ansible-collection-nameserver/roles/knot/meta/argument_specs.yml
s3lph c7d1cde8c3
All checks were successful
Ansible Lint / build (push) Successful in 1m25s
Ansible Galaxy / deploy (push) Successful in 1m57s
feat: add knot_dnssec_policy_nsec3_salt_length to argument_specs.yml
2024-06-05 01:19:06 +02:00

365 lines
15 KiB
YAML

---
argument_specs:
main:
version_added: "0.0.1"
short_description: Install and configure Knot.
description:
- Install and configure the L(Knot,https://knot.readthedocs.io/en/latest/index.html) authoritative namesever.
- Zones are configured through YAML hostvars, rather than simply deploying zone files.
- "Execution of this role can be limited using the following tags:"
- "C(role::knot:install): Install knot from distribution packages or upstream repositories."
- "C(role::knot:config): Render the Knot configuration file."
- "C(role::knot:zones): Render the zone files for which Knot is authoritative."
- "C(role::knot): Apply all of the above."
author: s3lph
options:
knot_repository_install:
description:
- If true, install knot from the L(upstream repositories,https://deb.knot-dns.cz/knot/).
- If false, install knot from the default system repositories.
type: bool
default: false
knot_repository_url:
description: URL of the upstream repository.
type: str
default: https://deb.knot-dns.cz/knot/
knot_repository_distribution:
description:
- Suite name (distribution codename) of the upstream repository.
- Defaults to the value of C(ansible_facts.distribution_release).
type: str
knot_server_rundir:
description: Runtime directory where Knot should e.g. write its control socket to.
type: str
default: /run/knot
knot_server_user:
description: The user to run knot as.
type: str
default: knot
knot_server_group:
description: The group to run knot as.
type: str
default: knot
knot_server_identity:
description:
- Response to a C(id.server. CH TXT) or C(hostname.bind. CH TXT) query.
- Set to an empty value to disable.
- Defaults to C(ansible_facts.hostname).
type: str
knot_server_nsid:
description:
- The RFC 5001 NSID to include in responses when requested by the resolver.
- Set to an empty value to disable.
- Defaults to C(ansible_facts.hostname).
type: str
knot_server_version:
description:
- Response to a C(version.server. CH TXT) or C(version.bind. CH TXT) query.
- Set to an empty value to disable.
- Defaults to C(ansible_facts.hostname).
type: str
knot_server_listen:
description:
- The list of interfaces to listen on.
- Host and port are separated with an C(@) sign.
type: list
elements: str
default: ["::@53", "0.0.0.0@53"]
knot_dns_addresses:
description:
- Addresses under which the nameserver is reachable externally.
- Used for zone replication and notification and for KSK submission checks.
- Required to be set for all members of a replicated setup.
type: list
elements: str
default: []
knot_log_targets:
description:
- Logging configuration of Knot.
- Every entry is a dict consisting of at least a C(target) key.
- >-
Details on logging configuration can be found in the
U(upstream documentation,https://knot.readthedocs.io/en/latest/reference.html#log-section)
type: list
elements: dict
default:
- target: syslog
level: info
knot_zone_master_storage_path:
description: Location from where Knot should read zonefiles for which it is the primary server.
type: str
default: /var/lib/knot/master
knot_zone_replica_storage_path:
description: Location where Knot should store replicated zonefiles.
type: str
default: /var/lib/knot/replica
knot_zone_semantic_checks:
description: If set to C(on), Knot will perform additional zonefile checks.
type: str
default: 'on'
knot_zone_dnssec_signing:
description:
- If set to C(on), Knot will automatically configure DNSSEC zone signing.
- If set to C(off), Knot will not sign zones automatically.
type: str
default: 'on'
knot_dnssec_policy_algorithm:
description: The DNSSEC signing algorithm to use.
type: str
default: ed25519
knot_dnssec_policy_nsec3:
description:
- If set to C(on), C(NSEC3) is used instead of C(NSEC).
- If set to C(off), C(NSEC) is used, which allows full zone enumeration.
type: str
default: 'on'
knot_dnssec_policy_nsec3_salt_length:
description:
- Length of the NSEC3 salt field.
- >-
Use of a NSEC3 salt is discouraged by
U(RFC 9276,https://datatracker.ietf.org/doc/html/rfc9276#section-3.1).
type: int
default: 0
knot_dnssec_policy_ksk_size:
description:
- Size (in bits) of the KSK.
- >-
Permitted values in combination with O(knot_dnssec_policy_algorithm) are documented in the
U(upstream documentation,https://knot.readthedocs.io/en/latest/reference.html#ksk-size).
type: int
default: 256
knot_dnssec_policy_zsk_size:
description:
- Size (in bits) of the KSK.
- >-
Permitted values in combination with O(knot_dnssec_policy_algorithm) are documented in the
U(upstream documentation,https://knot.readthedocs.io/en/latest/reference.html#ksk-size).
type: int
default: 256
knot_dnssec_policy_zsk_lifetime:
description: Time after which the ZSK should be rotated automatically.
type: str
default: 30d
knot_dnssec_policy_ksk_lifetime:
description: Time after which the KSK should be rotated automatically.
type: str
default: "0"
knot_dnssec_policy_cds_publish:
description:
- If and when to publish C(CDS) and C(CDNSKEY) records.
- >-
Supported values and their meaning are documented in the
U(upstream documentation,https://knot.readthedocs.io/en/latest/reference.html#cds-cdnskey-publish)
- Do not use the C(double-ds) policy when performing automated KSK rollovers. It will break the chain of trust.
type: str
default: 'always'
knot_dnssec_policy_propagation_delay:
description: Additional time to wait before continuing with each step of a key rollover.
type: str
default: 1h
knot_dnssec_submission_check_interval:
description: How often during a KSK rollover Knot should check submission nameservers for the new DS RRSet.
type: str
default: 1h
knot_dnssec_submission_timeout:
description:
- >-
Time after which a KSK submission to the parent nameserver should automatically be considered successful,
even if the new DS RRSet has not been found on the submussion nameserver.
type: str
default: "0"
knot_tsig_key:
description:
- The TSIG key used by this host for zone transfers or updates.
- >-
This shared key will be configured automatically for all zones involving this host in
O(replicas) or O(updaters).
type: dict
default: null
options:
name:
description:
- The name of the key.
- Should be a FQDN including the trailing C(.), e.g. C(tsig.hostname.example.org.).
type: str
required: true
algorithm:
description: The key algorithm, e.g. C(hmac-sha384).
type: str
required: true
secret:
description:
- The shared secret of this key.
- Generate a new key with e.g. C(keymgr -t tsig.foo.example.org. hmac-sha384).
- This is a secret. Protect it e.g. with C(ansible-vault)!
type: str
required: true
knot_zone_*:
description:
- Zone configurations, one top-level dict per zone.
- >-
Recomendation: You can use an arbitrary string after C(knot_zone_), but we recommend to use the zone name
with C(.) replaced by (_).
- "Recommendation: Keep one file per zone in C(group_vars/nameservers/zones/zone_<zonename>.yml)."
type: dict
required: false
options:
name:
description: Fully qualified name of the zone, including the trailing C(.).
type: str
required: true
soa:
description: Contains the values required to synthesize the C(SOA) record of the zone apex.
type: dict
required: true
options:
class:
description: Class for the records in this zone, usually C(IN).
type: str
required: true
primary:
description:
- FQDN of the autoritative nameserver of the zone.
- Also known as C(MNAME).
type: str
required: true
rname:
description:
- Email address of the administrator.
- The C(@) must be replaced with a C(.).
- C(.) in the localpart must be escaled as C(\.).
type: str
required: true
refresh:
description:
- How often (in seconds) replicas should query the primary for SOA changes.
type: int
required: true
retry:
description:
- How long (in seconds) replicas should wait to retry a failed zone transfer.
type: int
required: true
expire:
description:
- How long after the last update (in seconds) replicas should stop serving a zone.
type: int
required: true
ttl:
description:
- Default TTL (in seconds) for all entries in the zone, and TTL of the SOA record.
type: int
required: true
min_ttl:
description:
- TTL (in seconds) of negative responses.
type: int
required: true
records:
description:
- All the records in this zone go here.
type: list
elements: dict
options:
name:
description:
- Name of the record.
- Records without a trailing C(.) are relative to the zone apex.
- Use C(@) to refer to the zone apex itself.
type: str
required: true
ttl:
description:
- TTL of this record.
- If omitted, defaults to the zone TTL set in the O(soa) section.
type: int
class:
description:
- Class of this record.
- If omitted, defaults to the class set in the O(soa) section.
type: str
type:
description: Type of the record, e.g. C(AAAA), C(A) or C(CNAME).
type: str
required: true
value:
description:
- Value of the record.
- >-
Length restrictions for TXT records apply. Subdivide them with single-quoted double quotes
e.g. C('"first part of the txt record " "second part of the txt record"')
type: str
required: true
masters:
description:
- Hostnames of servers which should act as a primary for this zone.
- Zonefile will be deployed to hosts whose C(inventory_hostname) is contained in this list.
type: list
default: []
replicas:
description:
- Hostnames of servers which should at as a replica for this zone.
- >-
Hosts whose C(inventory_hostname) is contained in this list are automatically configured
to replicate this zone.
updaters:
description:
- Hostnames of servers which should be permitted to submit TSIG zone updates for this zone.
- >-
The O(knot_tsig_key)s of hosts whose C(inventory_hostname) is contained in this list are configured as
permitted TSIG updaters for this zone.
- The inventory entry for this host can be a dummy. Its hostvars are only used to fetch the key.
parents:
description:
- Hostnames of servers which should be checked for KSK submissions.
- >-
The O(knot_dns_addresses) of hosts whose C(inventory_hostname) is contained in this list are configured
as KSK submission servers, which are regularly checked to verify the upstream DS RRSet.
- The inventory entry for this host can be a dummy. Its hostvars are only used to hold its IPs.
algorithm:
description: Zone-specific override for O(knot_dnssec_policy_algorithm).
type: str
ksk_size:
description: Zone-specific override for O(knot_dnssec_policy_ksk_size).
type: str
zsk_size:
description: Zone-specific override for O(knot_dnssec_policy_zsk_size).
type: str
ksk_lifetime:
description: Zone-specific override for O(knot_dnssec_policy_ksk_lifetime).
type: str
zsk_lifetime:
description: Zone-specific override for O(knot_dnssec_policy_zsk_lifetime).
type: str
propagation_delay:
description: Zone-specific override for O(knot_dnssec_policy_propagation_delay).
type: str
cds_cdnskey_publish:
description: Zone-specific override for O(knot_dnssec_policy_cds_publish).
type: str
sign_on_secondary:
description:
- Whether Knot should sign this zone even if it is not the primary nameserver.
- Useful if Knot is used with a hidden primary that does not support DNSSEC.
type: bool
default: false
replicate:
description:
- >-
Note: This option is used for more complex replication hierarchies. Chances are you want to use
O(replicas) instead.
- Configure further replication to other nameservers even if the server is already a replica itself.
- This works in addition to the replication configured through O(masters)/O(replicas).
- Takes a dict where each upstream is mapped to a list of downstreams.
type: dict
default: {}