aurore/ansible
aurore/ansible
11
2
Fork 0
Code Issues 1 Pull requests 13 Releases Wiki Activity
ansible/playbooks/knotd.yml

561 lines
14 KiB
YAML
Executable file
Raw Blame History

#!/usr/bin/env ansible-playbook
---
- hosts: ns-master.int.infra.auro.re
vars:
knotd__listen:
- address: 0.0.0.0
- address: "::"
knotd__keys:
xfr:
algorithm: hmac-sha512
secret: "{{ vault_knotd_xfr_key }}"
ksk-infra:
algorithm: hmac-sha512
secret: "{{ vault_knotd_ksk_infra_key }}"
update-acme-challenge:
algorithm: hmac-sha512
secret: "{{ vault_certbot_dns_secret }}"
knotd__remotes:
xfr-ns-1:
address: 10.128.0.199
key: xfr
xfr-ns-2:
address: 10.128.0.109
key: xfr
ksk-infra:
address: ::1
key: ksk-infra
knotd__policies:
public:
algorithm: ECDSAP256SHA256
reproducible_signing: true
# Je n'ai pas trouvé de façon de pousser les records automatiquement
# sur .re, donc pour éviter d'oublier de le faire manuellement, la
# KSK n'expire pas
ksk_lifetime: 0
zsk_lifetime: 30d
nsec3: true
infra:
algorithm: ECDSAP256SHA256
ksk_lifetime: 365d
zsk_lifetime: 30d
nsec3: on
ds-push: ksk-infra
cds-cdnskey-publish: rollover
ksk-submission: infra
ripe:
algorithm: ECDSAP256SHA256
ksk_lifetime: 365d
zsk_lifetime: 30d
nsec3: on
ds-push: ksk-ripe
cds-cdnskey-publish: rollover
ksk-submission: ripe
knotd__acl:
xfr:
addresses:
- 10.128.0.199
- 2a09:6840:128::199
- 10.128.0.109
- 2a09:6840:128::109
action: transfer
key: xfr
ksk-infra:
addresses:
- 127.0.0.1
- ::1
key: ksk-infra
action: update
update_types:
- DS
update_owner: name
update_owner_match: equal
update_owner_name:
- infra
update-acme-challenge:
addresses:
- 10.128.0.0/16
- 2a09:6840:128::/48
key: update-acme-challenge
action: update
update_types:
- TXT
update_owner: name
update_owner_match: equal
update_owner_name:
- _acme-challenge.auro.re.
knotd__queryacl:
local:
addresses:
- 10.0.0.0/8
knotd__soa_rname: root@auro.re.
# TODO: Netbox
knotd__hosts:
auro.re:
proxy-ovh:
- 92.222.211.195
horus:
- 92.23.218.136
ns-1:
- 45.66.111.30
- 2a09:6840:111::30
ns-2:
- 92.222.211.194
serge:
- 92.222.211.196
lama:
- 185.230.78.220
- 2a0c:700:12:0:67:e5ff:fee9:108
vpn-ovh:
- 92.222.211.197
passerelle:
- 45.66.111.254
- 2a09:6840:111::254
proxy:
- 45.66.111.61
- 2a09:6840:111::61
camelot:
- 45.66.111.59
- 2a09:6840:111::59
mail:
- 45.66.111.62
- 2a09:6840:111::62
galene:
- 45.66.111.65
- 2a09:6840:111::65
aclyas:
- 45.66.111.231
- 2a09:6840:111::231
jitsi:
- 45.66.111.55
- 2a09:6840:111::55
portail-fleming:
- 10.13.0.247
- 2a09:6840:13::247
portail-pacaterie:
- 10.23.0.247
- 2a09:6840:23::247
portail-rives:
- 10.33.0.247
- 2a09:6840:33::247
portail-edc:
- 10.43.0.247
- 2a09:6840:43::247
portail-gs:
- 10.53.0.247
- 2a09:6840:53::247
adh.auro.re:
hoffman:
- 45.66.110.1
- 2a09:6840:110:0:2d8:61ff:fe56:d7eb
hindley:
- 45.66.110.3
- 2a09:6840:110:0:a6ba:dbff:fe03:1f36
yberreby:
- 45.66.110.5
- 2a09:6840:110:0:d896:1dff:fe59:8381
paon:
- 45.66.110.10
- 2a09:6840:110:0:231:92ff:fe1b:ae22
lovelace:
- 45.66.110.45
- 2a09:6840:110:0:c634:6bff:feb5:7bcc
switch-leo:
- 45.66.110.103
- 2a09:6840:110:0:82cc:9cff:fe82:ca3e
haskell:
- 45.66.110.112
- 2a09:6840:110:0:f4ac:cbff:fe81:7f48
lyshyga0:
- 45.66.110.113
- 2a09:6840:110:0:6af7:28ff:fe91:e8d9
pz28910:
- 45.66.110.114
vinsing0:
- 45.66.110.123
- 2a09:6840:110:0:1e1b:dff:fe90:7d81
osc-routeur:
- 45.66.110.125
- 2a09:6840:110:0:ba27:ebff:fe2d:c1a1
odroid:
- 45.66.110.154
- 2a09:6840:110:0:21e:6ff:fe49:e00
amau0:
- 45.66.110.164
- 2a09:6840:110:0:3e7c:3fff:fec3:27d1
regulus:
- 45.66.110.180
- 2a09:6840:110:0:2ef0:5dff:fe2a:1530
toaster:
- 45.66.110.188
- 2a09:6840:110:0:5246:5dff:fe9a:f70
rpijutax:
- 45.66.110.190
- 2a09:6840:110:0:ba27:ebff:fe76:a9bc
lafeychine:
- 45.66.110.200
- 2a09:6840:110:0:46a5:6eff:fe71:1
polaris:
- 45.66.110.245
- 2a09:6840:110:0:dea6:32ff:feb4:d033
knotd__zones:
auro.re:
dnssec_policy: public
notify:
- xfr-ns-1
- xfr-ns-2
acl:
- update-acme-challenge
- ksk-infra
- xfr
soa:
mname: ns-master.int.infra
ns:
- target:
- ns-1
- ns-2
- name: infra
target:
- ns-1
- ns-2
- name: isp
target:
- ns-1
- ns-2
- name: adm
target:
- serge
- lama
- name: ups
target:
- serge
- lama
- name: switch
target:
- serge
- lama
- name: borne
target:
- serge
- lama
mx:
- exchange: mail
preference: 5
- exchange: proxy-ovh
preference: 10
spf:
- data: v=spf1 mx -all
a:
- address: 92.222.211.195
cname:
- name:
- element
- riot
- auth
- rss
- codimd
- hedgedoc
- kanboard
- www
- pad
- privatebin
- zero
- paste
- hétérogénéité
target: proxy-ovh
- name:
- grafana
- netbox
- wiki
- matrix
- drone
- gitea
- re2o
- nextcloud
target: proxy
- name: intranet
target: re2o
- name:
- smtp
- imap
target: mail
- name:
- prometheus-paul.adh
- pma-paul.adh
- nextcloud-paul.adh
- grafana-paul.adh
- jellyfin.adh
- monitoring.adh
- beta-mpp.adh
- pz28.adh
target: lucepaul.myvnc.com.
- name:
- services-1.pve
target: services-1.pve.infra
- name:
- services-2.pve
target: services-2.pve.infra
- name:
- services-3.pve
target: services-3.pve.infra
hosts: "{{ knotd__hosts['auro.re']
| combine(knotd__hosts['adh.auro.re']
| add_origin_keys('adh.auro.re.')) }}"
infra.auro.re:
dnssec_policy: infra
notify:
- xfr-ns-1
- xfr-ns-2
acl:
- xfr
#queryacl: local
soa:
mname: ns-master.int
ns:
- target:
- ns-1.auro.re.
- ns-2.auro.re.
hosts:
services-1.ceph:
- 10.132.1.1
- "2a09:6840:132:1:1::"
services-2.ceph:
- 10.132.1.2
- "2a09:6840:132:1:2::"
services-3.ceph:
- 10.132.1.3
- "2a09:6840:132:1:3::"
services-1.pve:
- 10.134.1.1
- 2a09:6840:132:1:1::1
services-2.pve:
- 10.134.1.2
- 2a09:6840:132:1:2::1
services-3.pve:
- 10.134.1.3
- 2a09:6840:132:1:3::1
ns-master.int:
- 10.128.0.110
- 2a09:6840:128:0::110
ec-1.ups:
- 10.131.4.1
- 2a09:6840:131::4:1
ec-2.ups:
- 10.131.4.2
- 2a09:6840:131::4:2
ldap-1.int:
- 10.128.0.10
- 2a09:6840:128::10
ntp-1.int:
- 10.128.0.203
- 2a09:6840:128::203
dns-1.int:
- 10.128.0.127
- 2a09:6840:128::127
isp-1.rtr:
- 10.128.0.255
- 2a09:6840:128::255
isp-2.rtr:
- 10.128.0.158
- 2a09:6840:128::158
edge-1.rtr:
- 10.128.0.186
- 2a09:6840:128::186
edge-2.rtr:
- 10.128.0.228
- 2a09:6840:128::228
infra-1.rtr:
- 10.128.2.76
- 2a09:6840:128::2:76
infra-2.rtr:
- 10.128.2.27
- 2a09:6840:128::2:27
radius-1.isp:
- 10.128.0.208
- 2a09:6840:128::208
isp.auro.re:
dnssec_policy: infra
notify:
- xfr-ns-1
- xfr-ns-2
acl:
- xfr
#queryacl: local
soa:
mname: ns-master.int.auro.re.
ns:
- target:
- ns-1.auro.re.
- ns-2.auro.re.
hosts:
dhcp-1:
- 10.128.0.204
- 2a09:6840:128::204
dhcp-2:
- 10.128.0.91
- 2a09:6840:128::91
108.66.45.in-addr.arpa:
dnssec_policy: ripe
notify:
- xfr-ns-1
- xfr-ns-2
acl:
- xfr
soa:
mname: ns-master.int.infra.auro.re.
ns:
- target:
- ns-1.auro.re.
- ns-2.auro.re.
109.66.45.in-addr.arpa:
dnssec_policy: ripe
notify:
- xfr-ns-1
- xfr-ns-2
acl:
- xfr
soa:
mname: ns-master.int.infra.auro.re.
ns:
- target:
- ns-1.auro.re.
- ns-2.auro.re.
110.66.45.in-addr.arpa:
dnssec_policy: ripe
notify:
- xfr-ns-1
- xfr-ns-2
acl:
- xfr
soa:
mname: ns-master.int.infra.auro.re.
ns:
- target:
- ns-1.auro.re.
- ns-2.auro.re.
reverse_hosts: "{{ knotd__hosts['adh.auro.re']
| ip_filter(['45.66.110.0/24'])
| add_origin_keys('adh.auro.re.') }}"
111.66.45.in-addr.arpa:
dnssec_policy: ripe
notify:
- xfr-ns-1
- xfr-ns-2
acl:
- xfr
soa:
mname: ns-master.int.infra.auro.re.
ns:
- target:
- ns-1.auro.re.
- ns-2.auro.re.
reverse_hosts: "{{ knotd__hosts['auro.re']
| ip_filter(['45.66.111.0/24'])
| add_origin_keys('auro.re.') }}"
0.4.8.6.9.0.a.2.ip6.arpa:
dnssec_policy: ripe
notify:
- xfr-ns-1
- xfr-ns-2
acl:
- xfr
soa:
mname: ns-master.int.infra.auro.re.
ns:
- target:
- ns-1.auro.re.
- ns-2.auro.re.
reverse_hosts: "{{ knotd__hosts['auro.re']
| ip_filter(['2a09:6840::/32'])
| add_origin_keys('auro.re.')
| combine(knotd__hosts['adh.auro.re']
| ip_filter(['2a09:6840::/32'])
| add_origin_keys('adh.auro.re.')) }}"
#reverse: "{{ nb_dns_reverse(ranges={'45.66.108.0/24'},
# vlan_suffixes=nb__dns_vlan_suffixes) }}"
#hosts: "{{ nb_dns_hosts(vlans={'int', 'ceph', 'ext', 'bmc'},
# vlan_suffixes=nb__dns_vlan_suffixes) }}"
#nb_dns__vlan_suffixes:
# external-services: ext.infra.auro.re.
# wifi-access-points: wifi.infra.auro.re.
# monitoring: monit.infra.auro.re.
# routers: rtr.infra.auro.re.
# services-ceph: ceph.infra.auro.re.
# ups: ups.infra.auro.re.
# switchs: sw.infra.auro.re.
# internal-services: int.infra.auro.re.
# bmc: bmc.infra.auro.re.
roles:
- knotd
- hosts:
- ns-1.auro.re
- ns-2.auro.re
vars:
knotd__listen:
- address: 0.0.0.0
- address: "::"
knotd__keys:
xfr:
algorithm: hmac-sha512
secret: "{{ vault_knotd_xfr_key }}"
knotd__remotes:
xfr-master:
address: 10.128.0.110
key: xfr
knotd__acl:
notify-master:
address:
- 10.128.0.110
- 2a09:6840:128::110
key: xfr
action: notify
knotd__queryacl:
local:
addresses:
- 10.0.0.0/8
knotd__zones:
auro.re:
dnssec_validation: true
acl:
- notify-master
master: xfr-master
infra.auro.re:
dnssec_validation: true
acl:
- notify-master
#queryacl: local
master: xfr-master
isp.auro.re:
dnssec_validation: true
acl:
- notify-master
master: xfr-master
108.66.45.in-addr.arpa:
dnssec_validation: false
acl:
- notify-master
master: xfr-master
109.66.45.in-addr.arpa:
dnssec_validation: false
acl:
- notify-master
master: xfr-master
110.66.45.in-addr.arpa:
dnssec_validation: false
acl:
- notify-master
master: xfr-master
111.66.45.in-addr.arpa:
dnssec_validation: false
acl:
- notify-master
master: xfr-master
0.4.8.6.9.0.a.2.ip6.arpa:
dnssec_validation: false
acl:
- notify-master
master: xfr-master
roles:
- knotd
...
Reference in a new issue View git blame Copy permalink