as205079-automation/ansible/nameservers.yaml


---
# Baseline play for every nameserver; the PowerDNS primary/secondary plays
# below layer on top of it. Roles `base` and `anycast-dns` live outside this file.
- name: "Nameserver setup"
  hosts: nameservers
  become: true
  vars_files:
    # NOTE(review): with several vars_files the later file wins on duplicate
    # keys, so common.yaml would override the per-host file — confirm intended.
    - ./config/{{ inventory_hostname }}.yaml
    - ./config/common.yaml
  roles:
    - base
    - anycast-dns
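# PowerDNS authoritative primary: sqlite backend with DNSSEC, anycast listeners,
# HTTP API for nsedit/lego, AXFR + NOTIFY to the secondaries listed in axfr_ips.
- name: "PowerDNS master setup"
  hosts: ns-masters
  become: true
  vars_files:
    # NOTE(review): with several vars_files the later file wins on duplicate
    # keys, so common.yaml would override the per-host file — confirm intended.
    - ./config/{{ inventory_hostname }}.yaml
    - ./config/common.yaml
  vars:
    database_name: "/var/lib/powerdns/db.sqlite"
    pdns_backends:
      gsqlite3:
        database: "{{ database_name }}"
        dnssec: true
    pdns_sqlite_databases_locations:
      - "{{ database_name }}"
    # Consumed by the PowerDNS.pdns role (expected to render pdns.conf). Values
    # are deliberately quoted strings ("yes", "60") so they are written verbatim
    # instead of being retyped as YAML booleans/ints.
    pdns_config:
      # Zone-transfer ACL. IP-based only: no TSIG is configured in this play, so
      # any host that can source packets from these addresses can pull zones.
      allow-axfr-ips: "{{ axfr_ips }}"
      default-soa-content: "ns.as205079.net. hostmaster.as205079.net. 1 3600 600 604800 1800"
      version-string: "anonymous"
      primary: "yes"
      expand-alias: "yes"  # Allows CNAME-like behavior on apex
      # Required for expand-alias. ALIAS targets are looked up through this
      # external resolver over plain DNS and the answers are then served (and
      # DNSSEC-signed) by this server, so the resolver and the path to it are
      # trusted for every ALIAS record.
      resolver: "2606:4700:4700::1111,2606:4700:4700::1001"
      # Built-in webserver + HTTP API, required for nsedit (and lego).
      webserver: "yes"
      api: "yes"
      # Never commit the key in clear text: define pdns_api_key in an
      # Ansible-Vault-encrypted vars file (e.g. `ansible-vault encrypt_string`
      # in config/<host>.yaml) and fail the play loudly when it is missing.
      api-key: "{{ pdns_api_key | mandatory('pdns_api_key must be set in an ansible-vault encrypted vars file') }}"
      # The built-in webserver speaks plain HTTP: the API key crosses the
      # network in clear text to the lego/nsedit hosts, and webserver-allow-from
      # is the only access control. Keep the list minimal; a TLS reverse proxy
      # or tunnel in front of it is advisable.
      webserver-address: "{{ ipv6 }}"
      webserver-allow-from: "::1, {{ ipv6 }}, {{ lego_host_ipv6 }}, {{ nsedit_host_ipv6 }}"
      # Anycast: listen on the anycast addresses (when this host is a member)
      # plus the unique IPv6 address and all IPv4 addresses.
      local-address: "{% if pdns_anycast_member | default(true) %}{{ anycast_dns_ipv6 }}, {{ anycast_dns_secondary_ipv6 }}, {% endif %}{{ ipv6 }}, 0.0.0.0"
      # Source outgoing notifications/queries from the unique IP, so the
      # secondaries can ACL on a stable, non-anycast address.
      query-local-address: "{{ ipv6 }}"
      # Notify the secondaries' unique IPs (same list as the AXFR ACL).
      also-notify: "{{ axfr_ips }}"
      # DNSSEC related settings
      # https://www.sidn.nl/en/modern-internet-standards/dnssec-on-the-powerdns-authoritative-server
      # NOTE(review): /dev/random can block on kernels older than 5.6 and stall
      # signing; /dev/urandom is the usual choice — confirm the target kernel.
      entropy-source: "/dev/random"
  roles:
    # - { role: PowerDNS.pdns, pdns_install_repo: "{{ pdns_auth_powerdns_repo_50 }}" }
    - { role: PowerDNS.pdns }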
# PowerDNS authoritative secondary: same sqlite/DNSSEC/anycast layout as the
# primary, but it only accepts NOTIFY from the primary and pulls zones via AXFR.
- name: "PowerDNS slave setup"
  hosts: ns-slaves
  become: true
  vars_files:
    # NOTE(review): with several vars_files the later file wins on duplicate
    # keys, so common.yaml would override the per-host file — confirm intended.
    - ./config/{{ inventory_hostname }}.yaml
    - ./config/common.yaml
  vars:
    database_name: "/var/lib/powerdns/db.sqlite"
    pdns_backends:
      gsqlite3:
        database: "{{ database_name }}"
        dnssec: true
    pdns_sqlite_databases_locations:
      - "{{ database_name }}"
    # Consumed by the PowerDNS.pdns role (expected to render pdns.conf). Values
    # are deliberately quoted strings so they are written verbatim.
    pdns_config:
      version-string: "anonymous"
      secondary: "yes"
      # Auto-provision zones announced by the primary. The primary presumably
      # must also be registered as a supermaster in the backend for this to
      # create zones; allow-notify-from below bounds who can trigger it.
      autosecondary: "yes"
      # primary_ip is expected to be the primary's unique IPv6 — the address it
      # sets as query-local-address — not an anycast address.
      allow-notify-from: "{{ primary_ip }}"
      # NOTE(review): RFC 2136 updates are only processed when `dnsupdate` (or
      # `forward-dnsupdate`) is enabled, which this play does not set — confirm
      # this ACL is actually needed on a secondary.
      allow-dnsupdate-from: "{{ primary_ip }}"
      xfr-cycle-interval: "60"
      expand-alias: "yes"  # Allows CNAME-like behavior on apex
      # Required for expand-alias; ALIAS targets are resolved through this
      # external resolver over plain DNS, so it and the path to it are trusted.
      resolver: "2606:4700:4700::1111,2606:4700:4700::1001"
      # Anycast: listen on the anycast addresses (when this host is a member)
      # plus the unique IPv6 address and all IPv4 addresses.
      local-address: "{% if pdns_anycast_member | default(true) %}{{ anycast_dns_ipv6 }}, {{ anycast_dns_secondary_ipv6 }}, {% endif %}{{ ipv6 }}, 0.0.0.0"
      # Source outgoing queries (SOA checks, AXFR) from the unique IP so the
      # primary's allow-axfr-ips can match a stable address.
      query-local-address: "{{ ipv6 }}"
      # DNSSEC related settings
      # https://www.sidn.nl/en/modern-internet-standards/dnssec-on-the-powerdns-authoritative-server
      # NOTE(review): /dev/random can block on kernels older than 5.6;
      # /dev/urandom is the usual choice — confirm the target kernel.
      entropy-source: "/dev/random"
  roles:
    # - { role: PowerDNS.pdns, pdns_install_repo: "{{ pdns_auth_powerdns_repo_50 }}" }
    - { role: PowerDNS.pdns }