ansible/host_vars/ns-master.int.infra.auro.re/knotd.yml

615 lines
13 KiB
YAML

---
knotd__listen:
- address: 0.0.0.0
- address: "::"
knotd__keys:
xfr:
algorithm: hmac-sha512
secret: "{{ vault_knotd_xfr_key }}"
ksk-infra:
algorithm: hmac-sha512
secret: "{{ vault_knotd_ksk_infra_key }}"
update-acme-challenge:
algorithm: hmac-sha512
secret: "{{ vault_certbot_dns_secret }}"
knotd__remotes:
xfr-ns-1:
address: 2a09:6840:215::1:2
key: xfr
xfr-ns-2:
address: 2a09:6840:215::1:3
key: xfr
xfr-ns-3:
address: 10.128.0.109
key: xfr
ksk-infra:
address: ::1
key: ksk-infra
knotd__policies:
public:
algorithm: ECDSAP256SHA256
reproducible_signing: true
# Je n'ai pas trouvé de façon de pousser les records automatiquement
# sur .re, donc pour éviter d'oublier de le faire manuellement, la
# KSK n'expire pas
ksk_lifetime: 0
zsk_lifetime: 30d
nsec3: true
infra:
algorithm: ECDSAP256SHA256
ksk_lifetime: 365d
zsk_lifetime: 30d
nsec3: on
ds-push: ksk-infra
cds-cdnskey-publish: rollover
ksk-submission: infra
ripe:
algorithm: ECDSAP256SHA256
ksk_lifetime: 365d
zsk_lifetime: 30d
nsec3: on
ds-push: ksk-ripe
cds-cdnskey-publish: rollover
ksk-submission: ripe
knotd__acl:
xfr:
addresses:
- 2a09:6840:128::109
- 10.128.0.109
- 2a09:6840:215::1:2
- 45.66.111.205
- 2a09:6840:215::1:3
- 45.66.111.207
action: transfer
key: xfr
ksk-infra:
addresses:
- 127.0.0.1
- ::1
key: ksk-infra
action: update
update_types:
- DS
update_owner: name
update_owner_match: equal
update_owner_name:
- infra
update-acme-challenge:
addresses:
- 10.128.0.0/16
- 2a09:6840:128::/48
key: update-acme-challenge
action: update
update_types:
- TXT
update_owner: name
update_owner_match: equal
update_owner_name:
- _acme-challenge.auro.re.
knotd__queryacl:
local:
addresses:
- 10.0.0.0/8
knotd__soa_rname: root@auro.re.
knotd__hosts:
auro.re:
proxy-ovh:
- 92.222.211.195
horus:
- 92.23.218.136
ns-1:
- 45.66.111.205
- 2a09:6840:215::1:2
ns-2:
- 92.222.211.194
serge:
- 92.222.211.196
lama:
- 185.230.78.220
- 2a0c:700:12:0:67:e5ff:fee9:108
vpn-ovh:
- 92.222.211.197
passerelle:
- 45.66.111.254
- 2a09:6840:111::254
proxy:
- 45.66.111.61
- 2a09:6840:111::61
camelot:
- 45.66.111.59
- 2a09:6840:111::59
mail:
- 45.66.111.62
- 2a09:6840:111::62
galene:
- 45.66.111.65
- 2a09:6840:111::65
aclyas:
- 45.66.111.231
- 2a09:6840:111::231
jitsi:
- 45.66.111.55
- 2a09:6840:111::55
portail-fleming:
- 10.13.0.247
- 2a09:6840:13::247
portail-pacaterie:
- 10.23.0.247
- 2a09:6840:23::247
portail-rives:
- 10.33.0.247
- 2a09:6840:33::247
portail-edc:
- 10.43.0.247
- 2a09:6840:43::247
portail-gs:
- 10.53.0.247
- 2a09:6840:53::247
grocy.bric:
- 45.66.111.133
- 2a09:6840:111::133
adh.auro.re:
hoffman:
- 45.66.110.1
- 2a09:6840:110:0:2d8:61ff:fe56:d7eb
hindley:
- 45.66.110.3
- 2a09:6840:110:0:a6ba:dbff:fe03:1f36
yberreby:
- 45.66.110.5
- 2a09:6840:110:0:d896:1dff:fe59:8381
paon:
- 45.66.110.10
- 2a09:6840:110:0:231:92ff:fe1b:ae22
lovelace:
- 45.66.110.45
- 2a09:6840:110:0:c634:6bff:feb5:7bcc
switch-leo:
- 45.66.110.103
- 2a09:6840:110:0:82cc:9cff:fe82:ca3e
haskell:
- 45.66.110.112
- 2a09:6840:110:0:f4ac:cbff:fe81:7f48
lyshyga0:
- 45.66.110.113
- 2a09:6840:110:0:6af7:28ff:fe91:e8d9
pz28910:
- 45.66.110.114
vinsing0:
- 45.66.110.123
- 2a09:6840:110:0:1e1b:dff:fe90:7d81
osc-routeur:
- 45.66.110.125
- 2a09:6840:110:0:ba27:ebff:fe2d:c1a1
odroid:
- 45.66.110.154
- 2a09:6840:110:0:21e:6ff:fe49:e00
amau0:
- 45.66.110.164
- 2a09:6840:110:0:3e7c:3fff:fec3:27d1
regulus:
- 45.66.110.180
- 2a09:6840:110:0:2ef0:5dff:fe2a:1530
toaster:
- 45.66.110.188
- 2a09:6840:110:0:5246:5dff:fe9a:f70
rpijutax:
- 45.66.110.190
- 2a09:6840:110:0:ba27:ebff:fe76:a9bc
lafeychine:
- 45.66.110.200
- 2a09:6840:110:0:46a5:6eff:fe71:1
polaris:
- 45.66.110.245
- 2a09:6840:110:0:dea6:32ff:feb4:d033
knotd__zones:
auro.re:
dnssec_policy: public
notify:
- xfr-ns-1
- xfr-ns-2
- xfr-ns-3
acl:
- update-acme-challenge
- ksk-infra
- xfr
soa:
mname: ns-master.int.infra
ns:
- target:
- ns-1.pub.infra
- ns-2.pub.infra
- ns-3.ovh.infra
- name: infra
target:
- ns-1.pub.infra
- ns-2.pub.infra
- ns-3.ovh.infra
- name: test
target:
- ns-1.pub.infra
- ns-2.pub.infra
- ns-3.ovh.infra
- name: adm
target:
- serge
- lama
- name: ups
target:
- serge
- lama
- name: switch
target:
- serge
- lama
- name: borne
target:
- serge
- lama
mx:
- exchange: mail
preference: 5
- exchange: proxy-ovh
preference: 10
txt:
- data: v=spf1 mx -all
a:
- address: 92.222.211.195
cname:
- name:
- gisti
- gistiti
target: jitsi
- name:
- element
- riot
- auth
- rss
- codimd
- hedgedoc
- grist
- kanboard
- www
- pad
- privatebin
- zero
- paste
target: proxy-ovh
- name:
- grafana
- nextcloud
- cloud
- office
target: proxy.pub.infra
- name:
- netbox
- wiki
- matrix
- drone
- gitea
- re2o
- vote
target: proxy
- name: intranet
target: re2o
- name:
- smtp
- imap
target: mail
- name:
- prometheus-paul.adh
- pma-paul.adh
- nextcloud-paul.adh
- grafana-paul.adh
- jellyfin.adh
- monitoring.adh
- beta-mpp.adh
- pz28.adh
target: lucepaul.myvnc.com.
- name:
- services-1.pve
target: services-1.pve.infra
- name:
- services-2.pve
target: services-2.pve.infra
- name:
- services-3.pve
target: services-3.pve.infra
hosts: "{{ knotd__hosts['auro.re']
| combine(knotd__hosts['adh.auro.re']
| add_origin_keys('adh.auro.re.')) }}"
test.auro.re:
dnssec_policy: public
notify:
- xfr-ns-1
- xfr-ns-2
- xfr-ns-3
acl:
- xfr
soa:
mname: ns-master.int.infra.auro.re.
txt:
- data: v=spf1 mx -all
- name: _dmarc
data: v=DMARC1;p=quarantine;pct=100;rua=mailto:postmaster@test.auro.re;ruf=mailto:postmaster@test.auro.re
ns:
- target:
- ns-1.pub.infra.auro.re.
- ns-2.pub.infra.auro.re.
- ns-3.ovh.infra.auro.re.
mx:
- exchange: mx
preference: 5
cname:
- name:
- www1
- www2
- www3
target: proxy.pub.infra.auro.re.
hosts:
mx:
- 2a09:6840:211::1:5
- 45.66.111.205
infra.auro.re:
dnssec_policy: infra
notify:
- xfr-ns-1
- xfr-ns-2
- xfr-ns-3
acl:
- xfr
#queryacl: local
soa:
mname: ns-master.int
ns:
- target:
- ns-1.pub.infra.auro.re.
- ns-2.pub.infra.auro.re.
- ns-3.ovh.infra.auro.re.
hosts:
services-1.ceph:
- 10.214.1.1
- "2a09:6840:214::1:1"
services-2.ceph:
- 10.214.1.2
- "2a09:6840:214::1:2"
services-3.ceph:
- 10.214.1.3
- "2a09:6840:209::1:3"
services-1.pve:
- 10.209.2.1
- 2a09:6840:209::2:1
services-2.pve:
- 10.209.2.2
- 2a09:6840:209::2:2
services-3.pve:
- 10.209.2.3
- 2a09:6840:209::2:3
ns-master.int:
- 10.128.0.110
- 2a09:6840:128:0::110
network-1.pve:
- 2a09:6840:209::1:1
- 10.209.1.1
network-2.pve:
- 2a09:6840:209::1:2
- 10.209.1.2
edge-1.back:
- 2a09:6840:203::1:1
- 10.203.1.1
edge-2.back:
- 2a09:6840:203::1:2
- 10.203.1.2
dns-1.int:
- 2a09:6840:206::1:1
- 10.206.1.1
dns-2.int:
- 2a09:6840:206::1:2
- 10.206.1.2
nis2.int:
- 2a09:6840:206::2:1
- 10.206.2.1
wg-1.vpn:
- 2a09:6840:213::1:3
- 10.213.1.3
wg-2.vpn:
- 2a09:6840:213::1:4
- 10.213.1.4
infra-1.back:
- 2a09:6840:203::1:3
- 10.203.1.3
infra-2.back:
- 2a09:6840:203::1:4
- 10.203.1.4
isp-1.back:
- 2a09:6840:203::1:5
- 10.203.1.5
isp-2.back:
- 2a09:6840:203::1:6
- 10.203.1.6
dhcp-1.isp:
- 2a09:6840:210::1:1
- 10.210.1.1
dhcp-2.isp:
- 2a09:6840:210::1:2
- 10.210.1.2
radius-1.isp:
- 2a09:6840:210::1:3
- 10.210.1.3
radius-2.isp:
- 2a09:6840:210::1:4
- 10.210.1.4
ldap-1.int:
- 10.128.10.8
- 2a09:6840:128::10:8
ldap-2.int:
- 10.128.10.108
- 2a09:6840:128::10:108
ntp-1.int:
- 2a09:6840:206::1:5
- 10.206.1.5
ntp-2.int:
- 2a09:6840:206::1:6
- 10.206.1.6
prometheus-1.monit:
- 2a09:6840:204::1:1
- 10.204.1.1
prometheus-2.monit:
- 2a09:6840:204::1:2
- 10.204.1.2
ff-1.core.sw:
#- 2a09:6840:207::1:1
- 10.207.1.1
ff-2.core.sw:
#- 2a09:6840:207::1:2
- 10.207.1.2
fl-1.core.sw:
#- 2a09:6840:207::1:3
- 10.207.1.3
fl-2.core.sw:
#- 2a09:6840:207::1:4
- 10.207.1.4
fd-1.core.sw:
#- 2a09:6840:207::1:5
- 10.207.1.5
ff-3.core.sw:
#- 2a09:6840:207::1:6
- 10.207.1.6
gk-1.core.sw:
#- 2a09:6840:207::2:1
- 10.207.2.1
eb-1.core.sw:
#- 2a09:6840:207::3:1
- 10.207.3.1
r3-1.core.sw:
#- 2a09:6840:207::4:1
- 10.207.4.1
eb-1.ups:
- 2a09:6840:201::3:1
- 10.201.3.1
ec-1.ups:
- 2a09:6840:201::3:2
- 10.201.3.2
mx.test:
- 2a09:6840:211::1:5
- 10.211.1.5
collabora.ext:
- 2a09:6840:211::1:1
- 10.211.1.1
proxy.pub:
- 2a09:6840:215::1:1
- 45.66.111.206
ns-1.pub:
- 2a09:6840:215::1:2
- 45.66.111.205
ns-2.pub:
- 2a09:6840:215::1:3
- 45.66.111.207
ns-3.ovh:
- 92.222.211.194
108.66.45.in-addr.arpa:
dnssec_policy: ripe
notify:
- xfr-ns-1
- xfr-ns-2
- xfr-ns-3
acl:
- xfr
soa:
mname: ns-master.int.infra.auro.re.
ns:
- target:
- ns-1.pub.infra.auro.re.
- ns-2.pub.infra.auro.re.
- ns-3.ovh.infra.auro.re.
109.66.45.in-addr.arpa:
dnssec_policy: ripe
notify:
- xfr-ns-1
- xfr-ns-2
- xfr-ns-3
acl:
- xfr
soa:
mname: ns-master.int.infra.auro.re.
ns:
- target:
- ns-1.pub.infra.auro.re.
- ns-2.pub.infra.auro.re.
- ns-3.ovh.infra.auro.re.
110.66.45.in-addr.arpa:
dnssec_policy: ripe
notify:
- xfr-ns-1
- xfr-ns-2
- xfr-ns-3
acl:
- xfr
soa:
mname: ns-master.int.infra.auro.re.
ns:
- target:
- ns-1.pub.infra.auro.re.
- ns-2.pub.infra.auro.re.
- ns-3.ovh.infra.auro.re.
reverse_hosts: "{{ knotd__hosts['adh.auro.re']
| ip_filter(['45.66.110.0/24'])
| add_origin_keys('adh.auro.re.') }}"
111.66.45.in-addr.arpa:
dnssec_policy: ripe
notify:
- xfr-ns-1
- xfr-ns-2
- xfr-ns-3
acl:
- xfr
soa:
mname: ns-master.int.infra.auro.re.
ns:
- target:
- ns-1.pub.infra.auro.re.
- ns-2.pub.infra.auro.re.
- ns-3.ovh.infra.auro.re.
reverse_hosts: "{{ knotd__hosts['auro.re']
| ip_filter(['45.66.111.0/24'])
| add_origin_keys('auro.re.') }}"
0.4.8.6.9.0.a.2.ip6.arpa:
dnssec_policy: ripe
notify:
- xfr-ns-1
- xfr-ns-2
- xfr-ns-3
acl:
- xfr
soa:
mname: ns-master.int.infra.auro.re.
ns:
- target:
- ns-1.pub.infra.auro.re.
- ns-2.pub.infra.auro.re.
- ns-3.ovh.infra.auro.re.
reverse_hosts: "{{ knotd__hosts['auro.re']
| ip_filter(['2a09:6840::/32'])
| add_origin_keys('auro.re.')
| combine(knotd__hosts['adh.auro.re']
| ip_filter(['2a09:6840::/32'])
| add_origin_keys('adh.auro.re.')) }}"
...