 2a09:6840:111::61
    camelot:
      - 45.66.111.59
      - 2a09:6840:111::59
    mail:
      - 45.66.111.62
      - 2a09:6840:111::62
    galene:
      - 45.66.111.65
      - 2a09:6840:111::65
    aclyas:
      - 45.66.111.231
      - 2a09:6840:111::231
    jitsi:
      - 45.66.111.55
      - 2a09:6840:111::55
    portail-fleming:
      - 10.13.0.247
      - 2a09:6840:13::247
    portail-pacaterie:
      - 10.23.0.247
      - 2a09:6840:23::247
    portail-rives:
      - 10.33.0.247
      - 2a09:6840:33::247
    portail-edc:
      - 10.43.0.247
      - 2a09:6840:43::247
    portail-gs:
      - 10.53.0.247
      - 2a09:6840:53::247
    grocy.bric:
      - 45.66.111.133
      - 2a09:6840:111::133

  # Member machines, published as adh.auro.re forward records and in the
  # 110.66.45.in-addr.arpa / ip6.arpa reverse zones. Most IPv6 entries are
  # EUI-64 (..ff:fe..) and so expose the device MAC in public DNS - a minor
  # privacy consideration for member hosts.
  adh.auro.re:
    hoffman:
      - 45.66.110.1
      - 2a09:6840:110:0:2d8:61ff:fe56:d7eb
    hindley:
      - 45.66.110.3
      - 2a09:6840:110:0:a6ba:dbff:fe03:1f36
    yberreby:
      - 45.66.110.5
      - 2a09:6840:110:0:d896:1dff:fe59:8381
    paon:
      - 45.66.110.10
      - 2a09:6840:110:0:231:92ff:fe1b:ae22
    lovelace:
      - 45.66.110.45
      - 2a09:6840:110:0:c634:6bff:feb5:7bcc
    switch-leo:
      - 45.66.110.103
      - 2a09:6840:110:0:82cc:9cff:fe82:ca3e
    haskell:
      - 45.66.110.112
      - 2a09:6840:110:0:f4ac:cbff:fe81:7f48
    lyshyga0:
      - 45.66.110.113
      - 2a09:6840:110:0:6af7:28ff:fe91:e8d9
    pz28910:
      - 45.66.110.114
    vinsing0:
      - 45.66.110.123
      - 2a09:6840:110:0:1e1b:dff:fe90:7d81
    osc-routeur:
      - 45.66.110.125
      - 2a09:6840:110:0:ba27:ebff:fe2d:c1a1
    odroid:
      - 45.66.110.154
      - 2a09:6840:110:0:21e:6ff:fe49:e00
    amau0:
      - 45.66.110.164
      - 2a09:6840:110:0:3e7c:3fff:fec3:27d1
    regulus:
      - 45.66.110.180
      - 2a09:6840:110:0:2ef0:5dff:fe2a:1530
    toaster:
      - 45.66.110.188
      - 2a09:6840:110:0:5246:5dff:fe9a:f70
    rpijutax:
      - 45.66.110.190
      - 2a09:6840:110:0:ba27:ebff:fe76:a9bc
    lafeychine:
      - 45.66.110.200
      - 2a09:6840:110:0:46a5:6eff:fe71:1
    polaris:
      - 45.66.110.245
      - 2a09:6840:110:0:dea6:32ff:feb4:d033
# Zones served by this master. Every zone is DNSSEC-signed (dnssec_policy),
# NOTIFYs the three secondaries and allows transfers through the `xfr` ACL.
knotd__zones:

  auro.re:
    dnssec_policy: public
    notify:
      - xfr-ns-1
      - xfr-ns-2
      - xfr-ns-3
    # Dynamic updates accepted: ACME TXT (certbot) and the DS push from
    # infra.auro.re; everything else is refused.
    acl:
      - update-acme-challenge
      - ksk-infra
      - xfr
    # Hidden master as MNAME (10.128.0.110, see infra.auro.re hosts); RFC 2136
    # clients such as certbot locate the update target through it.
    soa:
      mname: ns-master.int.infra
    ns:
      - target:
          - ns-1.pub.infra
          - ns-2.pub.infra
          - ns-3.ovh.infra
      - name: infra
        target:
          - ns-1.pub.infra
          - ns-2.pub.infra
          - ns-3.ovh.infra
      - name: test
        target:
          - ns-1.pub.infra
          - ns-2.pub.infra
          - ns-3.ovh.infra
      # adm/ups/switch/borne are delegated to serge and lama, which are not in
      # the public NS set above.
      - name: adm
        target:
          - serge
          - lama
      - name: ups
        target:
          - serge
          - lama
      - name: switch
        target:
          - serge
          - lama
      - name: borne
        target:
          - serge
          - lama
    mx:
      - exchange: mail
        preference: 5
      - exchange: proxy-ovh
        preference: 10
    # NOTE(review): SPF only - test.auro.re below publishes a _dmarc record but
    # auro.re does not; consider adding one here as well.
    txt:
      - data: v=spf1 mx -all
    a:
      - address: 92.222.211.195
    cname:
      - name:
          - gisti
          - gistiti
        target: jitsi
      - name:
          - element
          - riot
          - auth
          - rss
          - codimd
          - hedgedoc
          - grist
          - kanboard
          - www
          - pad
          - privatebin
          - zero
          - paste
        target: proxy-ovh
      - name:
          - grafana
          - nextcloud
          - cloud
          - office
        target: proxy.pub.infra
      - name:
          - netbox
          - wiki
          - matrix
          - drone
          - gitea
          - re2o
          - vote
        target: proxy
      # CNAME chain: intranet -> re2o -> proxy.
      - name: intranet
        target: re2o
      - name:
          - smtp
          - imap
        target: mail
      # NOTE(review): these point at an external dynamic-DNS name that is not
      # under this organisation's control. If that name is ever released, the
      # *.adh names below dangle and could be claimed by a third party.
      - name:
          - prometheus-paul.adh
          - pma-paul.adh
          - nextcloud-paul.adh
          - grafana-paul.adh
          - jellyfin.adh
          - monitoring.adh
          - beta-mpp.adh
          - pz28.adh
        target: lucepaul.myvnc.com.
      - name:
          - services-1.pve
        target: services-1.pve.infra
      - name:
          - services-2.pve
        target: services-2.pve.infra
      - name:
          - services-3.pve
        target: services-3.pve.infra
    # A/AAAA records: auro.re hosts plus the adh.auro.re hosts re-keyed under
    # their adh.auro.re. origin.
    hosts: "{{ knotd__hosts['auro.re']
      | combine(knotd__hosts['adh.auro.re']
      | add_origin_keys('adh.auro.re.')) }}"

  test.auro.re:
    dnssec_policy: public
    notify:
      - xfr-ns-1
      - xfr-ns-2
      - xfr-ns-3
    acl:
      - xfr
    soa:
      mname: ns-master.int.infra.auro.re.
    txt:
      - data: v=spf1 mx -all
      - name: _dmarc
        data: v=DMARC1;p=quarantine;pct=100;rua=mailto:postmaster@test.auro.re;ruf=mailto:postmaster@test.auro.re
    ns:
      - target:
          - ns-1.pub.infra.auro.re.
          - ns-2.pub.infra.auro.re.
          - ns-3.ovh.infra.auro.re.
    mx:
      - exchange: mx
        preference: 5
    cname:
      - name:
          - www1
          - www2
          - www3
        target: proxy.pub.infra.auro.re.
    hosts:
      mx:
        - 2a09:6840:211::1:5
        # NOTE(review): this is also ns-1.pub's IPv4 (45.66.111.205), while
        # mx.test in infra.auro.re maps to 10.211.1.5 - confirm the public v4 of
        # the test MX is meant to be the nameserver's address (NAT?).
        - 45.66.111.205

  infra.auro.re:
    dnssec_policy: infra
    notify:
      - xfr-ns-1
      - xfr-ns-2
      - xfr-ns-3
    acl:
      - xfr
    # NOTE(review): with queryacl disabled this zone - internal 10.x addresses
    # and role names (ldap, radius, dhcp, nis, wg, ceph, core switches) - is
    # served to anyone, and it is also transferred to the three public
    # secondaries, so re-enabling the ACL on this master alone would not hide
    # it. Decide deliberately: keep it public, or keep internal names in a zone
    # that is not transferred to public NS.
    #queryacl: local
    soa:
      mname: ns-master.int
    ns:
      - target:
          - ns-1.pub.infra.auro.re.
          - ns-2.pub.infra.auro.re.
          - ns-3.ovh.infra.auro.re.
    hosts:
      services-1.ceph:
        - 10.214.1.1
        - "2a09:6840:214::1:1"
      services-2.ceph:
        - 10.214.1.2
        - "2a09:6840:214::1:2"
      services-3.ceph:
        - 10.214.1.3
        # NOTE(review): siblings use 2a09:6840:214::1:x and this value falls
        # in the 2a09:6840:209::1:x range used by network-*.pve below -
        # probable typo for 2a09:6840:214::1:3; confirm before changing.
        - "2a09:6840:209::1:3"
      services-1.pve:
        - 10.209.2.1
        - 2a09:6840:209::2:1
      services-2.pve:
        - 10.209.2.2
        - 2a09:6840:209::2:2
      services-3.pve:
        - 10.209.2.3
        - 2a09:6840:209::2:3
      # The hidden master (this host): SOA MNAME of every zone in this file.
      ns-master.int:
        - 10.128.0.110
        - 2a09:6840:128:0::110
      network-1.pve:
        - 2a09:6840:209::1:1
        - 10.209.1.1
      network-2.pve:
        - 2a09:6840:209::1:2
        - 10.209.1.2
      edge-1.back:
        - 2a09:6840:203::1:1
        - 10.203.1.1
      edge-2.back:
        - 2a09:6840:203::1:2
        - 10.203.1.2
      dns-1.int:
        - 2a09:6840:206::1:1
        - 10.206.1.1
      dns-2.int:
        - 2a09:6840:206::1:2
        - 10.206.1.2
      nis2.int:
        - 2a09:6840:206::2:1
        - 10.206.2.1
      wg-1.vpn:
        - 2a09:6840:213::1:3
        - 10.213.1.3
      wg-2.vpn:
        - 2a09:6840:213::1:4
        - 10.213.1.4
      infra-1.back:
        - 2a09:6840:203::1:3
        - 10.203.1.3
      infra-2.back:
        - 2a09:6840:203::1:4
        - 10.203.1.4
      isp-1.back:
        - 2a09:6840:203::1:5
        - 10.203.1.5
      isp-2.back:
        - 2a09:6840:203::1:6
        - 10.203.1.6
      dhcp-1.isp:
        - 2a09:6840:210::1:1
        - 10.210.1.1
      dhcp-2.isp:
        - 2a09:6840:210::1:2
        - 10.210.1.2
      radius-1.isp:
        - 2a09:6840:210::1:3
        - 10.210.1.3
      radius-2.isp:
        - 2a09:6840:210::1:4
        - 10.210.1.4
      ldap-1.int:
        - 10.128.10.8
        - 2a09:6840:128::10:8
      ldap-2.int:
        - 10.128.10.108
        - 2a09:6840:128::10:108
      ntp-1.int:
        - 2a09:6840:206::1:5
        - 10.206.1.5
      ntp-2.int:
        - 2a09:6840:206::1:6
        - 10.206.1.6
      prometheus-1.monit:
        - 2a09:6840:204::1:1
        - 10.204.1.1
      prometheus-2.monit:
        - 2a09:6840:204::1:2
        - 10.204.1.2
      # Core switches: IPv6 entries are commented out, IPv4 only for now.
      ff-1.core.sw:
        #- 2a09:6840:207::1:1
        - 10.207.1.1
      ff-2.core.sw:
        #- 2a09:6840:207::1:2
        - 10.207.1.2
      fl-1.core.sw:
        #- 2a09:6840:207::1:3
        - 10.207.1.3
      fl-2.core.sw:
        #- 2a09:6840:207::1:4
        - 10.207.1.4
      fd-1.core.sw:
        #- 2a09:6840:207::1:5
        - 10.207.1.5
      ff-3.core.sw:
        #- 2a09:6840:207::1:6
        - 10.207.1.6
      gk-1.core.sw:
        #- 2a09:6840:207::2:1
        - 10.207.2.1
      eb-1.core.sw:
        #- 2a09:6840:207::3:1
        - 10.207.3.1
      r3-1.core.sw:
        #- 2a09:6840:207::4:1
        - 10.207.4.1
      eb-1.ups:
        - 2a09:6840:201::3:1
        - 10.201.3.1
      ec-1.ups:
        - 2a09:6840:201::3:2
        - 10.201.3.2
      mx.test:
        - 2a09:6840:211::1:5
        - 10.211.1.5
      collabora.ext:
        - 2a09:6840:211::1:1
        - 10.211.1.1
      proxy.pub:
        - 2a09:6840:215::1:1
        - 45.66.111.206
      # Public secondaries (the NS set of every zone here).
      ns-1.pub:
        - 2a09:6840:215::1:2
        - 45.66.111.205
      ns-2.pub:
        - 2a09:6840:215::1:3
        - 45.66.111.207
      ns-3.ovh:
        - 92.222.211.194

  # 45.66.108.0/24 reverse: NS/SOA only, no PTRs generated from knotd__hosts.
  108.66.45.in-addr.arpa:
    dnssec_policy: ripe
    notify:
      - xfr-ns-1
      - xfr-ns-2
      - xfr-ns-3
    acl:
      - xfr
    soa:
      mname: ns-master.int.infra.auro.re.
    ns:
      - target:
          - ns-1.pub.infra.auro.re.
          - ns-2.pub.infra.auro.re.
          - ns-3.ovh.infra.auro.re.

  # 45.66.109.0/24 reverse: NS/SOA only, no PTRs generated from knotd__hosts.
  109.66.45.in-addr.arpa:
    dnssec_policy: ripe
    notify:
      - xfr-ns-1
      - xfr-ns-2
      - xfr-ns-3
    acl:
      - xfr
    soa:
      mname: ns-master.int.infra.auro.re.
    ns:
      - target:
          - ns-1.pub.infra.auro.re.
          - ns-2.pub.infra.auro.re.
          - ns-3.ovh.infra.auro.re.

  # 45.66.110.0/24 reverse: PTRs for the member hosts (adh.auro.re).
  110.66.45.in-addr.arpa:
    dnssec_policy: ripe
    notify:
      - xfr-ns-1
      - xfr-ns-2
      - xfr-ns-3
    acl:
      - xfr
    soa:
      mname: ns-master.int.infra.auro.re.
    ns:
      - target:
          - ns-1.pub.infra.auro.re.
          - ns-2.pub.infra.auro.re.
          - ns-3.ovh.infra.auro.re.
    reverse_hosts: "{{ knotd__hosts['adh.auro.re']
      | ip_filter(['45.66.110.0/24'])
      | add_origin_keys('adh.auro.re.') }}"

  # 45.66.111.0/24 reverse: PTRs for the auro.re service hosts.
  111.66.45.in-addr.arpa:
    dnssec_policy: ripe
    notify:
      - xfr-ns-1
      - xfr-ns-2
      - xfr-ns-3
    acl:
      - xfr
    soa:
      mname: ns-master.int.infra.auro.re.
    ns:
      - target:
          - ns-1.pub.infra.auro.re.
          - ns-2.pub.infra.auro.re.
          - ns-3.ovh.infra.auro.re.
    reverse_hosts: "{{ knotd__hosts['auro.re']
      | ip_filter(['45.66.111.0/24'])
      | add_origin_keys('auro.re.') }}"

  # 2a09:6840::/32 reverse: PTRs for auro.re and adh.auro.re hosts. The
  # infra.auro.re hosts are defined inline above, not in knotd__hosts, so
  # they get no PTR here.
  0.4.8.6.9.0.a.2.ip6.arpa:
    dnssec_policy: ripe
    notify:
      - xfr-ns-1
      - xfr-ns-2
      - xfr-ns-3
    acl:
      - xfr
    soa:
      mname: ns-master.int.infra.auro.re.
    ns:
      - target:
          - ns-1.pub.infra.auro.re.
          - ns-2.pub.infra.auro.re.
          - ns-3.ovh.infra.auro.re.
    reverse_hosts: "{{ knotd__hosts['auro.re']
      | ip_filter(['2a09:6840::/32'])
      | add_origin_keys('auro.re.')
      | combine(knotd__hosts['adh.auro.re']
      | ip_filter(['2a09:6840::/32'])
      | add_origin_keys('adh.auro.re.')) }}"
...