commit 44f08c186015463274c17e85aca9c8469defa422 Author: Gaël Berthaud-Müller Date: Fri Jul 30 11:15:36 2021 +0200 init config diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml new file mode 100644 index 0000000..61f83e2 --- /dev/null +++ b/.gitlab-ci.yml @@ -0,0 +1,17 @@ +image: ansible/ansible-runner + +before_script: + # from https://docs.gitlab.com/ee/ci/ssh_keys/ + - eval $(ssh-agent -s) + - echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add - + - mkdir -p /root/.ssh + - chmod 700 /root/.ssh + - echo "$SSH_KNOWN_HOSTS" >> /root/.ssh/known_hosts + - chmod 644 /root/.ssh/known_hosts + +deploy: + script: + # TODO: build image with dependencies installed + - ansible-galaxy collection install ansible.netcommon + - pip3 install netaddr + - ansible-playbook -i config/hosts config/deploy.yml diff --git a/deploy.yml b/deploy.yml new file mode 100644 index 0000000..f25767c --- /dev/null +++ b/deploy.yml @@ -0,0 +1,4 @@ +--- +- hosts: all + roles: + - knot diff --git a/group_vars/all b/group_vars/all new file mode 100644 index 0000000..5f5a5ce --- /dev/null +++ b/group_vars/all @@ -0,0 +1,4 @@ +--- +catalog_zones: + - "dns-witch-catalog" +key_name: dnswitch diff --git a/hosts b/hosts new file mode 100644 index 0000000..a178558 --- /dev/null +++ b/hosts @@ -0,0 +1,5 @@ +[primary] +dev-ns1.vm ansible_user=roger + +[secondary] +dev-ns2.vm ansible_user=roger diff --git a/roles/knot/handlers/main.yml b/roles/knot/handlers/main.yml new file mode 100644 index 0000000..0418a36 --- /dev/null +++ b/roles/knot/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: reload knot + become: yes + command: + cmd: knotc reload diff --git a/roles/knot/tasks/main.yml b/roles/knot/tasks/main.yml new file mode 100644 index 0000000..e07d3bd --- /dev/null +++ b/roles/knot/tasks/main.yml 
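Review bot: The `deploy` job carries no `rules`/`only` restriction, so the pipeline loads `$SSH_PRIVATE_KEY` into ssh-agent in `before_script` and runs `ansible-playbook` against the name servers for every push on every branch and merge request, letting anyone who can push a branch trigger a deploy or `echo` the variable out of the job. Gate it on the default branch, e.g. `rules: - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH`, and mark `SSH_PRIVATE_KEY`/`SSH_KNOWN_HOSTS` as protected (and masked or file-type) variables so unprotected branches never receive them. `image: ansible/ansible-runner`, `ansible-galaxy collection install ansible.netcommon` and `pip3 install netaddr` are all unpinned and fetched at job time, so a changed or compromised upstream release lands directly in a deploy; pin the image to a tag or digest and the collection and package to exact versions (the TODO to bake them into an image would address this too). The playbook is invoked as `ansible-playbook -i config/hosts config/deploy.yml`, but this commit adds `hosts` and `deploy.yml` at the repository root, so unless the repository is checked out under `config/` the job will not find them.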
@@ -0,0 +1,39 @@ +--- +- name: Install knot + become: yes + apt: + update_cache: yes + pkg: + - knot + - knot-dnsutils + +- name: Start knot + become: yes + service: + name: knot + state: started + enabled: yes + +- name: Generate tsig + become: yes + become_user: knot + ansible.builtin.shell: keymgr -t {{ key_name }} > /etc/knot/{{ key_name }}.key + args: + creates: /etc/knot/{{ key_name }}.key + when: "inventory_hostname in groups.primary" + +- name: Fetch key + become: yes + become_user: knot + ansible.builtin.slurp: + src: /etc/knot/{{ key_name }}.key + register: tsig_key + when: "inventory_hostname in groups.primary" + +- name: Deploy conf + become: yes + become_user: knot + template: + src: knot.conf.j2 + dest: /etc/knot/knot.conf + notify: reload knot diff --git a/roles/knot/templates/knot.conf.j2 b/roles/knot/templates/knot.conf.j2 new file mode 100644 index 0000000..576ca3c --- /dev/null +++ b/roles/knot/templates/knot.conf.j2 
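Review bot: Both secret-bearing files this role writes take whatever mode the default umask yields: `Generate tsig` creates `/etc/knot/{{ key_name }}.key` through a shell redirect, and `Deploy conf` renders `knot.conf` — which embeds the TSIG secret through the template — with no `mode`, so under a typical 022 umask both end up world-readable to every local account. Run the key generation under `umask 077` and give the template `mode: "0640"`; `validate: knotc -c %s conf-check` additionally keeps a broken render from replacing the live config before the `reload knot` handler fires (assuming the packaged knotc supports `conf-check`, which current releases do). `Fetch key` registers the raw key material in `tsig_key`, which Ansible prints in verbose runs and in failure output, and this playbook runs in GitLab CI where job logs are retained — add `no_log: true` to that task. `become: yes`, `update_cache: yes` and `enabled: yes` are YAML 1.1 truthy spellings; `true` is the yamllint-clean form.
```yaml
- name: Generate tsig
  become: true
  become_user: knot
  # umask 077 so the redirect creates the key 0600 instead of umask-default 0644
  ansible.builtin.shell: umask 077 && keymgr -t {{ key_name }} > /etc/knot/{{ key_name }}.key
  args:
    creates: /etc/knot/{{ key_name }}.key
  when: "inventory_hostname in groups.primary"

- name: Fetch key
  become: true
  become_user: knot
  ansible.builtin.slurp:
    src: /etc/knot/{{ key_name }}.key
  register: tsig_key
  # keep the TSIG secret out of CI job logs
  no_log: true
  when: "inventory_hostname in groups.primary"

- name: Deploy conf
  become: true
  become_user: knot
  template:
    src: knot.conf.j2
    dest: /etc/knot/knot.conf
    # knot.conf embeds the TSIG secret; do not leave it world-readable
    mode: "0640"
    validate: knotc -c %s conf-check
  notify: reload knot
```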
@@ -0,0 +1,53 @@ +server: + rundir: "/run/knot" + user: knot:knot + listen: [ 0.0.0.0@53, ::@53 ] + +log: + - target: syslog + any: info + +{{ tsig_key.content | b64decode }} + +remote: +{% for host in groups.all %} + - id: {{ hostvars[host].ansible_hostname }} + address: [ {{ ( hostvars[host].ansible_all_ipv4_addresses + hostvars[host].ansible_all_ipv6_addresses ) | ansible.netcommon.ipaddr('public') | join(', ') }} ] + key: {{ key_name }} +{% endfor %} + +acl: +{% for host in groups.all %} + - id: {{ hostvars[host].ansible_hostname }} + address: [ {{ ( hostvars[host].ansible_all_ipv4_addresses + hostvars[host].ansible_all_ipv6_addresses ) | ansible.netcommon.ipaddr('public') | join(', ') }} ] + action: {% if host in groups.secondary %} transfer {% elif host in groups.primary %} notify {% endif %} + +{% endfor %} + +template: + - id: default + storage: "/var/lib/knot" + file: "zones/%s.zone" + +{% if inventory_hostname in groups.primary %} + zonefile-load: difference-no-serial + journal-content: all + dnssec-signing: on + dnssec-policy: default + notify: [ {{ groups.secondary | map('extract', hostvars) | map(attribute='ansible_hostname') | join(', ') }} ] + acl: [ {{ groups.secondary | map('extract', hostvars) | map(attribute='ansible_hostname') | join(', ') }} ] +{% endif %} + +{% if inventory_hostname in groups.secondary %} + master: [ {{ groups.primary | map('extract', hostvars) | map(attribute='ansible_hostname') | join(', ') }} ] + acl: [ {{ groups.primary | map('extract', hostvars) | map(attribute='ansible_hostname') | join(', ') }} ] +{% endif %} + +zone: +{% for zone in catalog_zones %} + - domain: dns-witch-catalog + file: "catalog-zones/%s.zone" + catalog-role: interpret + catalog-template: "default" + dnssec-signing: off +{% endfor %}
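Review bot: The `acl` entries authorize `transfer` and `notify` by source address only — they carry no `key: {{ key_name }}` — so the TSIG key the tasks generate and distribute is used to sign outgoing requests via `remote` but is never required of incoming ones, leaving zone transfers and notifies gated purely on IP. That gate is also weaker than it looks: `address:` is built from `ipaddr('public')`, so on hosts with only private addresses (as `dev-ns*.vm` suggests) the list renders empty, and as far as I recall Knot's acl semantics an empty `address` means "address match not required" — confirm against the deployed version, because it would leave transfer/notify open to any source. Add `key: {{ key_name }}` to each `acl` entry and consider listing all addresses rather than only public ones. `{{ tsig_key.content | b64decode }}` is rendered on every host, but `tsig_key` is only registered on primaries (`when` in the tasks), so on secondaries the attribute is undefined and the template fails; read it from the primary, e.g. `{{ hostvars[groups.primary[0]].tsig_key.content | b64decode }}`. The `zone:` loop hardcodes `domain: dns-witch-catalog` instead of `domain: {{ zone }}`, so every entry in `catalog_zones` renders the same zone and a second catalog would produce a duplicate.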