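{{ ansible_managed | comment }}

# See knot.conf(5) or refer to the server documentation.
#
# Rendered by Ansible from the `zones` inventory structure. Each zone
# names its `masters`, `replicas` and, optionally, `updaters` and
# `parents` by inventory hostname; the peers' hostvars (knot_tsig_key,
# knot_dns_addresses) are read to build the key, remote and acl sections
# so that every host in the group renders a mutually consistent view.
{# Jinja block tags stay at column 0: Ansible trims the newline after a
   block tag but not the indentation before it, so an indented tag would
   leak its leading spaces into the rendered line that follows. #}

server:
  rundir: "{{ knot_server_rundir }}"
  user: "{{ knot_server_user }}:{{ knot_server_group }}"
  identity: "{{ knot_server_identity }}"
  nsid: "{{ knot_server_nsid }}"
{% for addr in knot_server_listen %}
  listen: "{{ addr }}"
{% endfor %}

log:
{% for target in knot_log_targets %}
  - target: "{{ target.target }}"
    any: "{{ target.level }}"
{% endfor %}

#
# ALL KNOWN REMOTES, TSIG KEYS AND ACLs
#

# TSIG keys of every peer this server exchanges zone data with: the
# replicas, masters and dynamic updaters of any zone. A peer without a
# knot_tsig_key in its hostvars gets no entry here and is therefore only
# ever matched by source address in the ACLs below.
# The rendered file holds the secrets in clear text; the task that writes
# it is expected to keep it readable by the knot user only.
key:
{% for remote in ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) + (zones | map(attribute='updaters') | select('defined') ) ) | flatten | unique %}
{% if 'knot_tsig_key' in hostvars[remote] %}
  - id: {{ hostvars[remote].knot_tsig_key.name }}
    algorithm: {{ hostvars[remote].knot_tsig_key.algorithm }}
    secret: {{ hostvars[remote].knot_tsig_key.secret }}
{% endif %}
{% endfor %}

# One remote per replica, master and DNSSEC parent. Outgoing traffic to a
# remote is signed with this host's own key, and only when the remote has
# a key as well, so TSIG is used mutually or not at all.
remote:
{% for remote in ( (zones | map(attribute='replicas') ) + (zones | map(attribute='masters') ) + (zones | map(attribute='parents') | select('defined') ) ) | flatten | unique %}
  - id: remote-{{ remote }}
{% if knot_tsig_key is defined and 'knot_tsig_key' in hostvars[remote] %}
{# only use TSIG mutually, i.e. if both parties have a key #}
    key: {{ knot_tsig_key.name }}
{% endif %}
{% for address in hostvars[remote].knot_dns_addresses %}
    address: "{{ address }}"
{% endfor %}
{% endfor %}

acl:
# Outgoing zone transfer to each replica. When the replica has a TSIG key
# the transfer must be signed with it; otherwise the ACL matches on the
# source address alone.
{% for remote in zones | map(attribute='replicas') | flatten | unique %}
  - id: acl-xfr-{{ remote }}
    action: transfer
{% if 'knot_tsig_key' in hostvars[remote] %}
    key: {{ hostvars[remote].knot_tsig_key.name }}
{% endif %}
    # ACL addresses carry no port: drop a trailing "@port" from the
    # remote's listen address, as the notify ACL does (no-op without "@").
{% for address in hostvars[remote].knot_dns_addresses %}
    address: "{{ address.split('@')[0] }}"
{% endfor %}
{% endfor %}

# Incoming NOTIFY from each master, signed with the master's key when it
# has one, otherwise matched by source address alone.
{% for remote in zones | map(attribute='masters') | flatten | unique %}
  - id: acl-notify-{{ remote }}
    action: notify
{% if 'knot_tsig_key' in hostvars[remote] %}
    key: {{ hostvars[remote].knot_tsig_key.name }}
{% endif %}
{% for address in hostvars[remote].knot_dns_addresses %}
    address: "{{ address.split('@')[0] }}"
{% endfor %}
{% endfor %}

# Dynamic updates are key-only: no address restriction is emitted. The
# updater's key is referenced unconditionally, so rendering aborts (under
# Ansible's default handling of undefined variables) when an updater has
# no knot_tsig_key, rather than producing an unauthenticated update ACL.
{% for remote in zones | map(attribute='updaters') | select('defined') | flatten | unique %}
  - id: acl-update-{{ remote }}
    action: update
    key: {{ hostvars[remote].knot_tsig_key.name }}
{% endfor %}

#
# MASTER ZONES
#

# KSK submission checks for every zone this host signs: zones it is a
# master of, plus zones it is a replica of when sign_on_secondary is set.
submission:
{% for zone in zones %}
{% if inventory_hostname in zone.masters or (inventory_hostname in zone.replicas and zone.sign_on_secondary | default(false)) %}
  - id: submission-{{ zone.name }}
    check-interval: {{ knot_dnssec_submission_check_interval }}
    timeout: {{ knot_dnssec_submission_timeout }}
{% if zone.parents is defined and zone.parents | length > 0 %}
    # one remote per parent, written as a knot list
    parent: [{% for parent in zone.parents %}remote-{{ parent }}{% if not loop.last %}, {% endif %}{% endfor %}]
{% endif %}
{% endif %}
{% endfor %}

# Signing policy per signed zone; per-zone values fall back to the
# knot_dnssec_policy_* role defaults. Boolean items are normalised to
# on/off so a YAML boolean in the vars does not render as Python's "True".
policy:
{% for zone in zones %}
{% if inventory_hostname in zone.masters or (inventory_hostname in zone.replicas and zone.sign_on_secondary | default(false)) %}
  - id: dnssec-{{ zone.name }}
    algorithm: {{ zone.algorithm | default(knot_dnssec_policy_algorithm) }}
    nsec3: {{ knot_dnssec_policy_nsec3 | bool | ternary('on', 'off') }}
    ksk-size: {{ zone.ksk_size | default(knot_dnssec_policy_ksk_size) }}
    zsk-size: {{ zone.zsk_size | default(knot_dnssec_policy_zsk_size) }}
    zsk-lifetime: {{ zone.zsk_lifetime | default(knot_dnssec_policy_zsk_lifetime) }}
    ksk-lifetime: {{ zone.ksk_lifetime | default(knot_dnssec_policy_ksk_lifetime) }}
    ksk-submission: submission-{{ zone.name }}
    ksk-shared: {{ knot_dnssec_policy_ksk_shared | bool | ternary('on', 'off') }}
    propagation-delay: {{ zone.propagation_delay | default(knot_dnssec_policy_propagation_delay) }}
    cds-cdnskey-publish: {{ zone.cds_cdnskey_publish | default(knot_dnssec_policy_cds_publish) }}
{% endif %}
{% endfor %}

# Zones this host is a master of: transfers are allowed to each replica
# (and updates from each updater) through the ACLs above, and every
# replica is notified on change.
zone:
{% for zone in zones %}
{% if inventory_hostname in zone.masters %}
  - domain: {{ zone.name }}
    storage: {{ knot_zone_master_storage_path }}
    semantic-checks: {{ knot_zone_semantic_checks }}
    serial-policy: unixtime
    zonefile-load: difference
    zonefile-sync: -1
    journal-content: changes
    dnssec-signing: {{ knot_zone_dnssec_signing | bool | ternary('on', 'off') }}
    dnssec-policy: dnssec-{{ zone.name }}
{% for replica in zone.replicas %}
    acl: acl-xfr-{{ replica }}
{% endfor %}
{% if 'updaters' in zone %}
{% for updater in zone.updaters %}
    acl: acl-update-{{ updater }}
{% endfor %}
{% endif %}
{% for replica in zone.replicas %}
    notify: remote-{{ replica }}
{% endfor %}
{% endif %}
{% endfor %}

#
# REPLICA ZONES
#

{# NOTE(review): this opens a second "zone:" section; the deployment
   evidently relies on knot merging repeated sections, but a single
   section would be unambiguous -- confirm against knot.conf(5). #}
# Zones this host is a replica of: NOTIFY is accepted from each master
# through acl-notify-*, and the zone is pulled from each master's remote.
zone:
{% for zone in zones %}
{% if inventory_hostname in zone.replicas %}
  - domain: {{ zone.name }}
    storage: {{ knot_zone_replica_storage_path }}
    serial-policy: unixtime
{% for master in zone.masters %}
    acl: acl-notify-{{ master }}
{% endfor %}
{% for master in zone.masters %}
    master: remote-{{ master }}
{% endfor %}
{% if zone.sign_on_secondary | default(false) %}
    dnssec-signing: {{ knot_zone_dnssec_signing | bool | ternary('on', 'off') }}
    dnssec-policy: dnssec-{{ zone.name }}
{% endif %}
{% endif %}
{% endfor %}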