Compare commits
No commits in common. "main" and "master" have entirely different histories.
23 changed files with 114 additions and 642 deletions
|
@ -1,8 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
skip_list:
|
|
||||||
- meta-runtime[unsupported-version]
|
|
||||||
- galaxy[no-changelog]
|
|
||||||
- galaxy[version-incorrect]
|
|
||||||
- name[casing]
|
|
||||||
- var-naming[no-role-prefix]
|
|
|
@ -1,29 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
name: Ansible Galaxy
|
|
||||||
|
|
||||||
on: # noqa yaml[truthy]
|
|
||||||
push:
|
|
||||||
tags:
|
|
||||||
- 'v*'
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
deploy:
|
|
||||||
runs-on: docker
|
|
||||||
steps:
|
|
||||||
|
|
||||||
- uses: actions/checkout@v4
|
|
||||||
|
|
||||||
- name: Set version in galaxy.yml
|
|
||||||
run: |
|
|
||||||
VERSION=${GITHUB_REF#refs/tags/v}
|
|
||||||
sed -re "s/^version:.*$/version: ${VERSION}/" -i galaxy.yml
|
|
||||||
|
|
||||||
- name: Upload collection to Ansible Galaxy
|
|
||||||
env:
|
|
||||||
GALAXY_API_KEY: ${{ secrets.GALAXY_API_KEY }}
|
|
||||||
run: |
|
|
||||||
apt update; apt install --yes python3-pip
|
|
||||||
pip3 install --break-system-packages ansible
|
|
||||||
ansible-galaxy collection build
|
|
||||||
ansible-galaxy collection publish --api-key=${GALAXY_API_KEY} s3lph-nameserver*tar.gz
|
|
|
@ -1,17 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
name: Ansible Lint
|
|
||||||
on: [push, pull_request] # noqa yaml[truthy]
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
build:
|
|
||||||
runs-on: docker
|
|
||||||
|
|
||||||
steps:
|
|
||||||
|
|
||||||
- uses: actions/checkout@v4
|
|
||||||
|
|
||||||
- run: |
|
|
||||||
apt update; apt install --yes python3-pip
|
|
||||||
pip3 install --break-system-packages ansible-lint
|
|
||||||
ansible-lint
|
|
1
.gitignore
vendored
1
.gitignore
vendored
|
@ -1 +0,0 @@
|
||||||
s3lph-nameserver*.tar.gz
|
|
|
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
# Replace example_org/example.org with your zone name
|
# Replace example.org with your zone name
|
||||||
knot_zone_example_org:
|
knot_zone_example.org:
|
||||||
|
|
||||||
masters:
|
masters:
|
||||||
- ns1.example.org
|
- ns1.example.org
|
||||||
|
@ -10,13 +10,9 @@ knot_zone_example_org:
|
||||||
- ns3.example.org
|
- ns3.example.org
|
||||||
updaters:
|
updaters:
|
||||||
- foo.example.org
|
- foo.example.org
|
||||||
parents:
|
|
||||||
- a.gtld-servers.net
|
|
||||||
|
|
||||||
# Replace example.org. with your zone name
|
# Replace example.org. with your zone name
|
||||||
name: example.org.
|
name: example.org.
|
||||||
# Enable automatic KSK rollover once a year
|
|
||||||
ksk_lifetime: 365d
|
|
||||||
|
|
||||||
# Configure the SOA record to your liking
|
# Configure the SOA record to your liking
|
||||||
soa:
|
soa:
|
||||||
|
|
|
@ -1,5 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
knot_dns_addresses:
|
|
||||||
- "2001:503:a83e::2:30"
|
|
||||||
- "192.5.6.30"
|
|
|
@ -19,3 +19,6 @@ knot_tsig_key:
|
||||||
secret: pZxgYlANxwWscfrZz4sdi6mQUlWFWlhUO/y7wjSJ6qdcXXGTaAxtwlaHWYYhJfTN
|
secret: pZxgYlANxwWscfrZz4sdi6mQUlWFWlhUO/y7wjSJ6qdcXXGTaAxtwlaHWYYhJfTN
|
||||||
|
|
||||||
# Change other host specific options here
|
# Change other host specific options here
|
||||||
|
|
||||||
|
# knot 2.7 in Debian stable doesn't know double-ds yet
|
||||||
|
knot_dnssec_policy_cds_publish: always
|
||||||
|
|
|
@ -18,3 +18,6 @@ knot_tsig_key:
|
||||||
algorithm: hmac-sha384
|
algorithm: hmac-sha384
|
||||||
secret: poAeCzXByHLuuHjDfLceKmlUWFD+08p8QfV0ikXMBn0qTSJEXnBaDUupaG8aRS8M
|
secret: poAeCzXByHLuuHjDfLceKmlUWFD+08p8QfV0ikXMBn0qTSJEXnBaDUupaG8aRS8M
|
||||||
# Change other host specific options here
|
# Change other host specific options here
|
||||||
|
|
||||||
|
# knot 2.7 in Debian stable doesn't know double-ds yet
|
||||||
|
knot_dnssec_policy_cds_publish: always
|
||||||
|
|
|
@ -11,6 +11,3 @@ ns2.example.org
|
||||||
ns3.example.org
|
ns3.example.org
|
||||||
# TSIG update clients, also dummy host only
|
# TSIG update clients, also dummy host only
|
||||||
foo.example.org
|
foo.example.org
|
||||||
# Parents nameservers to check for publication of DS records upon KSK
|
|
||||||
# rollover
|
|
||||||
a.gtld-servers.net
|
|
||||||
|
|
|
@ -1,6 +1,5 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: Install and configure Knot
|
- hosts: nameserver
|
||||||
hosts: nameserver
|
|
||||||
roles:
|
roles:
|
||||||
- s3lph.nameserver.knot
|
- s3lph.nameserver.knot
|
||||||
|
|
|
@ -1,3 +1,5 @@
|
||||||
---
|
---
|
||||||
collections:
|
collections:
|
||||||
- name: s3lph.nameserver
|
- name: https://gitlab.com/s3lph/ansible-collection-nameserver
|
||||||
|
type: git
|
||||||
|
version: master
|
||||||
|
|
22
galaxy.yml
22
galaxy.yml
|
@ -1,3 +1,4 @@
|
||||||
|
### REQUIRED
|
||||||
# The namespace of the collection. This can be a company/brand/organization or product namespace under which all
|
# The namespace of the collection. This can be a company/brand/organization or product namespace under which all
|
||||||
# content lives. May only contain alphanumeric lowercase characters and underscores. Namespaces cannot start with
|
# content lives. May only contain alphanumeric lowercase characters and underscores. Namespaces cannot start with
|
||||||
# underscores or numbers and cannot contain consecutive underscores
|
# underscores or numbers and cannot contain consecutive underscores
|
||||||
|
@ -7,7 +8,7 @@ namespace: s3lph
|
||||||
name: nameserver
|
name: nameserver
|
||||||
|
|
||||||
# The version of the collection. Must be compatible with semantic versioning
|
# The version of the collection. Must be compatible with semantic versioning
|
||||||
version: "0.4.4"
|
version: 0.2
|
||||||
|
|
||||||
# The path to the Markdown (.md) readme file. This path is relative to the root of the collection
|
# The path to the Markdown (.md) readme file. This path is relative to the root of the collection
|
||||||
readme: README.md
|
readme: README.md
|
||||||
|
@ -15,7 +16,8 @@ readme: README.md
|
||||||
# A list of the collection's content authors. Can be just the name or in the format 'Full Name <email> (url)
|
# A list of the collection's content authors. Can be just the name or in the format 'Full Name <email> (url)
|
||||||
# @nicks:irc/im.site#channel'
|
# @nicks:irc/im.site#channel'
|
||||||
authors:
|
authors:
|
||||||
- s3lph <s3lph@kabelsalat.ch>
|
- s3lph <account-gitlab-ideynizv@kernelpanic.lol>
|
||||||
|
|
||||||
|
|
||||||
### OPTIONAL but strongly recommended
|
### OPTIONAL but strongly recommended
|
||||||
# A short summary description of the collection
|
# A short summary description of the collection
|
||||||
|
@ -24,12 +26,15 @@ description: Authoritative nameserver setup using knot
|
||||||
# Either a single license or a list of licenses for content inside of a collection. Ansible Galaxy currently only
|
# Either a single license or a list of licenses for content inside of a collection. Ansible Galaxy currently only
|
||||||
# accepts L(SPDX,https://spdx.org/licenses/) licenses. This key is mutually exclusive with 'license_file'
|
# accepts L(SPDX,https://spdx.org/licenses/) licenses. This key is mutually exclusive with 'license_file'
|
||||||
license:
|
license:
|
||||||
- MIT
|
- MIT
|
||||||
|
|
||||||
|
# The path to the license file for the collection. This path is relative to the root of the collection. This key is
|
||||||
|
# mutually exclusive with 'license'
|
||||||
|
license_file: ''
|
||||||
|
|
||||||
# A list of tags you want to associate with the collection for indexing/searching. A tag name has the same character
|
# A list of tags you want to associate with the collection for indexing/searching. A tag name has the same character
|
||||||
# requirements as 'namespace' and 'name'
|
# requirements as 'namespace' and 'name'
|
||||||
tags:
|
tags:
|
||||||
- application
|
|
||||||
- dns
|
- dns
|
||||||
- knot
|
- knot
|
||||||
- nameserver
|
- nameserver
|
||||||
|
@ -42,19 +47,20 @@ tags:
|
||||||
dependencies: {}
|
dependencies: {}
|
||||||
|
|
||||||
# The URL of the originating SCM repository
|
# The URL of the originating SCM repository
|
||||||
repository: https://git.kabelsalat.ch/s3lph/ansible-collection-nameserver
|
repository: https://gitlab.com/s3lph/ansible-collection-nameserver
|
||||||
|
|
||||||
# The URL to any online docs
|
# The URL to any online docs
|
||||||
documentation: https://git.kabelsalat.ch/s3lph/ansible-collection-nameserver
|
documentation: https://gitlab.com/s3lph/ansible-collection-nameserver
|
||||||
|
|
||||||
# The URL to the homepage of the collection/project
|
# The URL to the homepage of the collection/project
|
||||||
homepage: https://git.kabelsalat.ch/s3lph/ansible-collection-nameserver
|
homepage: https://gitlab.com/s3lph/ansible-collection-nameserver
|
||||||
|
|
||||||
# The URL to the collection issue tracker
|
# The URL to the collection issue tracker
|
||||||
issues: https://git.kabelsalat.ch/s3lph/ansible-collection-nameserver/issues
|
issues: https://gitlab.com/s3lph/ansible-collection-nameserver/-/issues
|
||||||
|
|
||||||
# A list of file glob-like patterns used to filter any files or directories that should not be included in the build
|
# A list of file glob-like patterns used to filter any files or directories that should not be included in the build
|
||||||
# artifact. A pattern is matched from the relative path of the file or directory of the collection directory. This
|
# artifact. A pattern is matched from the relative path of the file or directory of the collection directory. This
|
||||||
# uses 'fnmatch' to match the files or directories. Some directories and files like 'galaxy.yml', '*.pyc', '*.retry',
|
# uses 'fnmatch' to match the files or directories. Some directories and files like 'galaxy.yml', '*.pyc', '*.retry',
|
||||||
# and '.git' are always filtered
|
# and '.git' are always filtered
|
||||||
build_ignore: []
|
build_ignore: []
|
||||||
|
|
||||||
|
|
|
@ -1,52 +0,0 @@
|
||||||
---
|
|
||||||
# Collections must specify a minimum required ansible version to upload
|
|
||||||
# to galaxy
|
|
||||||
requires_ansible: '>=2.15'
|
|
||||||
|
|
||||||
# Content that Ansible needs to load from another location or that has
|
|
||||||
# been deprecated/removed
|
|
||||||
# plugin_routing:
|
|
||||||
# action:
|
|
||||||
# redirected_plugin_name:
|
|
||||||
# redirect: ns.col.new_location
|
|
||||||
# deprecated_plugin_name:
|
|
||||||
# deprecation:
|
|
||||||
# removal_version: "4.0.0"
|
|
||||||
# warning_text: |
|
|
||||||
# See the porting guide on how to update your playbook to
|
|
||||||
# use ns.col.another_plugin instead.
|
|
||||||
# removed_plugin_name:
|
|
||||||
# tombstone:
|
|
||||||
# removal_version: "2.0.0"
|
|
||||||
# warning_text: |
|
|
||||||
# See the porting guide on how to update your playbook to
|
|
||||||
# use ns.col.another_plugin instead.
|
|
||||||
# become:
|
|
||||||
# cache:
|
|
||||||
# callback:
|
|
||||||
# cliconf:
|
|
||||||
# connection:
|
|
||||||
# doc_fragments:
|
|
||||||
# filter:
|
|
||||||
# httpapi:
|
|
||||||
# inventory:
|
|
||||||
# lookup:
|
|
||||||
# module_utils:
|
|
||||||
# modules:
|
|
||||||
# netconf:
|
|
||||||
# shell:
|
|
||||||
# strategy:
|
|
||||||
# terminal:
|
|
||||||
# test:
|
|
||||||
# vars:
|
|
||||||
|
|
||||||
# Python import statements that Ansible needs to load from another location
|
|
||||||
# import_redirection:
|
|
||||||
# ansible_collections.ns.col.plugins.module_utils.old_location:
|
|
||||||
# redirect: ansible_collections.ns.col.plugins.module_utils.new_location
|
|
||||||
|
|
||||||
# Groups of actions/modules that take a common set of options
|
|
||||||
# action_groups:
|
|
||||||
# group_name:
|
|
||||||
# - module1
|
|
||||||
# - module2
|
|
|
@ -1,5 +0,0 @@
|
||||||
# Role s3lph.nameserver.knot
|
|
||||||
|
|
||||||
Documentation in `meta/argument_specs.yml`.
|
|
||||||
|
|
||||||
A usage example can be found in the `docs` folder of the collection.
|
|
|
@ -1,15 +1,11 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
knot_repository_install: false
|
|
||||||
knot_repository_url: https://deb.knot-dns.cz/knot/
|
|
||||||
knot_repository_distribution: "{{ ansible_facts.distribution_release }}"
|
|
||||||
|
|
||||||
knot_server_rundir: /run/knot
|
knot_server_rundir: /run/knot
|
||||||
knot_server_user: knot
|
knot_server_user: knot
|
||||||
knot_server_group: knot
|
knot_server_group: knot
|
||||||
knot_server_identity: "{{ ansible_facts.hostname }}"
|
knot_server_identity: "{{ ansible_hostname }}"
|
||||||
knot_server_nsid: "{{ ansible_facts.hostname }}"
|
knot_server_nsid: "{{ ansible_hostname }}"
|
||||||
knot_server_version: "{{ ansible_facts.hostname }}"
|
knot_server_version: "{{ ansible_hostname }}"
|
||||||
knot_server_listen:
|
knot_server_listen:
|
||||||
- "::@53"
|
- "::@53"
|
||||||
- "0.0.0.0@53"
|
- "0.0.0.0@53"
|
||||||
|
@ -23,18 +19,9 @@ knot_zone_replica_storage_path: /var/lib/knot/replica
|
||||||
knot_zone_semantic_checks: 'on'
|
knot_zone_semantic_checks: 'on'
|
||||||
knot_zone_dnssec_signing: 'on'
|
knot_zone_dnssec_signing: 'on'
|
||||||
|
|
||||||
knot_dnssec_policy_algorithm: ed25519
|
knot_dnssec_policy_algorithm: ecdsap384sha384
|
||||||
knot_dnssec_policy_nsec3: 'on'
|
knot_dnssec_policy_nsec3: 'on'
|
||||||
# Use of a NSEC3 salt is discouraged by RFC 9276, section 3.1
|
knot_dnssec_policy_ksk_shared: 'on'
|
||||||
knot_dnssec_policy_nsec3_salt_length: 0
|
knot_dnssec_policy_ksk_size: 384
|
||||||
knot_dnssec_policy_ksk_shared: 'off'
|
knot_dnssec_policy_zsk_size: 384
|
||||||
knot_dnssec_policy_ksk_size: 256
|
knot_dnssec_policy_cds_publish: 'double-ds'
|
||||||
knot_dnssec_policy_zsk_size: 256
|
|
||||||
knot_dnssec_policy_zsk_lifetime: 30d
|
|
||||||
knot_dnssec_policy_ksk_lifetime: 0
|
|
||||||
# double-ds breaks algorithm rollovers: https://gitlab.nic.cz/knot/knot-dns/-/issues/804
|
|
||||||
knot_dnssec_policy_cds_publish: 'always'
|
|
||||||
knot_dnssec_policy_propagation_delay: 1h
|
|
||||||
|
|
||||||
knot_dnssec_submission_check_interval: 1h
|
|
||||||
knot_dnssec_submission_timeout: 0
|
|
||||||
|
|
|
@ -1,11 +1,6 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: reload knot
|
- name: reload knot
|
||||||
ansible.builtin.service:
|
service:
|
||||||
name: knot
|
name: knot
|
||||||
state: reloaded
|
state: reloaded
|
||||||
|
|
||||||
- name: restart knot
|
|
||||||
ansible.builtin.service:
|
|
||||||
name: knot
|
|
||||||
state: restarted
|
|
||||||
|
|
|
@ -1,365 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
argument_specs:
|
|
||||||
|
|
||||||
main:
|
|
||||||
version_added: "0.0.1"
|
|
||||||
short_description: Install and configure Knot.
|
|
||||||
description:
|
|
||||||
- Install and configure the L(Knot,https://knot.readthedocs.io/en/latest/index.html) authoritative namesever.
|
|
||||||
- Zones are configured through YAML hostvars, rather than simply deploying zone files.
|
|
||||||
- "Execution of this role can be limited using the following tags:"
|
|
||||||
- "C(role::knot:install): Install knot from distribution packages or upstream repositories."
|
|
||||||
- "C(role::knot:config): Render the Knot configuration file."
|
|
||||||
- "C(role::knot:zones): Render the zone files for which Knot is authoritative."
|
|
||||||
- "C(role::knot): Apply all of the above."
|
|
||||||
author: s3lph
|
|
||||||
options:
|
|
||||||
knot_repository_install:
|
|
||||||
description:
|
|
||||||
- If true, install knot from the L(upstream repositories,https://deb.knot-dns.cz/knot/).
|
|
||||||
- If false, install knot from the default system repositories.
|
|
||||||
type: bool
|
|
||||||
default: false
|
|
||||||
knot_repository_url:
|
|
||||||
description: URL of the upstream repository.
|
|
||||||
type: str
|
|
||||||
default: https://deb.knot-dns.cz/knot/
|
|
||||||
knot_repository_distribution:
|
|
||||||
description:
|
|
||||||
- Suite name (distribution codename) of the upstream repository.
|
|
||||||
- Defaults to the value of C(ansible_facts.distribution_release).
|
|
||||||
type: str
|
|
||||||
|
|
||||||
knot_server_rundir:
|
|
||||||
description: Runtime directory where Knot should e.g. write its control socket to.
|
|
||||||
type: str
|
|
||||||
default: /run/knot
|
|
||||||
knot_server_user:
|
|
||||||
description: The user to run knot as.
|
|
||||||
type: str
|
|
||||||
default: knot
|
|
||||||
knot_server_group:
|
|
||||||
description: The group to run knot as.
|
|
||||||
type: str
|
|
||||||
default: knot
|
|
||||||
knot_server_identity:
|
|
||||||
description:
|
|
||||||
- Response to a C(id.server. CH TXT) or C(hostname.bind. CH TXT) query.
|
|
||||||
- Set to an empty value to disable.
|
|
||||||
- Defaults to C(ansible_facts.hostname).
|
|
||||||
type: str
|
|
||||||
knot_server_nsid:
|
|
||||||
description:
|
|
||||||
- The RFC 5001 NSID to include in responses when requested by the resolver.
|
|
||||||
- Set to an empty value to disable.
|
|
||||||
- Defaults to C(ansible_facts.hostname).
|
|
||||||
type: str
|
|
||||||
knot_server_version:
|
|
||||||
description:
|
|
||||||
- Response to a C(version.server. CH TXT) or C(version.bind. CH TXT) query.
|
|
||||||
- Set to an empty value to disable.
|
|
||||||
- Defaults to C(ansible_facts.hostname).
|
|
||||||
type: str
|
|
||||||
knot_server_listen:
|
|
||||||
description:
|
|
||||||
- The list of interfaces to listen on.
|
|
||||||
- Host and port are separated with an C(@) sign.
|
|
||||||
type: list
|
|
||||||
elements: str
|
|
||||||
default: ["::@53", "0.0.0.0@53"]
|
|
||||||
knot_dns_addresses:
|
|
||||||
description:
|
|
||||||
- Addresses under which the nameserver is reachable externally.
|
|
||||||
- Used for zone replication and notification and for KSK submission checks.
|
|
||||||
- Required to be set for all members of a replicated setup.
|
|
||||||
type: list
|
|
||||||
elements: str
|
|
||||||
default: []
|
|
||||||
|
|
||||||
knot_log_targets:
|
|
||||||
description:
|
|
||||||
- Logging configuration of Knot.
|
|
||||||
- Every entry is a dict consisting of at least a C(target) key.
|
|
||||||
- >-
|
|
||||||
Details on logging configuration can be found in the
|
|
||||||
U(upstream documentation,https://knot.readthedocs.io/en/latest/reference.html#log-section)
|
|
||||||
type: list
|
|
||||||
elements: dict
|
|
||||||
default:
|
|
||||||
- target: syslog
|
|
||||||
level: info
|
|
||||||
|
|
||||||
knot_zone_master_storage_path:
|
|
||||||
description: Location from where Knot should read zonefiles for which it is the primary server.
|
|
||||||
type: str
|
|
||||||
default: /var/lib/knot/master
|
|
||||||
knot_zone_replica_storage_path:
|
|
||||||
description: Location where Knot should store replicated zonefiles.
|
|
||||||
type: str
|
|
||||||
default: /var/lib/knot/replica
|
|
||||||
knot_zone_semantic_checks:
|
|
||||||
description: If set to C(on), Knot will perform additional zonefile checks.
|
|
||||||
type: str
|
|
||||||
default: 'on'
|
|
||||||
knot_zone_dnssec_signing:
|
|
||||||
description:
|
|
||||||
- If set to C(on), Knot will automatically configure DNSSEC zone signing.
|
|
||||||
- If set to C(off), Knot will not sign zones automatically.
|
|
||||||
type: str
|
|
||||||
default: 'on'
|
|
||||||
|
|
||||||
knot_dnssec_policy_algorithm:
|
|
||||||
description: The DNSSEC signing algorithm to use.
|
|
||||||
type: str
|
|
||||||
default: ed25519
|
|
||||||
knot_dnssec_policy_nsec3:
|
|
||||||
description:
|
|
||||||
- If set to C(on), C(NSEC3) is used instead of C(NSEC).
|
|
||||||
- If set to C(off), C(NSEC) is used, which allows full zone enumeration.
|
|
||||||
type: str
|
|
||||||
default: 'on'
|
|
||||||
knot_dnssec_policy_nsec3_salt_length:
|
|
||||||
description:
|
|
||||||
- Length of the NSEC3 salt field.
|
|
||||||
- >-
|
|
||||||
Use of a NSEC3 salt is discouraged by
|
|
||||||
U(RFC 9276,https://datatracker.ietf.org/doc/html/rfc9276#section-3.1).
|
|
||||||
type: int
|
|
||||||
default: 0
|
|
||||||
knot_dnssec_policy_ksk_size:
|
|
||||||
description:
|
|
||||||
- Size (in bits) of the KSK.
|
|
||||||
- >-
|
|
||||||
Permitted values in combination with O(knot_dnssec_policy_algorithm) are documented in the
|
|
||||||
U(upstream documentation,https://knot.readthedocs.io/en/latest/reference.html#ksk-size).
|
|
||||||
type: int
|
|
||||||
default: 256
|
|
||||||
knot_dnssec_policy_zsk_size:
|
|
||||||
description:
|
|
||||||
- Size (in bits) of the KSK.
|
|
||||||
- >-
|
|
||||||
Permitted values in combination with O(knot_dnssec_policy_algorithm) are documented in the
|
|
||||||
U(upstream documentation,https://knot.readthedocs.io/en/latest/reference.html#ksk-size).
|
|
||||||
type: int
|
|
||||||
default: 256
|
|
||||||
knot_dnssec_policy_zsk_lifetime:
|
|
||||||
description: Time after which the ZSK should be rotated automatically.
|
|
||||||
type: str
|
|
||||||
default: 30d
|
|
||||||
knot_dnssec_policy_ksk_lifetime:
|
|
||||||
description: Time after which the KSK should be rotated automatically.
|
|
||||||
type: str
|
|
||||||
default: "0"
|
|
||||||
knot_dnssec_policy_cds_publish:
|
|
||||||
description:
|
|
||||||
- If and when to publish C(CDS) and C(CDNSKEY) records.
|
|
||||||
- >-
|
|
||||||
Supported values and their meaning are documented in the
|
|
||||||
U(upstream documentation,https://knot.readthedocs.io/en/latest/reference.html#cds-cdnskey-publish)
|
|
||||||
- Do not use the C(double-ds) policy when performing automated KSK rollovers. It will break the chain of trust.
|
|
||||||
type: str
|
|
||||||
default: 'always'
|
|
||||||
knot_dnssec_policy_propagation_delay:
|
|
||||||
description: Additional time to wait before continuing with each step of a key rollover.
|
|
||||||
type: str
|
|
||||||
default: 1h
|
|
||||||
|
|
||||||
knot_dnssec_submission_check_interval:
|
|
||||||
description: How often during a KSK rollover Knot should check submission nameservers for the new DS RRSet.
|
|
||||||
type: str
|
|
||||||
default: 1h
|
|
||||||
knot_dnssec_submission_timeout:
|
|
||||||
description:
|
|
||||||
- >-
|
|
||||||
Time after which a KSK submission to the parent nameserver should automatically be considered successful,
|
|
||||||
even if the new DS RRSet has not been found on the submussion nameserver.
|
|
||||||
type: str
|
|
||||||
default: "0"
|
|
||||||
|
|
||||||
knot_tsig_key:
|
|
||||||
description:
|
|
||||||
- The TSIG key used by this host for zone transfers or updates.
|
|
||||||
- >-
|
|
||||||
This shared key will be configured automatically for all zones involving this host in
|
|
||||||
O(replicas) or O(updaters).
|
|
||||||
type: dict
|
|
||||||
default: null
|
|
||||||
options:
|
|
||||||
name:
|
|
||||||
description:
|
|
||||||
- The name of the key.
|
|
||||||
- Should be a FQDN including the trailing C(.), e.g. C(tsig.hostname.example.org.).
|
|
||||||
type: str
|
|
||||||
required: true
|
|
||||||
algorithm:
|
|
||||||
description: The key algorithm, e.g. C(hmac-sha384).
|
|
||||||
type: str
|
|
||||||
required: true
|
|
||||||
secret:
|
|
||||||
description:
|
|
||||||
- The shared secret of this key.
|
|
||||||
- Generate a new key with e.g. C(keymgr -t tsig.foo.example.org. hmac-sha384).
|
|
||||||
- This is a secret. Protect it e.g. with C(ansible-vault)!
|
|
||||||
type: str
|
|
||||||
required: true
|
|
||||||
|
|
||||||
knot_zone_*:
|
|
||||||
description:
|
|
||||||
- Zone configurations, one top-level dict per zone.
|
|
||||||
- >-
|
|
||||||
Recomendation: You can use an arbitrary string after C(knot_zone_), but we recommend to use the zone name
|
|
||||||
with C(.) replaced by (_).
|
|
||||||
- "Recommendation: Keep one file per zone in C(group_vars/nameservers/zones/zone_<zonename>.yml)."
|
|
||||||
type: dict
|
|
||||||
required: false
|
|
||||||
options:
|
|
||||||
name:
|
|
||||||
description: Fully qualified name of the zone, including the trailing C(.).
|
|
||||||
type: str
|
|
||||||
required: true
|
|
||||||
soa:
|
|
||||||
description: Contains the values required to synthesize the C(SOA) record of the zone apex.
|
|
||||||
type: dict
|
|
||||||
required: true
|
|
||||||
options:
|
|
||||||
class:
|
|
||||||
description: Class for the records in this zone, usually C(IN).
|
|
||||||
type: str
|
|
||||||
required: true
|
|
||||||
primary:
|
|
||||||
description:
|
|
||||||
- FQDN of the autoritative nameserver of the zone.
|
|
||||||
- Also known as C(MNAME).
|
|
||||||
type: str
|
|
||||||
required: true
|
|
||||||
rname:
|
|
||||||
description:
|
|
||||||
- Email address of the administrator.
|
|
||||||
- The C(@) must be replaced with a C(.).
|
|
||||||
- C(.) in the localpart must be escaled as C(\.).
|
|
||||||
type: str
|
|
||||||
required: true
|
|
||||||
refresh:
|
|
||||||
description:
|
|
||||||
- How often (in seconds) replicas should query the primary for SOA changes.
|
|
||||||
type: int
|
|
||||||
required: true
|
|
||||||
retry:
|
|
||||||
description:
|
|
||||||
- How long (in seconds) replicas should wait to retry a failed zone transfer.
|
|
||||||
type: int
|
|
||||||
required: true
|
|
||||||
expire:
|
|
||||||
description:
|
|
||||||
- How long after the last update (in seconds) replicas should stop serving a zone.
|
|
||||||
type: int
|
|
||||||
required: true
|
|
||||||
ttl:
|
|
||||||
description:
|
|
||||||
- Default TTL (in seconds) for all entries in the zone, and TTL of the SOA record.
|
|
||||||
type: int
|
|
||||||
required: true
|
|
||||||
min_ttl:
|
|
||||||
description:
|
|
||||||
- TTL (in seconds) of negative responses.
|
|
||||||
type: int
|
|
||||||
required: true
|
|
||||||
records:
|
|
||||||
description:
|
|
||||||
- All the records in this zone go here.
|
|
||||||
type: list
|
|
||||||
elements: dict
|
|
||||||
options:
|
|
||||||
name:
|
|
||||||
description:
|
|
||||||
- Name of the record.
|
|
||||||
- Records without a trailing C(.) are relative to the zone apex.
|
|
||||||
- Use C(@) to refer to the zone apex itself.
|
|
||||||
type: str
|
|
||||||
required: true
|
|
||||||
ttl:
|
|
||||||
description:
|
|
||||||
- TTL of this record.
|
|
||||||
- If omitted, defaults to the zone TTL set in the O(soa) section.
|
|
||||||
type: int
|
|
||||||
class:
|
|
||||||
description:
|
|
||||||
- Class of this record.
|
|
||||||
- If omitted, defaults to the class set in the O(soa) section.
|
|
||||||
type: str
|
|
||||||
type:
|
|
||||||
description: Type of the record, e.g. C(AAAA), C(A) or C(CNAME).
|
|
||||||
type: str
|
|
||||||
required: true
|
|
||||||
value:
|
|
||||||
description:
|
|
||||||
- Value of the record.
|
|
||||||
- >-
|
|
||||||
Length restrictions for TXT records apply. Subdivide them with single-quoted double quotes
|
|
||||||
e.g. C('"first part of the txt record " "second part of the txt record"')
|
|
||||||
type: str
|
|
||||||
required: true
|
|
||||||
masters:
|
|
||||||
description:
|
|
||||||
- Hostnames of servers which should act as a primary for this zone.
|
|
||||||
- Zonefile will be deployed to hosts whose C(inventory_hostname) is contained in this list.
|
|
||||||
type: list
|
|
||||||
default: []
|
|
||||||
replicas:
|
|
||||||
description:
|
|
||||||
- Hostnames of servers which should at as a replica for this zone.
|
|
||||||
- >-
|
|
||||||
Hosts whose C(inventory_hostname) is contained in this list are automatically configured
|
|
||||||
to replicate this zone.
|
|
||||||
updaters:
|
|
||||||
description:
|
|
||||||
- Hostnames of servers which should be permitted to submit TSIG zone updates for this zone.
|
|
||||||
- >-
|
|
||||||
The O(knot_tsig_key)s of hosts whose C(inventory_hostname) is contained in this list are configured as
|
|
||||||
permitted TSIG updaters for this zone.
|
|
||||||
- The inventory entry for this host can be a dummy. Its hostvars are only used to fetch the key.
|
|
||||||
parents:
|
|
||||||
description:
|
|
||||||
- Hostnames of servers which should be checked for KSK submissions.
|
|
||||||
- >-
|
|
||||||
The O(knot_dns_addresses) of hosts whose C(inventory_hostname) is contained in this list are configured
|
|
||||||
as KSK submission servers, which are regularly checked to verify the upstream DS RRSet.
|
|
||||||
- The inventory entry for this host can be a dummy. Its hostvars are only used to hold its IPs.
|
|
||||||
algorithm:
|
|
||||||
description: Zone-specific override for O(knot_dnssec_policy_algorithm).
|
|
||||||
type: str
|
|
||||||
ksk_size:
|
|
||||||
description: Zone-specific override for O(knot_dnssec_policy_ksk_size).
|
|
||||||
type: str
|
|
||||||
zsk_size:
|
|
||||||
description: Zone-specific override for O(knot_dnssec_policy_zsk_size).
|
|
||||||
type: str
|
|
||||||
ksk_lifetime:
|
|
||||||
description: Zone-specific override for O(knot_dnssec_policy_ksk_lifetime).
|
|
||||||
type: str
|
|
||||||
zsk_lifetime:
|
|
||||||
description: Zone-specific override for O(knot_dnssec_policy_zsk_lifetime).
|
|
||||||
type: str
|
|
||||||
propagation_delay:
|
|
||||||
description: Zone-specific override for O(knot_dnssec_policy_propagation_delay).
|
|
||||||
type: str
|
|
||||||
cds_cdnskey_publish:
|
|
||||||
description: Zone-specific override for O(knot_dnssec_policy_cds_publish).
|
|
||||||
type: str
|
|
||||||
sign_on_secondary:
|
|
||||||
description:
|
|
||||||
- Whether Knot should sign this zone even if it is not the primary nameserver.
|
|
||||||
- Useful if Knot is used with a hidden primary that does not support DNSSEC.
|
|
||||||
type: bool
|
|
||||||
default: false
|
|
||||||
replicate:
|
|
||||||
description:
|
|
||||||
- >-
|
|
||||||
Note: This option is used for more complex replication hierarchies. Chances are you want to use
|
|
||||||
O(replicas) instead.
|
|
||||||
- Configure further replication to other nameservers even if the server is already a replica itself.
|
|
||||||
- This works in addition to the replication configured through O(masters)/O(replicas).
|
|
||||||
- Takes a dict where each upstream is mapped to a list of downstreams.
|
|
||||||
type: dict
|
|
||||||
default: {}
|
|
|
@ -1,60 +1,12 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: Render knot master config
|
- name: render knot master config
|
||||||
ansible.builtin.template:
|
template:
|
||||||
src: etc/knot/knot.conf.j2
|
src: etc/knot/knot.conf.j2
|
||||||
dest: /etc/knot/knot.conf
|
dest: /etc/knot/knot.conf
|
||||||
owner: knot
|
owner: knot
|
||||||
group: knot
|
group: knot
|
||||||
mode: "0640"
|
mode: 0640
|
||||||
vars:
|
vars:
|
||||||
zones: "{{ hostvars[inventory_hostname] | dict2items | selectattr('key', 'match', '^knot_zone_.+$') | map(attribute='value') | list }}"
|
zones: "{{ hostvars[inventory_hostname] | dict2items | selectattr('key', 'match', '^knot_zone_.+$') | map(attribute='value') | list }}"
|
||||||
notify: restart knot
|
|
||||||
|
|
||||||
- name: Create knot zone directories
|
|
||||||
ansible.builtin.file:
|
|
||||||
path: "{{ item }}"
|
|
||||||
state: directory
|
|
||||||
owner: knot
|
|
||||||
group: knot
|
|
||||||
mode: "0750"
|
|
||||||
loop:
|
|
||||||
- "{{ knot_zone_master_storage_path }}"
|
|
||||||
- "{{ knot_zone_replica_storage_path }}"
|
|
||||||
|
|
||||||
- name: Make sure all zones have a name
|
|
||||||
ansible.builtin.assert:
|
|
||||||
that:
|
|
||||||
- "'name' in item.value"
|
|
||||||
- "item.value.name | type_debug == 'str'"
|
|
||||||
fail_msg: "{{ item.key }} does not have a name"
|
|
||||||
loop: "{{ hostvars[inventory_hostname] | dict2items | selectattr('key', 'match', '^knot_zone_.+$') | list }}"
|
|
||||||
|
|
||||||
- name: Make sure all zones have at least one master defined
|
|
||||||
ansible.builtin.assert:
|
|
||||||
that:
|
|
||||||
- "'masters' in item.value"
|
|
||||||
- "item.value.masters | type_debug == 'list'"
|
|
||||||
- "item.value.masters | length > 0"
|
|
||||||
fail_msg: "{{ item.key }} does not have a zone master"
|
|
||||||
loop: "{{ hostvars[inventory_hostname] | dict2items | selectattr('key', 'match', '^knot_zone_.+$') | list }}"
|
|
||||||
|
|
||||||
- name: Render knot zone files
|
|
||||||
ansible.builtin.template:
|
|
||||||
src: var/lib/knot/master/zone.j2
|
|
||||||
dest: "{{ knot_zone_master_storage_path }}/{{ item.name }}zone"
|
|
||||||
owner: knot
|
|
||||||
group: knot
|
|
||||||
mode: "0640"
|
|
||||||
validate: "/usr/bin/kzonecheck -o {{ item.name }} -v %s"
|
|
||||||
vars:
|
|
||||||
zone: "{{ item }}"
|
|
||||||
when: "inventory_hostname in item['masters']"
|
|
||||||
loop: "{{ hostvars[inventory_hostname] | dict2items | selectattr('key', 'match', '^knot_zone_.+$') | map(attribute='value') | list }}"
|
|
||||||
notify: reload knot
|
notify: reload knot
|
||||||
|
|
||||||
- name: Start and enable knot
|
|
||||||
ansible.builtin.service:
|
|
||||||
name: knot
|
|
||||||
state: started
|
|
||||||
enabled: true
|
|
||||||
|
|
|
@ -1,18 +1,15 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: Install knot repository
|
- name: install dependencies
|
||||||
ansible.builtin.deb822_repository:
|
package:
|
||||||
name: knot
|
name: knot
|
||||||
types: deb
|
state: present
|
||||||
uris: "{{ knot_repository_url }}"
|
loop:
|
||||||
suites: "{{ knot_repository_distribution }}"
|
|
||||||
components: main
|
|
||||||
signed_by: https://deb.knot-dns.cz/apt.gpg
|
|
||||||
when: knot_repository_install
|
|
||||||
|
|
||||||
- name: Install dependencies
|
|
||||||
ansible.builtin.package:
|
|
||||||
name:
|
|
||||||
- knot
|
- knot
|
||||||
- knot-dnsutils
|
- knot-dnsutils
|
||||||
- knot-dnssecutils
|
|
||||||
|
- name: start and enable knot
|
||||||
|
service:
|
||||||
|
name: knot
|
||||||
|
state: started
|
||||||
|
enabled: yes
|
||||||
|
|
|
@ -1,14 +1,19 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
- name: Install knot
|
- name: install knot
|
||||||
ansible.builtin.import_tasks: install.yml
|
import_tasks: install.yml
|
||||||
tags:
|
tags:
|
||||||
- "role::knot"
|
- "role::knot"
|
||||||
- "role::knot:install"
|
- "role::knot:install"
|
||||||
|
|
||||||
- name: Configure knot
|
- name: render zonefiles
|
||||||
ansible.builtin.import_tasks: config.yml
|
import_tasks: zones.yml
|
||||||
|
tags:
|
||||||
|
- "role::knot"
|
||||||
|
- "role::knot:zones"
|
||||||
|
|
||||||
|
- name: configure knot
|
||||||
|
import_tasks: config.yml
|
||||||
tags:
|
tags:
|
||||||
- "role::knot"
|
- "role::knot"
|
||||||
- "role::knot:config"
|
- "role::knot:config"
|
||||||
- "role::knot:zones" # Backwards compat; this used to be a separate file
|
|
||||||
|
|
43
roles/knot/tasks/zones.yml
Normal file
43
roles/knot/tasks/zones.yml
Normal file
|
@ -0,0 +1,43 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: create knot zone directories
|
||||||
|
file:
|
||||||
|
path: "{{ item }}"
|
||||||
|
state: directory
|
||||||
|
owner: knot
|
||||||
|
group: knot
|
||||||
|
mode: 0750
|
||||||
|
loop:
|
||||||
|
- "{{ knot_zone_master_storage_path }}"
|
||||||
|
- "{{ knot_zone_replica_storage_path }}"
|
||||||
|
|
||||||
|
- name: make sure all zones have a name
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- "'name' in item.value"
|
||||||
|
- "item.value.name | type_debug == 'str'"
|
||||||
|
fail_msg: "{{ item.key }} does not have a name"
|
||||||
|
loop: "{{ hostvars[inventory_hostname] | dict2items | selectattr('key', 'match', '^knot_zone_.+$') | list }}"
|
||||||
|
|
||||||
|
- name: make sure all zones have at least one master defined
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- "'masters' in item.value"
|
||||||
|
- "item.value.masters | type_debug == 'list'"
|
||||||
|
- "item.value.masters | length > 0"
|
||||||
|
fail_msg: "{{ item.key }} does not have a zone master"
|
||||||
|
loop: "{{ hostvars[inventory_hostname] | dict2items | selectattr('key', 'match', '^knot_zone_.+$') | list }}"
|
||||||
|
|
||||||
|
- name: render knot zone files
|
||||||
|
template:
|
||||||
|
src: var/lib/knot/master/zone.j2
|
||||||
|
dest: "{{ knot_zone_master_storage_path }}/{{ item.name }}zone"
|
||||||
|
owner: knot
|
||||||
|
group: knot
|
||||||
|
mode: 0640
|
||||||
|
validate: /usr/bin/kzonecheck -v %s
|
||||||
|
vars:
|
||||||
|
zone: "{{ item }}"
|
||||||
|
when: "inventory_hostname in item['masters']"
|
||||||
|
loop: "{{ hostvars[inventory_hostname] | dict2items | selectattr('key', 'match', '^knot_zone_.+$') | map(attribute='value') | list }}"
|
||||||
|
notify: reload knot
|
|
@ -35,7 +35,7 @@ key:
|
||||||
|
|
||||||
|
|
||||||
remote:
|
remote:
|
||||||
{% for remote in ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) + (zones | map(attribute='parents') | select('defined') ) ) | flatten | unique %}
|
{% for remote in ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) ) | flatten | unique %}
|
||||||
|
|
||||||
- id: remote-{{ remote }}
|
- id: remote-{{ remote }}
|
||||||
{% if knot_tsig_key is defined and 'knot_tsig_key' in hostvars[remote] %}
|
{% if knot_tsig_key is defined and 'knot_tsig_key' in hostvars[remote] %}
|
||||||
|
@ -48,7 +48,7 @@ remote:
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
acl:
|
acl:
|
||||||
{% for remote in ( zones | map(attribute='replicas') ) | flatten | unique %}
|
{% for remote in zones | map(attribute='replicas') | flatten | unique %}
|
||||||
|
|
||||||
- id: acl-xfr-{{ remote }}
|
- id: acl-xfr-{{ remote }}
|
||||||
action: transfer
|
action: transfer
|
||||||
|
@ -56,7 +56,7 @@ acl:
|
||||||
key: {{ hostvars[remote].knot_tsig_key.name }}
|
key: {{ hostvars[remote].knot_tsig_key.name }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% for address in hostvars[remote].knot_dns_addresses %}
|
{% for address in hostvars[remote].knot_dns_addresses %}
|
||||||
address: "{{ address.split('@')[0] }}"
|
address: "{{ address }}"
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
|
@ -68,7 +68,7 @@ acl:
|
||||||
key: {{ hostvars[remote].knot_tsig_key.name }}
|
key: {{ hostvars[remote].knot_tsig_key.name }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% for address in hostvars[remote].knot_dns_addresses %}
|
{% for address in hostvars[remote].knot_dns_addresses %}
|
||||||
address: "{{ address.split('@')[0] }}"
|
address: "{{ address }}"
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
|
@ -84,36 +84,17 @@ acl:
|
||||||
# MASTER ZONES
|
# MASTER ZONES
|
||||||
#
|
#
|
||||||
|
|
||||||
submission:
|
|
||||||
{% for zone in zones %}
|
|
||||||
{% if inventory_hostname in zone.masters or (inventory_hostname in zone.replicas and zone.sign_on_secondary | default(false)) %}
|
|
||||||
|
|
||||||
- id: submission-{{ zone.name }}
|
|
||||||
check-interval: {{ knot_dnssec_submission_check_interval }}
|
|
||||||
timeout: {{ knot_dnssec_submission_timeout }}
|
|
||||||
{% if zone.parents is defined and zone.parents | length > 0 %}
|
|
||||||
parent:{% for parent in zone.parents %} remote-{{ parent }}{% endfor %}
|
|
||||||
|
|
||||||
{% endif %}
|
|
||||||
{% endif %}
|
|
||||||
{% endfor %}
|
|
||||||
|
|
||||||
policy:
|
policy:
|
||||||
{% for zone in zones %}
|
{% for zone in zones %}
|
||||||
{% if inventory_hostname in zone.masters or (inventory_hostname in zone.replicas and zone.sign_on_secondary | default(false)) %}
|
{% if inventory_hostname in zone.masters %}
|
||||||
|
|
||||||
- id: dnssec-{{ zone.name }}
|
- id: dnssec-{{ zone.name }}
|
||||||
algorithm: {{ zone.algorithm | default(knot_dnssec_policy_algorithm) }}
|
algorithm: {{ knot_dnssec_policy_algorithm }}
|
||||||
nsec3: {{ zone.nsec3 | default(knot_dnssec_policy_nsec3) }}
|
nsec3: {{ knot_dnssec_policy_nsec3 }}
|
||||||
nsec3-salt-length: {{ zone.nsec3_salt_length | default(knot_dnssec_policy_nsec3_salt_length) }}
|
ksk-size: {{ knot_dnssec_policy_ksk_size }}
|
||||||
ksk-size: {{ zone.ksk_size | default(knot_dnssec_policy_ksk_size) }}
|
zsk-size: {{ knot_dnssec_policy_zsk_size }}
|
||||||
zsk-size: {{ zone.zsk_size | default(knot_dnssec_policy_zsk_size) }}
|
|
||||||
zsk-lifetime: {{ zone.zsk_lifetime | default(knot_dnssec_policy_zsk_lifetime) }}
|
|
||||||
ksk-lifetime: {{ zone.ksk_lifetime | default(knot_dnssec_policy_ksk_lifetime) }}
|
|
||||||
ksk-submission: submission-{{ zone.name }}
|
|
||||||
ksk-shared: {{ knot_dnssec_policy_ksk_shared }}
|
ksk-shared: {{ knot_dnssec_policy_ksk_shared }}
|
||||||
propagation-delay: {{ zone.propagation_delay | default(knot_dnssec_policy_propagation_delay) }}
|
cds-cdnskey-publish: {{ knot_dnssec_policy_cds_publish }}
|
||||||
cds-cdnskey-publish: {{ zone.cds_cdnskey_publish | default(knot_dnssec_policy_cds_publish) }}
|
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
|
@ -125,9 +106,7 @@ zone:
|
||||||
storage: {{ knot_zone_master_storage_path }}
|
storage: {{ knot_zone_master_storage_path }}
|
||||||
semantic-checks: {{ knot_zone_semantic_checks }}
|
semantic-checks: {{ knot_zone_semantic_checks }}
|
||||||
serial-policy: unixtime
|
serial-policy: unixtime
|
||||||
zonefile-load: difference-no-serial
|
zonefile-load: difference
|
||||||
zonefile-sync: -1
|
|
||||||
journal-content: all
|
|
||||||
dnssec-signing: {{ knot_zone_dnssec_signing }}
|
dnssec-signing: {{ knot_zone_dnssec_signing }}
|
||||||
dnssec-policy: dnssec-{{ zone.name }}
|
dnssec-policy: dnssec-{{ zone.name }}
|
||||||
{% for replica in zone.replicas %}
|
{% for replica in zone.replicas %}
|
||||||
|
@ -159,19 +138,9 @@ zone:
|
||||||
{% for master in zone.masters %}
|
{% for master in zone.masters %}
|
||||||
acl: acl-notify-{{ master }}
|
acl: acl-notify-{{ master }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% for xfer in (zone.replicate | default({})).get(inventory_hostname, []) %}
|
|
||||||
acl: acl-xfr-{{ xfer }}
|
|
||||||
{% endfor %}
|
|
||||||
{% for master in zone.masters %}
|
{% for master in zone.masters %}
|
||||||
master: remote-{{ master }}
|
master: remote-{{ master }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% for notify in (zone.replicate | default({})).get(inventory_hostname, []) %}
|
|
||||||
notify: remote-{{ notify }}
|
|
||||||
{% endfor %}
|
|
||||||
{% if zone.sign_on_secondary | default(false) %}
|
|
||||||
dnssec-signing: {{ knot_zone_dnssec_signing }}
|
|
||||||
dnssec-policy: dnssec-{{ zone.name }}
|
|
||||||
{% endif %}
|
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
$TTL {{ zone.soa.ttl }}
|
$TTL {{ zone.soa.ttl }}
|
||||||
|
|
||||||
@ {{ zone.soa.class }} SOA {{ zone.soa.primary }}. {{ zone.soa.rname }}. (
|
@ {{ zone.soa.class }} SOA {{ zone.soa.primary }}. {{ zone.soa.rname }}. (
|
||||||
0 ; serial (ignored by knot, uses unixtime instead)
|
{{ ansible_date_time.epoch }} ; serial
|
||||||
{{ zone.soa.refresh }} ; refresh
|
{{ zone.soa.refresh }} ; refresh
|
||||||
{{ zone.soa.retry }} ; retry
|
{{ zone.soa.retry }} ; retry
|
||||||
{{ zone.soa.expire }} ; expire
|
{{ zone.soa.expire }} ; expire
|
||||||
|
|
Loading…
Reference in a new issue