diff --git a/README.md b/README.md index 11defb0..95dba12 100644 --- a/README.md +++ b/README.md @@ -2,3 +2,7 @@ A DNS zone management service to make accessible the [.eu.org](https://nic.eu.org) domain names to everyone. +# Deployment + +Deploy the configuration using `ansible-playbook -i config/host config/deploy.yml` + diff --git a/config/deploy.yml b/config/deploy.yml new file mode 100644 index 0000000..8359ca5 --- /dev/null +++ b/config/deploy.yml @@ -0,0 +1,5 @@ +--- +- hosts: all + roles: + - common + - knot diff --git a/config/group_vars/all b/config/group_vars/all new file mode 100644 index 0000000..3e202d7 --- /dev/null +++ b/config/group_vars/all @@ -0,0 +1,3 @@ +--- +zones_dir: "{{ lookup('env', 'ZONE_DIR') | default('../zones', True) }}" +zones: "{{ lookup('fileglob', zones_dir + '/*.zone', wantlist=True)}}" diff --git a/config/hosts b/config/hosts new file mode 100644 index 0000000..ffbd67c --- /dev/null +++ b/config/hosts @@ -0,0 +1,5 @@ +[primary] +163.172.129.205 ansible_user=root + +[secondary] +51.158.108.60 ansible_user=root diff --git a/config/roles/common/tasks/main.yml b/config/roles/common/tasks/main.yml new file mode 100644 index 0000000..82969de --- /dev/null +++ b/config/roles/common/tasks/main.yml @@ -0,0 +1,5 @@ +--- +- name: Install common packages + apt: + pkg: + - git diff --git a/config/roles/knot/handlers/main.yml b/config/roles/knot/handlers/main.yml new file mode 100644 index 0000000..7458d5c --- /dev/null +++ b/config/roles/knot/handlers/main.yml @@ -0,0 +1,4 @@ +--- +- name: reload knot + ansible.builtin.command: + cmd: knotc reload diff --git a/config/roles/knot/tasks/main.yml b/config/roles/knot/tasks/main.yml new file mode 100644 index 0000000..772fd8b --- /dev/null +++ b/config/roles/knot/tasks/main.yml @@ -0,0 +1,27 @@ +--- +- name: Install knot + apt: + pkg: + - knot + - knot-dnsutils + +- name: Update zones + ansible.builtin.copy: + src: '{{ zones_dir }}' + dest: /var/lib/knot/zones + owner: knot + group: knot + mode: '0644' + notify: reload knot + +- name: + template: + src: knot.conf.j2 + dest: /etc/knot/knot.conf + notify: reload knot + +- name: Start knot + service: + name: knot + state: started + enabled: yes diff --git a/config/roles/knot/templates/knot.conf.j2 b/config/roles/knot/templates/knot.conf.j2 new file mode 100644 index 0000000..b877fd8 --- /dev/null +++ b/config/roles/knot/templates/knot.conf.j2 @@ -0,0 +1,45 @@ +server: + rundir: "/run/knot" + user: knot:knot + listen: [ 0.0.0.0@53, ::@53 ] + +log: + - target: syslog + any: info + +remote: +{% for host in groups.all %} + - id: {{ hostvars[host].ansible_hostname }} + address: [ {{ ( hostvars[host].ansible_all_ipv4_addresses + hostvars[host].ansible_all_ipv6_addresses ) | ansible.netcommon.ipaddr('public') | join(', ') }} ] +{% endfor %} + +acl: +{% for host in groups.all %} + - id: {{ hostvars[host].ansible_hostname }} + address: [ {{ ( hostvars[host].ansible_all_ipv4_addresses + hostvars[host].ansible_all_ipv6_addresses ) | ansible.netcommon.ipaddr('public') | join(', ') }} ] + action: {% if host in groups.secondary %} transfer {% elif host in groups.primary %} notify {% endif %} + +{% endfor %} + +template: + - id: default + storage: "/var/lib/knot" + file: "zones/%s.zone" + +{% if inventory_hostname in groups.primary %} + zonefile-load: difference-no-serial + dnssec-signing: on + dnssec-policy: default + notify: [ {{ groups.secondary | map('extract', hostvars) | map(attribute='ansible_hostname') | join(', ') }} ] + acl: [ {{ groups.secondary | map('extract', hostvars) | map(attribute='ansible_hostname') | join(', ') }} ] +{% endif %} + +{% if inventory_hostname in groups.secondary %} + master: [ {{ groups.primary | map('extract', hostvars) | map(attribute='ansible_hostname') | join(', ') }} ] + acl: [ {{ groups.primary | map('extract', hostvars) | map(attribute='ansible_hostname') | join(', ') }} ] +{% endif %} + +zone: +{% for zone in zones %} + - domain: {{ zone | basename | splitext | first }} +{% endfor %} diff --git a/knot.conf b/knot.conf deleted file mode 100644 index a78d1b2..0000000 --- a/knot.conf +++ /dev/null @@ -1,85 +0,0 @@ -# This is a sample of a minimal configuration file for Knot DNS. -# See knot.conf(5) or refer to the server documentation. - -server: - rundir: "/run/knot" - user: knot:knot - listen: [ 0.0.0.0@53, ::@53 ] - -log: - - target: syslog - any: info - -remote: -# - id: slave -# address: 192.168.1.1@53 -# -# - id: master -# address: 192.168.2.1@53 - - - id: secpb - address: [78.194.169.74, 2a01:e34:ec2a:94a0::4] - -acl: -# - id: acl_slave -# address: 192.168.1.1 -# action: transfer -# -# - id: acl_master -# address: 192.168.2.1 -# action: notify - - - id: secpb_acl - address: [78.194.169.74, 2a01:e34:ec2a:94a0::4] - action: transfer - -template: - - id: default - storage: "/var/lib/knot" - file: "%s.zone" - zonefile-load: difference-no-serial - dnssec-signing: on - dnssec-policy: default - notify: secpb - acl: secpb_acl - -zone: -# # Master zone -# - domain: example.com -# notify: slave -# acl: acl_slave - - domain: dns-witch.net.eu.org - - - domain: contesludiques.eu.org - - - domain: sumomo.net.eu.org - - - domain: jeuviodeo.fr.eu.org - - - domain: monkeygames.fr.eu.org - - - domain: blog.wehost.lgbt - - - domain: grimoire.eu.org - - - domain: snug.eu.org - - - domain: wicce.eu.org - - - domain: stryges.fr.eu.org - - - domain: familier.net.eu.org - - - domain: dns-witch.eu.org - - - domain: blackconstruct.eu.org - - - domain: soundsmag.eu.org - - - domain: mutu.fr.eu.org - - - domain: saimyx.eu.org -# # Slave zone -# - domain: example.net -# master: master -# acl: acl_master