knot monoculture
This commit is contained in:
parent
3e70575d78
commit
f880e43321
20 changed files with 133 additions and 264 deletions
|
@ -8,7 +8,7 @@ namespace: s3lph
|
|||
name: nameserver
|
||||
|
||||
# The version of the collection. Must be compatible with semantic versioning
|
||||
version: 1.0.0
|
||||
version: 0.2
|
||||
|
||||
# The path to the Markdown (.md) readme file. This path is relative to the root of the collection
|
||||
readme: README.md
|
||||
|
@ -37,7 +37,6 @@ license_file: ''
|
|||
tags:
|
||||
- dns
|
||||
- knot
|
||||
- nsd
|
||||
- nameserver
|
||||
- dnssec
|
||||
|
||||
|
|
|
@ -11,7 +11,8 @@ knot_log_targets:
|
|||
- target: syslog
|
||||
level: info
|
||||
|
||||
knot_zone_storage_path: /var/lib/knot/master
|
||||
knot_zone_master_storage_path: /var/lib/knot/master
|
||||
knot_zone_replica_storage_path: /var/lib/knot/replica
|
||||
knot_zone_semantic_checks: 'on'
|
||||
knot_zone_dnssec_signing: 'on'
|
||||
|
35
roles/knot/tasks/config.yml
Normal file
35
roles/knot/tasks/config.yml
Normal file
|
@ -0,0 +1,35 @@
|
|||
---
|
||||
|
||||
- name: create knot zone directories
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
state: directory
|
||||
owner: knot
|
||||
group: knot
|
||||
mode: 0750
|
||||
loop:
|
||||
- "{{ knot_zone_master_storage_path }}"
|
||||
- "{{ knot_zone_replica_storage_path }}"
|
||||
|
||||
- name: render knot zone files
|
||||
template:
|
||||
src: var/lib/knot/master/zone.j2
|
||||
dest: "{{ knot_zone_master_storage_path }}/{{ item.name }}.zone"
|
||||
owner: knot
|
||||
group: knot
|
||||
mode: 0640
|
||||
validate: /usr/bin/kzonecheck -v %s
|
||||
when: "inventory_hostname in item.masters"
|
||||
loop: "{{ hostvars[inventory_hostname] | dict2items | selectattr('key', 'match', '^knot_zone_.+$') | map(attribute='value') | list }}"
|
||||
notify: reload knot
|
||||
|
||||
- name: render knot master config
|
||||
template:
|
||||
src: etc/knot/knot.conf.j2
|
||||
dest: /etc/knot/knot.conf
|
||||
owner: knot
|
||||
group: knot
|
||||
mode: 0640
|
||||
vars:
|
||||
zones: "{{ hostvars[inventory_hostname] | dict2items | selectattr('key', 'match', '^knot_zone_.+$') | map(attribute='value') | list }}"
|
||||
notify: reload knot
|
95
roles/knot/templates/etc/knot/knot.conf.j2
Normal file
95
roles/knot/templates/etc/knot/knot.conf.j2
Normal file
|
@ -0,0 +1,95 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
# See knot.conf(5) or refer to the server documentation.
|
||||
|
||||
server:
|
||||
rundir: "{{ knot_server_rundir }}"
|
||||
user: "{{ knot_server_user }}:{{ knot_server_group }}"
|
||||
{% for addr in knot_server_listen %}
|
||||
listen: "{{ addr }}"
|
||||
{% endfor %}
|
||||
|
||||
log:
|
||||
{% for target in knot_log_targets %}
|
||||
- target: "{{ target.target }}"
|
||||
any: "{{ target.level }}"
|
||||
{% endfor %}
|
||||
|
||||
|
||||
#
|
||||
# ALL KNOWN REMOTES
|
||||
#
|
||||
|
||||
remote:
|
||||
{% for remote in ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) ) | flatten | unique %}
|
||||
- id: remote-{{ remote }}
|
||||
{% for address in hostvars[remote].knot_dns_addresses %}
|
||||
address: "{{ address }}"
|
||||
{% endfor %}
|
||||
{% endfor %}
|
||||
|
||||
acl:
|
||||
{% for remote in ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) ) | flatten | unique %}
|
||||
- id: acl-xfr-{{ remote }}
|
||||
action: transfer
|
||||
{% for address in hostvars[remote].knot_dns_addresses %}
|
||||
address: "{{ address }}"
|
||||
{% endfor %}
|
||||
{% endfor %}
|
||||
|
||||
#
|
||||
# MASTER ZONES
|
||||
#
|
||||
|
||||
{% for zone in zones %}
|
||||
{% if inventory_hostname in zone.masters %}
|
||||
|
||||
policy:
|
||||
- id: dnssec-{{ zone.name }}
|
||||
algorithm: {{ knot_dnssec_policy_algorithm }}
|
||||
nsec3: {{ knot_dnssec_policy_nsec3 }}
|
||||
ksk-size: {{ knot_dnssec_policy_ksk_size }}
|
||||
zsk-size: {{ knot_dnssec_policy_zsk_size }}
|
||||
ksk-shared: {{ knot_dnssec_policy_ksk_shared }}
|
||||
cds-cdnskey-publish: {{ knot_dnssec_policy_cds_publish }}
|
||||
|
||||
zone:
|
||||
- domain: {{ zone.name }}.
|
||||
storage: {{ knot_zone_master_storage_path }}
|
||||
semantic-checks: {{ knot_zone_semantic_checks }}
|
||||
serial-policy: unixtime
|
||||
zonefile-load: difference
|
||||
dnssec-signing: {{ knot_zone_dnssec_signing }}
|
||||
dnssec-policy: dnssec-{{ zone.name }}
|
||||
{% for replica in zone.replicas %}
|
||||
acl: acl-xfr-{{ replica }}
|
||||
{% endfor %}
|
||||
{% for replica in zone.replicas %}
|
||||
notify: remote-{{ replica }}
|
||||
{% endfor %}
|
||||
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
|
||||
|
||||
#
|
||||
# REPLICA ZONES
|
||||
#
|
||||
|
||||
{% for zone in zones %}
|
||||
{% if inventory_hostname in zone.replicas %}
|
||||
|
||||
zone:
|
||||
- domain: {{ zone.name }}.
|
||||
storage: {{ knot_zone_replica_storage_path }}
|
||||
serial-policy: unixtime
|
||||
{% for master in zone.masters %}
|
||||
acl: acl-xfr-{{ master }}
|
||||
{% endfor %}
|
||||
{% for master in zone.masters %}
|
||||
master: remote-{{ master }}
|
||||
{% endfor %}
|
||||
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
|
|
@ -1,64 +0,0 @@
|
|||
---
|
||||
|
||||
- name: render knot master config
|
||||
template:
|
||||
src: etc/knot/knot.conf.j2
|
||||
dest: /etc/knot/knot.conf
|
||||
owner: knot
|
||||
group: knot
|
||||
mode: 0640
|
||||
notify: reload knot
|
||||
|
||||
- name: create knot config directory
|
||||
file:
|
||||
path: /etc/knot/knot.d
|
||||
state: directory
|
||||
owner: knot
|
||||
group: knot
|
||||
mode: 0750
|
||||
|
||||
- name: create knot zone directory
|
||||
file:
|
||||
path: /var/lib/knot/master
|
||||
state: directory
|
||||
owner: knot
|
||||
group: knot
|
||||
mode: 0750
|
||||
|
||||
- name: render knot zone files
|
||||
template:
|
||||
src: var/lib/knot/master/zone.j2
|
||||
dest: "/var/lib/knot/master/{{ zone.name }}zone"
|
||||
owner: knot
|
||||
group: knot
|
||||
mode: 0640
|
||||
validate: /usr/bin/kzonecheck -v %s
|
||||
vars:
|
||||
zone: "{{ hostvars[inventory_hostname]['knot_zone_' + item.1] }}"
|
||||
loop: "{{ knot_zone_groups | subelements('zones') }}"
|
||||
notify: reload knot
|
||||
|
||||
- name: render knot server config
|
||||
template:
|
||||
src: etc/knot/knot.d/00-server.conf.j2
|
||||
dest: /etc/knot/knot.d/00-server.conf
|
||||
owner: knot
|
||||
group: knot
|
||||
mode: 0640
|
||||
notify: reload knot
|
||||
|
||||
- name: render knot master configs
|
||||
template:
|
||||
src: etc/knot/knot.d/10-master.conf.j2
|
||||
dest: "/etc/knot/knot.d/{{ 10+i }}-master-{{ item.name }}.conf"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
vars:
|
||||
name: "{{ item.name }}"
|
||||
replicas: "{{ item.replicas }}"
|
||||
zones: "{{ item.zones }}"
|
||||
loop: "{{ knot_zone_groups }}"
|
||||
loop_control:
|
||||
index_var: i
|
||||
notify: reload knot
|
|
@ -1,5 +0,0 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
# See knot.conf(5) or refer to the server documentation.
|
||||
|
||||
include: /etc/knot/knot.d/*.conf
|
|
@ -1,14 +0,0 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
server:
|
||||
rundir: "{{ knot_server_rundir }}"
|
||||
user: "{{ knot_server_user }}:{{ knot_server_group }}"
|
||||
{% for addr in knot_server_listen %}
|
||||
listen: "{{ addr }}"
|
||||
{% endfor %}
|
||||
|
||||
log:
|
||||
{% for target in knot_log_targets %}
|
||||
- target: "{{ target.target }}"
|
||||
any: "{{ target.level }}"
|
||||
{% endfor %}
|
|
@ -1,46 +0,0 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
#
|
||||
# Master configuration for zones in group {{ name }}
|
||||
#
|
||||
|
||||
acl:
|
||||
- id: xfr-{{ name }}
|
||||
action: transfer
|
||||
{% for replica in replicas %}
|
||||
address: "{{ replica }}"
|
||||
{% endfor %}
|
||||
|
||||
remote:
|
||||
{% for replica in replicas %}
|
||||
- id: remote-{{ name }}-{{ loop.index0 }}
|
||||
address: "{{ replica }}"
|
||||
{% endfor %}
|
||||
|
||||
policy:
|
||||
- id: dnssec-{{ name }}
|
||||
algorithm: {{ knot_dnssec_policy_algorithm }}
|
||||
nsec3: {{ knot_dnssec_policy_nsec3 }}
|
||||
ksk-size: {{ knot_dnssec_policy_ksk_size }}
|
||||
zsk-size: {{ knot_dnssec_policy_zsk_size }}
|
||||
ksk-shared: {{ knot_dnssec_policy_ksk_shared }}
|
||||
cds-cdnskey-publish: {{ knot_dnssec_policy_cds_publish }}
|
||||
|
||||
template:
|
||||
- id: {{ name }}
|
||||
storage: {{ knot_zone_storage_path }}
|
||||
semantic-checks: {{ knot_zone_semantic_checks }}
|
||||
serial-policy: unixtime
|
||||
zonefile-load: difference
|
||||
dnssec-signing: {{ knot_zone_dnssec_signing }}
|
||||
dnssec-policy: dnssec-{{ name }}
|
||||
acl: xfr-{{ name }}
|
||||
{% for replica in replicas %}
|
||||
notify: remote-{{ name }}-{{ loop.index0 }}
|
||||
{% endfor %}
|
||||
|
||||
zone:
|
||||
{% for zone in zones %}
|
||||
- domain: {{ zone }}.
|
||||
template: {{ name }}
|
||||
{% endfor %}
|
|
@ -1,14 +0,0 @@
|
|||
---
|
||||
|
||||
nsd_server_hide_version: yes
|
||||
nsd_server_verbosity: 1
|
||||
nsd_server_database: "" # disable database
|
||||
nsd_server_zonefile_write: 300
|
||||
nsd_server_listen:
|
||||
- "::@53"
|
||||
- "0.0.0.0@53"
|
||||
nsd_server_minimal_responses: yes
|
||||
nsd_server_refuse_any: yes
|
||||
|
||||
nsd_remote_control_enable: yes
|
||||
nsd_remote_control_interface: /var/run/nsd.sock
|
|
@ -1,6 +0,0 @@
|
|||
---
|
||||
|
||||
- name: reload nsd
|
||||
service:
|
||||
name: nsd
|
||||
state: reloaded
|
|
@ -1,35 +0,0 @@
|
|||
---
|
||||
|
||||
- name: render nsd main config
|
||||
template:
|
||||
src: etc/nsd/nsd.conf.j2
|
||||
dest: /etc/nsd/nsd.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
notify: reload nsd
|
||||
|
||||
- name: render nsd server config
|
||||
template:
|
||||
src: etc/nsd/nsd.conf.d/00-server.conf.j2
|
||||
dest: /etc/nsd/nsd.conf.d/00-server.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
notify: reload nsd
|
||||
|
||||
- name: render nsd replica configs
|
||||
template:
|
||||
src: etc/nsd/nsd.conf.d/10-replica.conf.j2
|
||||
dest: "/etc/nsd/nsd.conf.d/{{ 10+i }}-replica-{{ item.primary }}.conf"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
vars:
|
||||
primary: "{{ item.primary }}"
|
||||
masters: "{{ item.masters }}"
|
||||
zones: "{{ item.zones }}"
|
||||
loop: "{{ nsd_zone_groups }}"
|
||||
loop_control:
|
||||
index_var: i
|
||||
notify: reload nsd
|
|
@ -1,12 +0,0 @@
|
|||
---
|
||||
|
||||
- name: install nsd
|
||||
package:
|
||||
name: nsd
|
||||
state: present
|
||||
|
||||
- name: start and enable nsd
|
||||
service:
|
||||
name: nsd
|
||||
state: started
|
||||
enabled: yes
|
|
@ -1,13 +0,0 @@
|
|||
---
|
||||
|
||||
- name: install nsd
|
||||
import_tasks: install.yml
|
||||
tags:
|
||||
- "role::nameserver:replica"
|
||||
- "role::nameserver:replica:install"
|
||||
|
||||
- name: configure nsd
|
||||
import_tasks: config.yml
|
||||
tags:
|
||||
- "role::nameserver:replica"
|
||||
- "role::nameserver:replica:config"
|
|
@ -1,18 +0,0 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
server:
|
||||
hide-version: {{ nsd_server_hide_version | ternary('yes', 'no') }}
|
||||
verbosity: {{ nsd_server_verbosity }}
|
||||
database: "{{ nsd_server_database }}"
|
||||
zonefiles-write: {{ nsd_server_zonefile_write }}
|
||||
|
||||
{% for addr in nsd_server_listen %}
|
||||
ip-address: "{{ addr }}"
|
||||
{% endfor %}
|
||||
|
||||
minimal-responses: {{ nsd_server_minimal_responses | ternary('yes', 'no') }}
|
||||
refuse-any: {{ nsd_server_refuse_any | ternary('yes', 'no') }}
|
||||
|
||||
remote-control:
|
||||
control-enable: {{ nsd_remote_control_enable | ternary('yes', 'no') }}
|
||||
control-interface: {{ nsd_remote_control_interface }}
|
|
@ -1,21 +0,0 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
#
|
||||
# Replica for zones of primary {{ primary }}
|
||||
#
|
||||
|
||||
pattern:
|
||||
name: xfr-{{ primary }}
|
||||
zonefile: "/var/lib/nsd/replica/%szone"
|
||||
{% for addr in masters %}
|
||||
allow-notify: {{ addr }} NOKEY
|
||||
{% endfor %}
|
||||
{% for addr in masters %}
|
||||
request-xfr: {{ addr }} NOKEY
|
||||
{% endfor %}
|
||||
|
||||
{% for zone in zones %}
|
||||
zone:
|
||||
name: {{ zone }}.
|
||||
include-pattern: "xfr-{{ primary }}"
|
||||
{% endfor %}
|
|
@ -1,13 +0,0 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
# NSD configuration file for Debian.
|
||||
#
|
||||
# See the nsd.conf(5) man page.
|
||||
#
|
||||
# See /usr/share/doc/nsd/examples/nsd.conf for a commented
|
||||
# reference config file.
|
||||
#
|
||||
# The following line includes additional configuration files from the
|
||||
# /etc/nsd/nsd.conf.d directory.
|
||||
|
||||
include: "/etc/nsd/nsd.conf.d/*.conf"
|
Loading…
Reference in a new issue