knot monoculture
parent
3e70575d78
commit
f880e43321
20 changed files with 133 additions and 264 deletions
|
@ -8,7 +8,7 @@ namespace: s3lph
|
||||||
name: nameserver
|
name: nameserver
|
||||||
|
|
||||||
# The version of the collection. Must be compatible with semantic versioning
|
# The version of the collection. Must be compatible with semantic versioning
|
||||||
version: 1.0.0
|
version: 0.2
|
||||||
|
|
||||||
# The path to the Markdown (.md) readme file. This path is relative to the root of the collection
|
# The path to the Markdown (.md) readme file. This path is relative to the root of the collection
|
||||||
readme: README.md
|
readme: README.md
|
||||||
|
@ -37,7 +37,6 @@ license_file: ''
|
||||||
tags:
|
tags:
|
||||||
- dns
|
- dns
|
||||||
- knot
|
- knot
|
||||||
- nsd
|
|
||||||
- nameserver
|
- nameserver
|
||||||
- dnssec
|
- dnssec
|
||||||
|
|
||||||
|
|
|
@ -11,7 +11,8 @@ knot_log_targets:
|
||||||
- target: syslog
|
- target: syslog
|
||||||
level: info
|
level: info
|
||||||
|
|
||||||
knot_zone_storage_path: /var/lib/knot/master
|
knot_zone_master_storage_path: /var/lib/knot/master
|
||||||
|
knot_zone_replica_storage_path: /var/lib/knot/replica
|
||||||
knot_zone_semantic_checks: 'on'
|
knot_zone_semantic_checks: 'on'
|
||||||
knot_zone_dnssec_signing: 'on'
|
knot_zone_dnssec_signing: 'on'
|
||||||
|
|
35
roles/knot/tasks/config.yml
Normal file
35
roles/knot/tasks/config.yml
Normal file
|
@ -0,0 +1,35 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: create knot zone directories
|
||||||
|
file:
|
||||||
|
path: "{{ item }}"
|
||||||
|
state: directory
|
||||||
|
owner: knot
|
||||||
|
group: knot
|
||||||
|
mode: 0750
|
||||||
|
loop:
|
||||||
|
- "{{ knot_zone_master_storage_path }}"
|
||||||
|
- "{{ knot_zone_replica_storage_path }}"
|
||||||
|
|
||||||
|
- name: render knot zone files
|
||||||
|
template:
|
||||||
|
src: var/lib/knot/master/zone.j2
|
||||||
|
dest: "{{ knot_zone_master_storage_path }}/{{ item.name }}.zone"
|
||||||
|
owner: knot
|
||||||
|
group: knot
|
||||||
|
mode: 0640
|
||||||
|
validate: /usr/bin/kzonecheck -v %s
|
||||||
|
when: "inventory_hostname in item.masters"
|
||||||
|
loop: "{{ hostvars[inventory_hostname] | dict2items | selectattr('key', 'match', '^knot_zone_.+$') | map(attribute='value') | list }}"
|
||||||
|
notify: reload knot
|
||||||
|
|
||||||
|
- name: render knot master config
|
||||||
|
template:
|
||||||
|
src: etc/knot/knot.conf.j2
|
||||||
|
dest: /etc/knot/knot.conf
|
||||||
|
owner: knot
|
||||||
|
group: knot
|
||||||
|
mode: 0640
|
||||||
|
vars:
|
||||||
|
zones: "{{ hostvars[inventory_hostname] | dict2items | selectattr('key', 'match', '^knot_zone_.+$') | map(attribute='value') | list }}"
|
||||||
|
notify: reload knot
|
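Review bot: The zone selector on the `loop:` line of "render knot zone files", and again under `vars: zones:` in "render knot master config", matches every host variable whose name starts with `knot_zone_`, which also describes the scalar settings this commit keeps in the role defaults (`knot_zone_master_storage_path`, `knot_zone_replica_storage_path`, `knot_zone_semantic_checks`, `knot_zone_dnssec_signing`); any host or group var overriding one of them — and the defaults themselves, if they are exposed through hostvars in the Ansible version in use — lands in the zone list as a plain string, and `item.masters` / `item.name` then fail. Filtering on the value's type keeps only real zone mappings: `loop: "{{ hostvars[inventory_hostname] | dict2items | selectattr('key', 'match', '^knot_zone_.+$') | selectattr('value', 'mapping') | map(attribute='value') | list }}"`, with the same `selectattr('value', 'mapping')` step added to the `zones:` expression. The octal `mode: 0750` / `mode: 0640` values would also be safer quoted (`mode: "0750"`, `mode: "0640"`), as ansible-lint recommends, so a later edit that drops the leading zero cannot silently turn into a decimal mode.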
95
roles/knot/templates/etc/knot/knot.conf.j2
Normal file
95
roles/knot/templates/etc/knot/knot.conf.j2
Normal file
|
@ -0,0 +1,95 @@
|
||||||
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
|
# See knot.conf(5) or refer to the server documentation.
|
||||||
|
|
||||||
|
server:
|
||||||
|
rundir: "{{ knot_server_rundir }}"
|
||||||
|
user: "{{ knot_server_user }}:{{ knot_server_group }}"
|
||||||
|
{% for addr in knot_server_listen %}
|
||||||
|
listen: "{{ addr }}"
|
||||||
|
{% endfor %}
|
||||||
|
|
||||||
|
log:
|
||||||
|
{% for target in knot_log_targets %}
|
||||||
|
- target: "{{ target.target }}"
|
||||||
|
any: "{{ target.level }}"
|
||||||
|
{% endfor %}
|
||||||
|
|
||||||
|
|
||||||
|
#
|
||||||
|
# ALL KNOWN REMOTES
|
||||||
|
#
|
||||||
|
|
||||||
|
remote:
|
||||||
|
{% for remote in ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) ) | flatten | unique %}
|
||||||
|
- id: remote-{{ remote }}
|
||||||
|
{% for address in hostvars[remote].knot_dns_addresses %}
|
||||||
|
address: "{{ address }}"
|
||||||
|
{% endfor %}
|
||||||
|
{% endfor %}
|
||||||
|
|
||||||
|
acl:
|
||||||
|
{% for remote in ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) ) | flatten | unique %}
|
||||||
|
- id: acl-xfr-{{ remote }}
|
||||||
|
action: transfer
|
||||||
|
{% for address in hostvars[remote].knot_dns_addresses %}
|
||||||
|
address: "{{ address }}"
|
||||||
|
{% endfor %}
|
||||||
|
{% endfor %}
|
||||||
|
|
||||||
|
#
|
||||||
|
# MASTER ZONES
|
||||||
|
#
|
||||||
|
|
||||||
|
{% for zone in zones %}
|
||||||
|
{% if inventory_hostname in zone.masters %}
|
||||||
|
|
||||||
|
policy:
|
||||||
|
- id: dnssec-{{ zone.name }}
|
||||||
|
algorithm: {{ knot_dnssec_policy_algorithm }}
|
||||||
|
nsec3: {{ knot_dnssec_policy_nsec3 }}
|
||||||
|
ksk-size: {{ knot_dnssec_policy_ksk_size }}
|
||||||
|
zsk-size: {{ knot_dnssec_policy_zsk_size }}
|
||||||
|
ksk-shared: {{ knot_dnssec_policy_ksk_shared }}
|
||||||
|
cds-cdnskey-publish: {{ knot_dnssec_policy_cds_publish }}
|
||||||
|
|
||||||
|
zone:
|
||||||
|
- domain: {{ zone.name }}.
|
||||||
|
storage: {{ knot_zone_master_storage_path }}
|
||||||
|
semantic-checks: {{ knot_zone_semantic_checks }}
|
||||||
|
serial-policy: unixtime
|
||||||
|
zonefile-load: difference
|
||||||
|
dnssec-signing: {{ knot_zone_dnssec_signing }}
|
||||||
|
dnssec-policy: dnssec-{{ zone.name }}
|
||||||
|
{% for replica in zone.replicas %}
|
||||||
|
acl: acl-xfr-{{ replica }}
|
||||||
|
{% endfor %}
|
||||||
|
{% for replica in zone.replicas %}
|
||||||
|
notify: remote-{{ replica }}
|
||||||
|
{% endfor %}
|
||||||
|
|
||||||
|
{% endif %}
|
||||||
|
{% endfor %}
|
||||||
|
|
||||||
|
|
||||||
|
#
|
||||||
|
# REPLICA ZONES
|
||||||
|
#
|
||||||
|
|
||||||
|
{% for zone in zones %}
|
||||||
|
{% if inventory_hostname in zone.replicas %}
|
||||||
|
|
||||||
|
zone:
|
||||||
|
- domain: {{ zone.name }}.
|
||||||
|
storage: {{ knot_zone_replica_storage_path }}
|
||||||
|
serial-policy: unixtime
|
||||||
|
{% for master in zone.masters %}
|
||||||
|
acl: acl-xfr-{{ master }}
|
||||||
|
{% endfor %}
|
||||||
|
{% for master in zone.masters %}
|
||||||
|
master: remote-{{ master }}
|
||||||
|
{% endfor %}
|
||||||
|
|
||||||
|
{% endif %}
|
||||||
|
{% endfor %}
|
||||||
|
|
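Review bot: The replica zones in the REPLICA ZONES block reference `acl: acl-xfr-{{ master }}`, but every ACL emitted in the `acl:` section carries only `action: transfer`, so an incoming NOTIFY from a master has no ACL with `action: notify` to match; if Knot refuses it as its ACL model suggests, replicas only pick up changes on SOA refresh timers and the master-side `notify: remote-{{ replica }}` lines are sent for nothing. Since the same ACL id already serves both directions, listing both actions, `action: [transfer, notify]` (Knot accepts a list here; confirm against the deployed version), fixes it without introducing new ids. Separately, each ACL and remote is identified by address only (`address:` lines, no `key:`), so transfer and notify authorisation rests on source IP matching; Knot supports a TSIG `key:` entry in both `acl` and `remote`, and adding one would make the zone-transfer path stronger than address-based ACLs alone.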
|
@ -1,64 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
- name: render knot master config
|
|
||||||
template:
|
|
||||||
src: etc/knot/knot.conf.j2
|
|
||||||
dest: /etc/knot/knot.conf
|
|
||||||
owner: knot
|
|
||||||
group: knot
|
|
||||||
mode: 0640
|
|
||||||
notify: reload knot
|
|
||||||
|
|
||||||
- name: create knot config directory
|
|
||||||
file:
|
|
||||||
path: /etc/knot/knot.d
|
|
||||||
state: directory
|
|
||||||
owner: knot
|
|
||||||
group: knot
|
|
||||||
mode: 0750
|
|
||||||
|
|
||||||
- name: create knot zone directory
|
|
||||||
file:
|
|
||||||
path: /var/lib/knot/master
|
|
||||||
state: directory
|
|
||||||
owner: knot
|
|
||||||
group: knot
|
|
||||||
mode: 0750
|
|
||||||
|
|
||||||
- name: render knot zone files
|
|
||||||
template:
|
|
||||||
src: var/lib/knot/master/zone.j2
|
|
||||||
dest: "/var/lib/knot/master/{{ zone.name }}zone"
|
|
||||||
owner: knot
|
|
||||||
group: knot
|
|
||||||
mode: 0640
|
|
||||||
validate: /usr/bin/kzonecheck -v %s
|
|
||||||
vars:
|
|
||||||
zone: "{{ hostvars[inventory_hostname]['knot_zone_' + item.1] }}"
|
|
||||||
loop: "{{ knot_zone_groups | subelements('zones') }}"
|
|
||||||
notify: reload knot
|
|
||||||
|
|
||||||
- name: render knot server config
|
|
||||||
template:
|
|
||||||
src: etc/knot/knot.d/00-server.conf.j2
|
|
||||||
dest: /etc/knot/knot.d/00-server.conf
|
|
||||||
owner: knot
|
|
||||||
group: knot
|
|
||||||
mode: 0640
|
|
||||||
notify: reload knot
|
|
||||||
|
|
||||||
- name: render knot master configs
|
|
||||||
template:
|
|
||||||
src: etc/knot/knot.d/10-master.conf.j2
|
|
||||||
dest: "/etc/knot/knot.d/{{ 10+i }}-master-{{ item.name }}.conf"
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 0644
|
|
||||||
vars:
|
|
||||||
name: "{{ item.name }}"
|
|
||||||
replicas: "{{ item.replicas }}"
|
|
||||||
zones: "{{ item.zones }}"
|
|
||||||
loop: "{{ knot_zone_groups }}"
|
|
||||||
loop_control:
|
|
||||||
index_var: i
|
|
||||||
notify: reload knot
|
|
|
@ -1,5 +0,0 @@
|
||||||
{{ ansible_managed | comment }}
|
|
||||||
|
|
||||||
# See knot.conf(5) or refer to the server documentation.
|
|
||||||
|
|
||||||
include: /etc/knot/knot.d/*.conf
|
|
|
@ -1,14 +0,0 @@
|
||||||
{{ ansible_managed | comment }}
|
|
||||||
|
|
||||||
server:
|
|
||||||
rundir: "{{ knot_server_rundir }}"
|
|
||||||
user: "{{ knot_server_user }}:{{ knot_server_group }}"
|
|
||||||
{% for addr in knot_server_listen %}
|
|
||||||
listen: "{{ addr }}"
|
|
||||||
{% endfor %}
|
|
||||||
|
|
||||||
log:
|
|
||||||
{% for target in knot_log_targets %}
|
|
||||||
- target: "{{ target.target }}"
|
|
||||||
any: "{{ target.level }}"
|
|
||||||
{% endfor %}
|
|
|
@ -1,46 +0,0 @@
|
||||||
{{ ansible_managed | comment }}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Master configuration for zones in group {{ name }}
|
|
||||||
#
|
|
||||||
|
|
||||||
acl:
|
|
||||||
- id: xfr-{{ name }}
|
|
||||||
action: transfer
|
|
||||||
{% for replica in replicas %}
|
|
||||||
address: "{{ replica }}"
|
|
||||||
{% endfor %}
|
|
||||||
|
|
||||||
remote:
|
|
||||||
{% for replica in replicas %}
|
|
||||||
- id: remote-{{ name }}-{{ loop.index0 }}
|
|
||||||
address: "{{ replica }}"
|
|
||||||
{% endfor %}
|
|
||||||
|
|
||||||
policy:
|
|
||||||
- id: dnssec-{{ name }}
|
|
||||||
algorithm: {{ knot_dnssec_policy_algorithm }}
|
|
||||||
nsec3: {{ knot_dnssec_policy_nsec3 }}
|
|
||||||
ksk-size: {{ knot_dnssec_policy_ksk_size }}
|
|
||||||
zsk-size: {{ knot_dnssec_policy_zsk_size }}
|
|
||||||
ksk-shared: {{ knot_dnssec_policy_ksk_shared }}
|
|
||||||
cds-cdnskey-publish: {{ knot_dnssec_policy_cds_publish }}
|
|
||||||
|
|
||||||
template:
|
|
||||||
- id: {{ name }}
|
|
||||||
storage: {{ knot_zone_storage_path }}
|
|
||||||
semantic-checks: {{ knot_zone_semantic_checks }}
|
|
||||||
serial-policy: unixtime
|
|
||||||
zonefile-load: difference
|
|
||||||
dnssec-signing: {{ knot_zone_dnssec_signing }}
|
|
||||||
dnssec-policy: dnssec-{{ name }}
|
|
||||||
acl: xfr-{{ name }}
|
|
||||||
{% for replica in replicas %}
|
|
||||||
notify: remote-{{ name }}-{{ loop.index0 }}
|
|
||||||
{% endfor %}
|
|
||||||
|
|
||||||
zone:
|
|
||||||
{% for zone in zones %}
|
|
||||||
- domain: {{ zone }}.
|
|
||||||
template: {{ name }}
|
|
||||||
{% endfor %}
|
|
|
@ -1,14 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
nsd_server_hide_version: yes
|
|
||||||
nsd_server_verbosity: 1
|
|
||||||
nsd_server_database: "" # disable database
|
|
||||||
nsd_server_zonefile_write: 300
|
|
||||||
nsd_server_listen:
|
|
||||||
- "::@53"
|
|
||||||
- "0.0.0.0@53"
|
|
||||||
nsd_server_minimal_responses: yes
|
|
||||||
nsd_server_refuse_any: yes
|
|
||||||
|
|
||||||
nsd_remote_control_enable: yes
|
|
||||||
nsd_remote_control_interface: /var/run/nsd.sock
|
|
|
@ -1,6 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
- name: reload nsd
|
|
||||||
service:
|
|
||||||
name: nsd
|
|
||||||
state: reloaded
|
|
|
@ -1,35 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
- name: render nsd main config
|
|
||||||
template:
|
|
||||||
src: etc/nsd/nsd.conf.j2
|
|
||||||
dest: /etc/nsd/nsd.conf
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 0644
|
|
||||||
notify: reload nsd
|
|
||||||
|
|
||||||
- name: render nsd server config
|
|
||||||
template:
|
|
||||||
src: etc/nsd/nsd.conf.d/00-server.conf.j2
|
|
||||||
dest: /etc/nsd/nsd.conf.d/00-server.conf
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 0644
|
|
||||||
notify: reload nsd
|
|
||||||
|
|
||||||
- name: render nsd replica configs
|
|
||||||
template:
|
|
||||||
src: etc/nsd/nsd.conf.d/10-replica.conf.j2
|
|
||||||
dest: "/etc/nsd/nsd.conf.d/{{ 10+i }}-replica-{{ item.primary }}.conf"
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 0644
|
|
||||||
vars:
|
|
||||||
primary: "{{ item.primary }}"
|
|
||||||
masters: "{{ item.masters }}"
|
|
||||||
zones: "{{ item.zones }}"
|
|
||||||
loop: "{{ nsd_zone_groups }}"
|
|
||||||
loop_control:
|
|
||||||
index_var: i
|
|
||||||
notify: reload nsd
|
|
|
@ -1,12 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
- name: install nsd
|
|
||||||
package:
|
|
||||||
name: nsd
|
|
||||||
state: present
|
|
||||||
|
|
||||||
- name: start and enable nsd
|
|
||||||
service:
|
|
||||||
name: nsd
|
|
||||||
state: started
|
|
||||||
enabled: yes
|
|
|
@ -1,13 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
- name: install nsd
|
|
||||||
import_tasks: install.yml
|
|
||||||
tags:
|
|
||||||
- "role::nameserver:replica"
|
|
||||||
- "role::nameserver:replica:install"
|
|
||||||
|
|
||||||
- name: configure nsd
|
|
||||||
import_tasks: config.yml
|
|
||||||
tags:
|
|
||||||
- "role::nameserver:replica"
|
|
||||||
- "role::nameserver:replica:config"
|
|
|
@ -1,18 +0,0 @@
|
||||||
{{ ansible_managed | comment }}
|
|
||||||
|
|
||||||
server:
|
|
||||||
hide-version: {{ nsd_server_hide_version | ternary('yes', 'no') }}
|
|
||||||
verbosity: {{ nsd_server_verbosity }}
|
|
||||||
database: "{{ nsd_server_database }}"
|
|
||||||
zonefiles-write: {{ nsd_server_zonefile_write }}
|
|
||||||
|
|
||||||
{% for addr in nsd_server_listen %}
|
|
||||||
ip-address: "{{ addr }}"
|
|
||||||
{% endfor %}
|
|
||||||
|
|
||||||
minimal-responses: {{ nsd_server_minimal_responses | ternary('yes', 'no') }}
|
|
||||||
refuse-any: {{ nsd_server_refuse_any | ternary('yes', 'no') }}
|
|
||||||
|
|
||||||
remote-control:
|
|
||||||
control-enable: {{ nsd_remote_control_enable | ternary('yes', 'no') }}
|
|
||||||
control-interface: {{ nsd_remote_control_interface }}
|
|
|
@ -1,21 +0,0 @@
|
||||||
{{ ansible_managed | comment }}
|
|
||||||
|
|
||||||
#
|
|
||||||
# Replica for zones of primary {{ primary }}
|
|
||||||
#
|
|
||||||
|
|
||||||
pattern:
|
|
||||||
name: xfr-{{ primary }}
|
|
||||||
zonefile: "/var/lib/nsd/replica/%szone"
|
|
||||||
{% for addr in masters %}
|
|
||||||
allow-notify: {{ addr }} NOKEY
|
|
||||||
{% endfor %}
|
|
||||||
{% for addr in masters %}
|
|
||||||
request-xfr: {{ addr }} NOKEY
|
|
||||||
{% endfor %}
|
|
||||||
|
|
||||||
{% for zone in zones %}
|
|
||||||
zone:
|
|
||||||
name: {{ zone }}.
|
|
||||||
include-pattern: "xfr-{{ primary }}"
|
|
||||||
{% endfor %}
|
|
|
@ -1,13 +0,0 @@
|
||||||
{{ ansible_managed | comment }}
|
|
||||||
|
|
||||||
# NSD configuration file for Debian.
|
|
||||||
#
|
|
||||||
# See the nsd.conf(5) man page.
|
|
||||||
#
|
|
||||||
# See /usr/share/doc/nsd/examples/nsd.conf for a commented
|
|
||||||
# reference config file.
|
|
||||||
#
|
|
||||||
# The following line includes additional configuration files from the
|
|
||||||
# /etc/nsd/nsd.conf.d directory.
|
|
||||||
|
|
||||||
include: "/etc/nsd/nsd.conf.d/*.conf"
|
|