dns-witch/config-nameservers
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

init config

Browse source
This commit is contained in:
Hannaeko 2021-07-30 11:15:36 +02:00
commit 44f08c1860
7 changed files with 127 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
.gitlab-ci.yml Normal file
View file

@ -0,0 +1,17 @@
image: ansible/ansible-runner
before_script:
# from https://docs.gitlab.com/ee/ci/ssh_keys/
- eval $(ssh-agent -s)
- echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add -
- mkdir -p /root/.ssh
- chmod 700 /root/.ssh
- echo "$SSH_KNOWN_HOSTS" >> /root/.ssh/known_hosts
- chmod 644 /root/.ssh/known_hosts
deploy:
script:
# TODO: build image with dependencies installed
- ansible-galaxy collection install ansible.netcommon
- pip3 install netaddr
- ansible-playbook -i config/hosts config/deploy.yml

4
deploy.yml Normal file
View file

@ -0,0 +1,4 @@
---
- hosts: all
roles:
- knot

4
group_vars/all Normal file
View file

@ -0,0 +1,4 @@
---
catalog_zones:
- "dns-witch-catalog"
key_name: dnswitch

5
hosts Normal file
View file

@ -0,0 +1,5 @@
[primary]
dev-ns1.vm ansible_user=roger
[secondary]
dev-ns2.vm ansible_user=roger

5
roles/knot/handlers/main.yml Normal file
View file

@ -0,0 +1,5 @@
---
- name: reload knot
become: yes
command:
cmd: knotc reload

39
roles/knot/tasks/main.yml Normal file
View file

@ -0,0 +1,39 @@
---
- name: Install knot
become: yes
apt:
update_cache: yes
pkg:
- knot
- knot-dnsutils
- name: Start knot
become: yes
service:
name: knot
state: started
enabled: yes
- name: Generate tsig
become: yes
become_user: knot
ansible.builtin.shell: keymgr -t {{ key_name }} > /etc/knot/{{ key_name }}.key
args:
creates: /etc/knot/{{ key_name }}.key
when: "inventory_hostname in groups.primary"
- name: Fetch key
become: yes
become_user: knot
ansible.builtin.slurp:
src: /etc/knot/{{ key_name }}.key
register: tsig_key
when: "inventory_hostname in groups.primary"
- name: Deploy conf
become: yes
become_user: knot
template:
src: knot.conf.j2
dest: /etc/knot/knot.conf
notify: reload knot

53
roles/knot/templates/knot.conf.j2 Normal file
View file

@ -0,0 +1,53 @@
server:
rundir: "/run/knot"
user: knot:knot
listen: [ 0.0.0.0@53, ::@53 ]
log:
- target: syslog
any: info
{{ tsig_key.content | b64decode }}
remote:
{% for host in groups.all %}
- id: {{ hostvars[host].ansible_hostname }}
address: [ {{ ( hostvars[host].ansible_all_ipv4_addresses + hostvars[host].ansible_all_ipv6_addresses ) | ansible.netcommon.ipaddr('public') | join(', ') }} ]
key: {{ key_name }}
{% endfor %}
acl:
{% for host in groups.all %}
- id: {{ hostvars[host].ansible_hostname }}
address: [ {{ ( hostvars[host].ansible_all_ipv4_addresses + hostvars[host].ansible_all_ipv6_addresses ) | ansible.netcommon.ipaddr('public') | join(', ') }} ]
action: {% if host in groups.secondary %} transfer {% elif host in groups.primary %} notify {% endif %}
{% endfor %}
template:
- id: default
storage: "/var/lib/knot"
file: "zones/%s.zone"
{% if inventory_hostname in groups.primary %}
zonefile-load: difference-no-serial
journal-content: all
dnssec-signing: on
dnssec-policy: default
notify: [ {{ groups.secondary | map('extract', hostvars) | map(attribute='ansible_hostname') | join(', ') }} ]
acl: [ {{ groups.secondary | map('extract', hostvars) | map(attribute='ansible_hostname') | join(', ') }} ]
{% endif %}
{% if inventory_hostname in groups.secondary %}
master: [ {{ groups.primary | map('extract', hostvars) | map(attribute='ansible_hostname') | join(', ') }} ]
acl: [ {{ groups.primary | map('extract', hostvars) | map(attribute='ansible_hostname') | join(', ') }} ]
{% endif %}
zone:
{% for zone in catalog_zones %}
- domain: dns-witch-catalog
file: "catalog-zones/%s.zone"
catalog-role: interpret
catalog-template: "default"
dnssec-signing: off
{% endfor %}