From f880e43321e5e730d06f4d63846501b5908e28e4 Mon Sep 17 00:00:00 2001 
From: s3lph Date: Sat, 16 Jan 2021 02:00:19 +0100 Subject: [PATCH] knot monoculture --- galaxy.yml | 3 +- roles/{master => knot}/defaults/main.yml | 3 +- roles/{master => knot}/handlers/main.yml | 0 roles/knot/tasks/config.yml | 35 +++++++ roles/{master => knot}/tasks/install.yml | 0 roles/{master => knot}/tasks/main.yml | 0 roles/knot/templates/etc/knot/knot.conf.j2 | 95 +++++++++++++++++++ .../templates/var/lib/knot/master/zone.j2 | 0 roles/master/tasks/config.yml | 64 ------------- roles/master/templates/etc/knot/knot.conf.j2 | 5 - .../etc/knot/knot.d/00-server.conf.j2 | 14 --- .../etc/knot/knot.d/10-master.conf.j2 | 46 --------- roles/replica/defaults/main.yml | 14 --- roles/replica/handlers/main.yml | 6 -- roles/replica/tasks/config.yml | 35 ------- roles/replica/tasks/install.yml | 12 --- roles/replica/tasks/main.yml | 13 --- .../etc/nsd/nsd.conf.d/00-server.conf.j2 | 18 ---- .../etc/nsd/nsd.conf.d/10-replica.conf.j2 | 21 ---- roles/replica/templates/etc/nsd/nsd.conf.j2 | 13 --- 20 files changed, 133 insertions(+), 264 deletions(-) rename roles/{master => knot}/defaults/main.yml (81%) rename roles/{master => knot}/handlers/main.yml (100%) create mode 100644 roles/knot/tasks/config.yml rename roles/{master => knot}/tasks/install.yml (100%) rename roles/{master => knot}/tasks/main.yml (100%) create mode 100644 roles/knot/templates/etc/knot/knot.conf.j2 rename roles/{master => knot}/templates/var/lib/knot/master/zone.j2 (100%) delete mode 100644 roles/master/tasks/config.yml delete mode 100644 roles/master/templates/etc/knot/knot.conf.j2 delete mode 100644 roles/master/templates/etc/knot/knot.d/00-server.conf.j2 delete mode 100644 roles/master/templates/etc/knot/knot.d/10-master.conf.j2 delete mode 100644 roles/replica/defaults/main.yml delete mode 100644 roles/replica/handlers/main.yml delete mode 100644 roles/replica/tasks/config.yml delete mode 100644 roles/replica/tasks/install.yml delete mode 100644 roles/replica/tasks/main.yml delete mode 100644 
roles/replica/templates/etc/nsd/nsd.conf.d/00-server.conf.j2 delete mode 100644 roles/replica/templates/etc/nsd/nsd.conf.d/10-replica.conf.j2 delete mode 100644 roles/replica/templates/etc/nsd/nsd.conf.j2 diff --git a/galaxy.yml b/galaxy.yml index 44fb1f1..531884e 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -8,7 +8,7 @@ namespace: s3lph name: nameserver # The version of the collection. Must be compatible with semantic versioning -version: 1.0.0 +version: 0.2 # The path to the Markdown (.md) readme file. This path is relative to the root of the collection readme: README.md @@ -37,7 +37,6 @@ license_file: '' tags: - dns - knot - - nsd - nameserver - dnssec diff --git a/roles/master/defaults/main.yml b/roles/knot/defaults/main.yml similarity index 81% rename from roles/master/defaults/main.yml rename to roles/knot/defaults/main.yml index 61ac29f..f40b055 100644 --- a/roles/master/defaults/main.yml +++ b/roles/knot/defaults/main.yml @@ -11,7 +11,8 @@ knot_log_targets: - target: syslog level: info -knot_zone_storage_path: /var/lib/knot/master +knot_zone_master_storage_path: /var/lib/knot/master +knot_zone_replica_storage_path: /var/lib/knot/replica knot_zone_semantic_checks: 'on' knot_zone_dnssec_signing: 'on' diff --git a/roles/master/handlers/main.yml b/roles/knot/handlers/main.yml similarity index 100% rename from roles/master/handlers/main.yml rename to roles/knot/handlers/main.yml diff --git a/roles/knot/tasks/config.yml b/roles/knot/tasks/config.yml new file mode 100644 index 0000000..cd5591b --- /dev/null +++ b/roles/knot/tasks/config.yml 
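Review bot: `version: 0.2` in galaxy.yml is not a three-part semantic version, which the comment directly above the field requires and which `ansible-galaxy collection build` is likely to reject; as a plain scalar it is also parsed as a YAML float rather than a string. `version: "0.2.0"` satisfies both. Going from `1.0.0` down to `0.2` while renaming the role and dropping `knot_zone_storage_path` is a backwards-incompatible change that a lower version number does not signal to consumers of the collection.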
@@ -0,0 +1,35 @@ +--- + +- name: create knot zone directories + file: + path: "{{ item }}" + state: directory + owner: knot + group: knot + mode: 0750 + loop: + - "{{ knot_zone_master_storage_path }}" + - "{{ knot_zone_replica_storage_path }}" + +- name: render knot zone files + template: + src: var/lib/knot/master/zone.j2 + dest: "{{ knot_zone_master_storage_path }}/{{ item.name }}.zone" + owner: knot + group: knot + mode: 0640 + validate: /usr/bin/kzonecheck -v %s + when: "inventory_hostname in item.masters" + loop: "{{ hostvars[inventory_hostname] | dict2items | selectattr('key', 'match', '^knot_zone_.+$') | map(attribute='value') | list }}" + notify: reload knot + +- name: render knot master config + template: + src: etc/knot/knot.conf.j2 + dest: /etc/knot/knot.conf + owner: knot + group: knot + mode: 0640 + vars: + zones: "{{ hostvars[inventory_hostname] | dict2items | selectattr('key', 'match', '^knot_zone_.+$') | map(attribute='value') | list }}" + notify: reload knot diff --git a/roles/master/tasks/install.yml b/roles/knot/tasks/install.yml similarity index 100% rename from roles/master/tasks/install.yml rename to roles/knot/tasks/install.yml diff --git a/roles/master/tasks/main.yml b/roles/knot/tasks/main.yml similarity index 100% rename from roles/master/tasks/main.yml rename to roles/knot/tasks/main.yml diff --git a/roles/knot/templates/etc/knot/knot.conf.j2 b/roles/knot/templates/etc/knot/knot.conf.j2 new file mode 100644 index 0000000..614be81 --- /dev/null +++ b/roles/knot/templates/etc/knot/knot.conf.j2 
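Review bot: The `loop:` on "render knot zone files" (and the identical `zones:` expression on "render knot master config") selects every hostvar whose key matches `^knot_zone_.+$`; as far as I can tell that also matches the role's own defaults `knot_zone_master_storage_path`, `knot_zone_replica_storage_path`, `knot_zone_semantic_checks` and `knot_zone_dnssec_signing` once they are visible through `hostvars`, and those values are scalars, so `item.masters` in the `when:` and `item.name` in `dest:` would error on them. Keeping only mapping values avoids this: `loop: "{{ hostvars[inventory_hostname] | dict2items | selectattr('key', 'match', '^knot_zone_.+$') | selectattr('value', 'mapping') | map(attribute='value') | list }}"`, or use a key prefix the defaults do not share. Since the same expression appears twice, computing it once (a `set_fact` task or a role var) keeps the two tasks from drifting apart. Separately, `mode: 0750` and `mode: 0640` are plain YAML integers; quote them as `mode: "0750"` and `mode: "0640"` so the parser cannot reinterpret the octal value.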
@@ -0,0 +1,95 @@ +{{ ansible_managed | comment }} + +# See knot.conf(5) or refer to the server documentation. + +server: + rundir: "{{ knot_server_rundir }}" + user: "{{ knot_server_user }}:{{ knot_server_group }}" +{% for addr in knot_server_listen %} + listen: "{{ addr }}" +{% endfor %} + +log: +{% for target in knot_log_targets %} + - target: "{{ target.target }}" + any: "{{ target.level }}" +{% endfor %} + + +# +# ALL KNOWN REMOTES +# + +remote: +{% for remote in ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) ) | flatten | unique %} + - id: remote-{{ remote }} +{% for address in hostvars[remote].knot_dns_addresses %} + address: "{{ address }}" +{% endfor %} +{% endfor %} + +acl: +{% for remote in ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) ) | flatten | unique %} + - id: acl-xfr-{{ remote }} + action: transfer +{% for address in hostvars[remote].knot_dns_addresses %} + address: "{{ address }}" +{% endfor %} +{% endfor %} + +# +# MASTER ZONES +# + +{% for zone in zones %} +{% if inventory_hostname in zone.masters %} + +policy: + - id: dnssec-{{ zone.name }} + algorithm: {{ knot_dnssec_policy_algorithm }} + nsec3: {{ knot_dnssec_policy_nsec3 }} + ksk-size: {{ knot_dnssec_policy_ksk_size }} + zsk-size: {{ knot_dnssec_policy_zsk_size }} + ksk-shared: {{ knot_dnssec_policy_ksk_shared }} + cds-cdnskey-publish: {{ knot_dnssec_policy_cds_publish }} + +zone: + - domain: {{ zone.name }}. 
+ storage: {{ knot_zone_master_storage_path }} + semantic-checks: {{ knot_zone_semantic_checks }} + serial-policy: unixtime + zonefile-load: difference + dnssec-signing: {{ knot_zone_dnssec_signing }} + dnssec-policy: dnssec-{{ zone.name }} +{% for replica in zone.replicas %} + acl: acl-xfr-{{ replica }} +{% endfor %} +{% for replica in zone.replicas %} + notify: remote-{{ replica }} +{% endfor %} + +{% endif %} +{% endfor %} + + +# +# REPLICA ZONES +# + +{% for zone in zones %} +{% if inventory_hostname in zone.replicas %} + +zone: + - domain: {{ zone.name }}. + storage: {{ knot_zone_replica_storage_path }} + serial-policy: unixtime +{% for master in zone.masters %} + acl: acl-xfr-{{ master }} +{% endfor %} +{% for master in zone.masters %} + master: remote-{{ master }} +{% endfor %} + +{% endif %} +{% endfor %} + diff --git a/roles/master/templates/var/lib/knot/master/zone.j2 b/roles/knot/templates/var/lib/knot/master/zone.j2 similarity index 100% rename from roles/master/templates/var/lib/knot/master/zone.j2 rename to roles/knot/templates/var/lib/knot/master/zone.j2 diff --git a/roles/master/tasks/config.yml b/roles/master/tasks/config.yml deleted file mode 100644 index 9f44d5d..0000000 --- a/roles/master/tasks/config.yml +++ /dev/null 
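Review bot: The replica zones reference `acl: acl-xfr-{{ master }}`, whose only action is `transfer`; Knot accepts an incoming NOTIFY only from a remote matched by an ACL with `action: notify`, so the NOTIFYs the master zones send via `notify: remote-{{ replica }}` would be refused on the replica and updates would wait for the SOA refresh timer. A second ACL per remote with `action: notify`, referenced from the replica zone instead of the transfer ACL, fixes this (below). Both `remote:` and `acl:` identify peers by address alone, so zone data arrives over AXFR/IXFR without any authentication; adding a TSIG `key:` to the remote and to both ACLs would make transfers and notifies from an unexpected source be rejected rather than trusted. The `hostvars[remote].knot_dns_addresses` lookup also assumes every entry in `masters`/`replicas` is an inventory host that defines that variable — worth a comment at the top of the template.
```jinja
acl:
{% for remote in ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) ) | flatten | unique %}
  - id: acl-xfr-{{ remote }}
    action: transfer
{% for address in hostvars[remote].knot_dns_addresses %}
    address: "{{ address }}"
{% endfor %}
  - id: acl-notify-{{ remote }}
    action: notify
{% for address in hostvars[remote].knot_dns_addresses %}
    address: "{{ address }}"
{% endfor %}
{% endfor %}

{# … unchanged: master zones … #}

{# replica zones: accept NOTIFY from the masters instead of granting them transfers #}
{% for master in zone.masters %}
    acl: acl-notify-{{ master }}
{% endfor %}
```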
@@ -1,64 +0,0 @@ ---- - -- name: render knot master config - template: - src: etc/knot/knot.conf.j2 - dest: /etc/knot/knot.conf - owner: knot - group: knot - mode: 0640 - notify: reload knot - -- name: create knot config directory - file: - path: /etc/knot/knot.d - state: directory - owner: knot - group: knot - mode: 0750 - -- name: create knot zone directory - file: - path: /var/lib/knot/master - state: directory - owner: knot - group: knot - mode: 0750 - -- name: render knot zone files - template: - src: var/lib/knot/master/zone.j2 - dest: "/var/lib/knot/master/{{ zone.name }}zone" - owner: knot - group: knot - mode: 0640 - validate: /usr/bin/kzonecheck -v %s - vars: - zone: "{{ hostvars[inventory_hostname]['knot_zone_' + item.1] }}" - loop: "{{ knot_zone_groups | subelements('zones') }}" - notify: reload knot - -- name: render knot server config - template: - src: etc/knot/knot.d/00-server.conf.j2 - dest: /etc/knot/knot.d/00-server.conf - owner: knot - group: knot - mode: 0640 - notify: reload knot - -- name: render knot master configs - template: - src: etc/knot/knot.d/10-master.conf.j2 - dest: "/etc/knot/knot.d/{{ 10+i }}-master-{{ item.name }}.conf" - owner: root - group: root - mode: 0644 - vars: - name: "{{ item.name }}" - replicas: "{{ item.replicas }}" - zones: "{{ item.zones }}" - loop: "{{ knot_zone_groups }}" - loop_control: - index_var: i - notify: reload knot diff --git a/roles/master/templates/etc/knot/knot.conf.j2 b/roles/master/templates/etc/knot/knot.conf.j2 deleted file mode 100644 index 1c02956..0000000 --- a/roles/master/templates/etc/knot/knot.conf.j2 +++ /dev/null @@ -1,5 +0,0 @@ -{{ ansible_managed | comment }} - -# See knot.conf(5) or refer to the server documentation. - -include: /etc/knot/knot.d/*.conf diff --git a/roles/master/templates/etc/knot/knot.d/00-server.conf.j2 b/roles/master/templates/etc/knot/knot.d/00-server.conf.j2 deleted file mode 100644 index 6638a90..0000000 
--- a/roles/master/templates/etc/knot/knot.d/00-server.conf.j2 +++ /dev/null @@ -1,14 +0,0 @@ -{{ ansible_managed | comment }} - -server: - rundir: "{{ knot_server_rundir }}" - user: "{{ knot_server_user }}:{{ knot_server_group }}" -{% for addr in knot_server_listen %} - listen: "{{ addr }}" -{% endfor %} - -log: -{% for target in knot_log_targets %} - - target: "{{ target.target }}" - any: "{{ target.level }}" -{% endfor %} diff --git a/roles/master/templates/etc/knot/knot.d/10-master.conf.j2 b/roles/master/templates/etc/knot/knot.d/10-master.conf.j2 deleted file mode 100644 index dcec5c8..0000000 --- a/roles/master/templates/etc/knot/knot.d/10-master.conf.j2 +++ /dev/null @@ -1,46 +0,0 @@ -{{ ansible_managed | comment }} - -# -# Master configuration for zones in group {{ name }} -# - -acl: - - id: xfr-{{ name }} - action: transfer -{% for replica in replicas %} - address: "{{ replica }}" -{% endfor %} - -remote: -{% for replica in replicas %} - - id: remote-{{ name }}-{{ loop.index0 }} - address: "{{ replica }}" -{% endfor %} - -policy: - - id: dnssec-{{ name }} - algorithm: {{ knot_dnssec_policy_algorithm }} - nsec3: {{ knot_dnssec_policy_nsec3 }} - ksk-size: {{ knot_dnssec_policy_ksk_size }} - zsk-size: {{ knot_dnssec_policy_zsk_size }} - ksk-shared: {{ knot_dnssec_policy_ksk_shared }} - cds-cdnskey-publish: {{ knot_dnssec_policy_cds_publish }} - -template: - - id: {{ name }} - storage: {{ knot_zone_storage_path }} - semantic-checks: {{ knot_zone_semantic_checks }} - serial-policy: unixtime - zonefile-load: difference - dnssec-signing: {{ knot_zone_dnssec_signing }} - dnssec-policy: dnssec-{{ name }} - acl: xfr-{{ name }} -{% for replica in replicas %} - notify: remote-{{ name }}-{{ loop.index0 }} -{% endfor %} - -zone: -{% for zone in zones %} - - domain: {{ zone }}. - template: {{ name }} -{% endfor %} diff --git a/roles/replica/defaults/main.yml b/roles/replica/defaults/main.yml deleted file mode 100644 index a6546b0..0000000 
--- a/roles/replica/defaults/main.yml +++ /dev/null @@ -1,14 +0,0 @@ ---- - -nsd_server_hide_version: yes -nsd_server_verbosity: 1 -nsd_server_database: "" # disable database -nsd_server_zonefile_write: 300 -nsd_server_listen: - - "::@53" - - "0.0.0.0@53" -nsd_server_minimal_responses: yes -nsd_server_refuse_any: yes - -nsd_remote_control_enable: yes -nsd_remote_control_interface: /var/run/nsd.sock diff --git a/roles/replica/handlers/main.yml b/roles/replica/handlers/main.yml deleted file mode 100644 index 6490ef0..0000000 --- a/roles/replica/handlers/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- - -- name: reload nsd - service: - name: nsd - state: reloaded diff --git a/roles/replica/tasks/config.yml b/roles/replica/tasks/config.yml deleted file mode 100644 index 4f5bc66..0000000 --- a/roles/replica/tasks/config.yml +++ /dev/null @@ -1,35 +0,0 @@ ---- - -- name: render nsd main config - template: - src: etc/nsd/nsd.conf.j2 - dest: /etc/nsd/nsd.conf - owner: root - group: root - mode: 0644 - notify: reload nsd - -- name: render nsd server config - template: - src: etc/nsd/nsd.conf.d/00-server.conf.j2 - dest: /etc/nsd/nsd.conf.d/00-server.conf - owner: root - group: root - mode: 0644 - notify: reload nsd - -- name: render nsd replica configs - template: - src: etc/nsd/nsd.conf.d/10-replica.conf.j2 - dest: "/etc/nsd/nsd.conf.d/{{ 10+i }}-replica-{{ item.primary }}.conf" - owner: root - group: root - mode: 0644 - vars: - primary: "{{ item.primary }}" - masters: "{{ item.masters }}" - zones: "{{ item.zones }}" - loop: "{{ nsd_zone_groups }}" - loop_control: - index_var: i - notify: reload nsd diff --git a/roles/replica/tasks/install.yml b/roles/replica/tasks/install.yml deleted file mode 100644 index f642a0d..0000000 --- a/roles/replica/tasks/install.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- - -- name: install nsd - package: - name: nsd - state: present - -- name: start and enable nsd - service: - name: nsd - state: started - enabled: yes 
diff --git a/roles/replica/tasks/main.yml b/roles/replica/tasks/main.yml deleted file mode 100644 index 363890a..0000000 --- a/roles/replica/tasks/main.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- - -- name: install nsd - import_tasks: install.yml - tags: - - "role::nameserver:replica" - - "role::nameserver:replica:install" - -- name: configure nsd - import_tasks: config.yml - tags: - - "role::nameserver:replica" - - "role::nameserver:replica:config" diff --git a/roles/replica/templates/etc/nsd/nsd.conf.d/00-server.conf.j2 b/roles/replica/templates/etc/nsd/nsd.conf.d/00-server.conf.j2 deleted file mode 100644 index cd34420..0000000 --- a/roles/replica/templates/etc/nsd/nsd.conf.d/00-server.conf.j2 +++ /dev/null @@ -1,18 +0,0 @@ -{{ ansible_managed | comment }} - -server: - hide-version: {{ nsd_server_hide_version | ternary('yes', 'no') }} - verbosity: {{ nsd_server_verbosity }} - database: "{{ nsd_server_database }}" - zonefiles-write: {{ nsd_server_zonefile_write }} - -{% for addr in nsd_server_listen %} - ip-address: "{{ addr }}" -{% endfor %} - - minimal-responses: {{ nsd_server_minimal_responses | ternary('yes', 'no') }} - refuse-any: {{ nsd_server_refuse_any | ternary('yes', 'no') }} - -remote-control: - control-enable: {{ nsd_remote_control_enable | ternary('yes', 'no') }} - control-interface: {{ nsd_remote_control_interface }} diff --git a/roles/replica/templates/etc/nsd/nsd.conf.d/10-replica.conf.j2 b/roles/replica/templates/etc/nsd/nsd.conf.d/10-replica.conf.j2 deleted file mode 100644 index 6fa181c..0000000 --- a/roles/replica/templates/etc/nsd/nsd.conf.d/10-replica.conf.j2 +++ /dev/null 
@@ -1,21 +0,0 @@ -{{ ansible_managed | comment }} - -# -# Replica for zones of primary {{ primary }} -# - -pattern: - name: xfr-{{ primary }} - zonefile: "/var/lib/nsd/replica/%szone" -{% for addr in masters %} - allow-notify: {{ addr }} NOKEY -{% endfor %} -{% for addr in masters %} - request-xfr: {{ addr }} NOKEY -{% endfor %} - -{% for zone in zones %} -zone: - name: {{ zone }}. - include-pattern: "xfr-{{ primary }}" -{% endfor %} diff --git a/roles/replica/templates/etc/nsd/nsd.conf.j2 b/roles/replica/templates/etc/nsd/nsd.conf.j2 deleted file mode 100644 index 937eac5..0000000 --- a/roles/replica/templates/etc/nsd/nsd.conf.j2 +++ /dev/null @@ -1,13 +0,0 @@ -{{ ansible_managed | comment }} - -# NSD configuration file for Debian. -# -# See the nsd.conf(5) man page. -# -# See /usr/share/doc/nsd/examples/nsd.conf for a commented -# reference config file. -# -# The following line includes additional configuration files from the -# /etc/nsd/nsd.conf.d directory. - -include: "/etc/nsd/nsd.conf.d/*.conf"