knot monoculture

s3lph 2021-01-16 02:00:19 +01:00
parent 3e70575d78
commit f880e43321
20 changed files with 133 additions and 264 deletions


@ -8,7 +8,7 @@ namespace: s3lph
name: nameserver
# The version of the collection. Must be compatible with semantic versioning
version: 1.0.0
version: 0.2
# The path to the Markdown (.md) readme file. This path is relative to the root of the collection
readme: README.md
@ -37,7 +37,6 @@ license_file: ''
tags:
- dns
- knot
- nsd
- nameserver
- dnssec
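Review bot: The new `version: 0.2` is read by a YAML parser as the float 0.2 and is not a semantic version, although the comment two lines above it says the field must be; as far as I recall, ansible-galaxy's collection build validates this field as semver and will reject it. Write it as `version: 0.2.0` (quoting is optional once it has three components). It is also lower than the previous 1.0.0, so confirm the downgrade is intentional rather than a typo for 1.0.2 or 1.2.0.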


@ -11,7 +11,8 @@ knot_log_targets:
- target: syslog
level: info
knot_zone_storage_path: /var/lib/knot/master
knot_zone_master_storage_path: /var/lib/knot/master
knot_zone_replica_storage_path: /var/lib/knot/replica
knot_zone_semantic_checks: 'on'
knot_zone_dnssec_signing: 'on'


@ -0,0 +1,35 @@
---
- name: create knot zone directories
file:
path: "{{ item }}"
state: directory
owner: knot
group: knot
mode: 0750
loop:
- "{{ knot_zone_master_storage_path }}"
- "{{ knot_zone_replica_storage_path }}"
- name: render knot zone files
template:
src: var/lib/knot/master/zone.j2
dest: "{{ knot_zone_master_storage_path }}/{{ item.name }}.zone"
owner: knot
group: knot
mode: 0640
validate: /usr/bin/kzonecheck -v %s
when: "inventory_hostname in item.masters"
loop: "{{ hostvars[inventory_hostname] | dict2items | selectattr('key', 'match', '^knot_zone_.+$') | map(attribute='value') | list }}"
notify: reload knot
- name: render knot master config
template:
src: etc/knot/knot.conf.j2
dest: /etc/knot/knot.conf
owner: knot
group: knot
mode: 0640
vars:
zones: "{{ hostvars[inventory_hostname] | dict2items | selectattr('key', 'match', '^knot_zone_.+$') | map(attribute='value') | list }}"
notify: reload knot
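Review bot: The hostvars expression selecting the `knot_zone_*` entries is written out twice, in the `loop` of "render knot zone files" and again in `vars.zones` of "render knot master config"; compute it once (a role-level `vars` entry or a `set_fact` task ahead of both) so the two copies cannot drift apart. The zone file destination `{{ knot_zone_master_storage_path }}/{{ item.name }}.zone` takes `item.name` straight from inventory, and the same value later becomes the Knot `domain:`, so an `assert` that each `name` matches a hostname pattern before rendering would catch an entry containing a path separator or a stray dot early, instead of leaving a misplaced file with `kzonecheck` as the only gate. The octal modes `0750`/`0640` are parsed as intended because of the leading zero, but quoting them (`mode: "0640"`) is what ansible-lint's risky-octal rule asks for.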


@ -0,0 +1,95 @@
{{ ansible_managed | comment }}
# See knot.conf(5) or refer to the server documentation.
server:
rundir: "{{ knot_server_rundir }}"
user: "{{ knot_server_user }}:{{ knot_server_group }}"
{% for addr in knot_server_listen %}
listen: "{{ addr }}"
{% endfor %}
log:
{% for target in knot_log_targets %}
- target: "{{ target.target }}"
any: "{{ target.level }}"
{% endfor %}
#
# ALL KNOWN REMOTES
#
remote:
{% for remote in ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) ) | flatten | unique %}
- id: remote-{{ remote }}
{% for address in hostvars[remote].knot_dns_addresses %}
address: "{{ address }}"
{% endfor %}
{% endfor %}
acl:
{% for remote in ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) ) | flatten | unique %}
- id: acl-xfr-{{ remote }}
action: transfer
{% for address in hostvars[remote].knot_dns_addresses %}
address: "{{ address }}"
{% endfor %}
{% endfor %}
#
# MASTER ZONES
#
{% for zone in zones %}
{% if inventory_hostname in zone.masters %}
policy:
- id: dnssec-{{ zone.name }}
algorithm: {{ knot_dnssec_policy_algorithm }}
nsec3: {{ knot_dnssec_policy_nsec3 }}
ksk-size: {{ knot_dnssec_policy_ksk_size }}
zsk-size: {{ knot_dnssec_policy_zsk_size }}
ksk-shared: {{ knot_dnssec_policy_ksk_shared }}
cds-cdnskey-publish: {{ knot_dnssec_policy_cds_publish }}
zone:
- domain: {{ zone.name }}.
storage: {{ knot_zone_master_storage_path }}
semantic-checks: {{ knot_zone_semantic_checks }}
serial-policy: unixtime
zonefile-load: difference
dnssec-signing: {{ knot_zone_dnssec_signing }}
dnssec-policy: dnssec-{{ zone.name }}
{% for replica in zone.replicas %}
acl: acl-xfr-{{ replica }}
{% endfor %}
{% for replica in zone.replicas %}
notify: remote-{{ replica }}
{% endfor %}
{% endif %}
{% endfor %}
#
# REPLICA ZONES
#
{% for zone in zones %}
{% if inventory_hostname in zone.replicas %}
zone:
- domain: {{ zone.name }}.
storage: {{ knot_zone_replica_storage_path }}
serial-policy: unixtime
{% for master in zone.masters %}
acl: acl-xfr-{{ master }}
{% endfor %}
{% for master in zone.masters %}
master: remote-{{ master }}
{% endfor %}
{% endif %}
{% endfor %}
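Review bot: The replica zone block (the `acl: acl-xfr-{{ master }}` lines under REPLICA ZONES) grants the master only the `transfer` action defined in the acl section above, so as I read Knot's ACL semantics the replica will refuse the master's NOTIFY for that zone and only refresh on the SOA timer. Give the master's ACL the notify action too, e.g. `action: [notify, transfer]` on the `action: transfer` line, or emit a separate `acl-notify-{{ remote }}` entry with `action: notify` and reference that from the replica zones. Every ACL here matches on `address` alone with no `key:`; if transfer and notify authorization is meant to rest on more than the source IP of `knot_dns_addresses`, a TSIG key per remote (`key:` section, referenced via `acl.key` and `remote.key`) is the Knot mechanism for that. The `policy:` block is emitted once per master zone with identical values; a single shared policy id would shrink the rendered config, though the per-zone ids are harmless.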


@ -1,64 +0,0 @@
---
- name: render knot master config
template:
src: etc/knot/knot.conf.j2
dest: /etc/knot/knot.conf
owner: knot
group: knot
mode: 0640
notify: reload knot
- name: create knot config directory
file:
path: /etc/knot/knot.d
state: directory
owner: knot
group: knot
mode: 0750
- name: create knot zone directory
file:
path: /var/lib/knot/master
state: directory
owner: knot
group: knot
mode: 0750
- name: render knot zone files
template:
src: var/lib/knot/master/zone.j2
dest: "/var/lib/knot/master/{{ zone.name }}zone"
owner: knot
group: knot
mode: 0640
validate: /usr/bin/kzonecheck -v %s
vars:
zone: "{{ hostvars[inventory_hostname]['knot_zone_' + item.1] }}"
loop: "{{ knot_zone_groups | subelements('zones') }}"
notify: reload knot
- name: render knot server config
template:
src: etc/knot/knot.d/00-server.conf.j2
dest: /etc/knot/knot.d/00-server.conf
owner: knot
group: knot
mode: 0640
notify: reload knot
- name: render knot master configs
template:
src: etc/knot/knot.d/10-master.conf.j2
dest: "/etc/knot/knot.d/{{ 10+i }}-master-{{ item.name }}.conf"
owner: root
group: root
mode: 0644
vars:
name: "{{ item.name }}"
replicas: "{{ item.replicas }}"
zones: "{{ item.zones }}"
loop: "{{ knot_zone_groups }}"
loop_control:
index_var: i
notify: reload knot


@ -1,5 +0,0 @@
{{ ansible_managed | comment }}
# See knot.conf(5) or refer to the server documentation.
include: /etc/knot/knot.d/*.conf


@ -1,14 +0,0 @@
{{ ansible_managed | comment }}
server:
rundir: "{{ knot_server_rundir }}"
user: "{{ knot_server_user }}:{{ knot_server_group }}"
{% for addr in knot_server_listen %}
listen: "{{ addr }}"
{% endfor %}
log:
{% for target in knot_log_targets %}
- target: "{{ target.target }}"
any: "{{ target.level }}"
{% endfor %}


@ -1,46 +0,0 @@
{{ ansible_managed | comment }}
#
# Master configuration for zones in group {{ name }}
#
acl:
- id: xfr-{{ name }}
action: transfer
{% for replica in replicas %}
address: "{{ replica }}"
{% endfor %}
remote:
{% for replica in replicas %}
- id: remote-{{ name }}-{{ loop.index0 }}
address: "{{ replica }}"
{% endfor %}
policy:
- id: dnssec-{{ name }}
algorithm: {{ knot_dnssec_policy_algorithm }}
nsec3: {{ knot_dnssec_policy_nsec3 }}
ksk-size: {{ knot_dnssec_policy_ksk_size }}
zsk-size: {{ knot_dnssec_policy_zsk_size }}
ksk-shared: {{ knot_dnssec_policy_ksk_shared }}
cds-cdnskey-publish: {{ knot_dnssec_policy_cds_publish }}
template:
- id: {{ name }}
storage: {{ knot_zone_storage_path }}
semantic-checks: {{ knot_zone_semantic_checks }}
serial-policy: unixtime
zonefile-load: difference
dnssec-signing: {{ knot_zone_dnssec_signing }}
dnssec-policy: dnssec-{{ name }}
acl: xfr-{{ name }}
{% for replica in replicas %}
notify: remote-{{ name }}-{{ loop.index0 }}
{% endfor %}
zone:
{% for zone in zones %}
- domain: {{ zone }}.
template: {{ name }}
{% endfor %}


@ -1,14 +0,0 @@
---
nsd_server_hide_version: yes
nsd_server_verbosity: 1
nsd_server_database: "" # disable database
nsd_server_zonefile_write: 300
nsd_server_listen:
- "::@53"
- "0.0.0.0@53"
nsd_server_minimal_responses: yes
nsd_server_refuse_any: yes
nsd_remote_control_enable: yes
nsd_remote_control_interface: /var/run/nsd.sock


@ -1,6 +0,0 @@
---
- name: reload nsd
service:
name: nsd
state: reloaded


@ -1,35 +0,0 @@
---
- name: render nsd main config
template:
src: etc/nsd/nsd.conf.j2
dest: /etc/nsd/nsd.conf
owner: root
group: root
mode: 0644
notify: reload nsd
- name: render nsd server config
template:
src: etc/nsd/nsd.conf.d/00-server.conf.j2
dest: /etc/nsd/nsd.conf.d/00-server.conf
owner: root
group: root
mode: 0644
notify: reload nsd
- name: render nsd replica configs
template:
src: etc/nsd/nsd.conf.d/10-replica.conf.j2
dest: "/etc/nsd/nsd.conf.d/{{ 10+i }}-replica-{{ item.primary }}.conf"
owner: root
group: root
mode: 0644
vars:
primary: "{{ item.primary }}"
masters: "{{ item.masters }}"
zones: "{{ item.zones }}"
loop: "{{ nsd_zone_groups }}"
loop_control:
index_var: i
notify: reload nsd


@ -1,12 +0,0 @@
---
- name: install nsd
package:
name: nsd
state: present
- name: start and enable nsd
service:
name: nsd
state: started
enabled: yes


@ -1,13 +0,0 @@
---
- name: install nsd
import_tasks: install.yml
tags:
- "role::nameserver:replica"
- "role::nameserver:replica:install"
- name: configure nsd
import_tasks: config.yml
tags:
- "role::nameserver:replica"
- "role::nameserver:replica:config"


@ -1,18 +0,0 @@
{{ ansible_managed | comment }}
server:
hide-version: {{ nsd_server_hide_version | ternary('yes', 'no') }}
verbosity: {{ nsd_server_verbosity }}
database: "{{ nsd_server_database }}"
zonefiles-write: {{ nsd_server_zonefile_write }}
{% for addr in nsd_server_listen %}
ip-address: "{{ addr }}"
{% endfor %}
minimal-responses: {{ nsd_server_minimal_responses | ternary('yes', 'no') }}
refuse-any: {{ nsd_server_refuse_any | ternary('yes', 'no') }}
remote-control:
control-enable: {{ nsd_remote_control_enable | ternary('yes', 'no') }}
control-interface: {{ nsd_remote_control_interface }}


@ -1,21 +0,0 @@
{{ ansible_managed | comment }}
#
# Replica for zones of primary {{ primary }}
#
pattern:
name: xfr-{{ primary }}
zonefile: "/var/lib/nsd/replica/%szone"
{% for addr in masters %}
allow-notify: {{ addr }} NOKEY
{% endfor %}
{% for addr in masters %}
request-xfr: {{ addr }} NOKEY
{% endfor %}
{% for zone in zones %}
zone:
name: {{ zone }}.
include-pattern: "xfr-{{ primary }}"
{% endfor %}


@ -1,13 +0,0 @@
{{ ansible_managed | comment }}
# NSD configuration file for Debian.
#
# See the nsd.conf(5) man page.
#
# See /usr/share/doc/nsd/examples/nsd.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/nsd/nsd.conf.d directory.
include: "/etc/nsd/nsd.conf.d/*.conf"