update configs

2025-01-16 13:37:02 +01:00 · 2025-01-16 13:37:02 +01:00 · 73f076721d
commit 73f076721d
parent b3383c95bd
5 changed files with 50 additions and 45 deletions
--- a/10_base_server_setup.yaml
+++ b/10_base_server_setup.yaml
@ -30,10 +30,16 @@
          - "git"
          - "tcpdump"
          - "dnsutils"
-          - "ufw"
          - "iputils-ping"
          - "ripgrep"

+    - name: "Install ufw"
+      ansible.builtin.apt:
+        state: present
+        name:
+          - "ufw"
+      when: ufw_status == "enabled"
+
    - name: "Make sure ntpd is not installed"
      ansible.builtin.apt:
        state: absent
@ -64,7 +70,9 @@
        rule: allow
        to_port: "{{ ssh_port }}"
        protocol: tcp
+      when: ufw_status == "enabled"

    - name: "Enable ufw"
      community.general.ufw:
        state: enabled
+      when: ufw_status == "enabled"
--- a/20_powerdns_setup.yaml
+++ b/20_powerdns_setup.yaml
@ -10,7 +10,10 @@
    pdns_sqlite_databases_locations:
      - "{{ database_name }}"
    pdns_config:
-      allow-axfr-ips: "192.168.2.143"
+      allow-axfr-ips: "{{ axfr_ips }}"
+      server-id: "ns1.m4n5.nl"
+      default-soa-content: "ns1.m4n5.nl. hostmaster.m4n5.nl. 1 3600 600 604800 1800"
+      version-string: "anonymous"
      primary: true
    pdns_auth_powerdns_repo_49:
      apt_repo_origin: "repo.powerdns.com"
@ -29,41 +32,11 @@
        rule: allow
        to_port: "53"
        protocol: udp
+      when: ufw_status == "enabled"

    - name: "Add AXFR/IXFR allow rule in ufw"
      community.general.ufw:
        rule: allow
        to_port: "53"
        protocol: tcp
-
-# - name: "PowerDNS setup"
-#   hosts: slave_nameservers
-#   become: true
-#   vars:
-#     database_name: "/var/lib/powerdns/db.sqlite"
-#     pdns_backends:
-#       gsqlite3:
-#         database: "{{ database_name }}"
-#     pdns_sqlite_databases_locations:
-#       - "{{ database_name }}"
-#     pdns_config:
-#       allow-axfr-ips: "192.168.2.143"
-#       primary: false
-#       secondary: true
-#     pdns_auth_powerdns_repo_49:
-#       apt_repo_origin: "repo.powerdns.com"
-#       apt_repo: "deb http://repo.powerdns.com/{{ ansible_distribution | lower }} {{ ansible_distribution_release | lower }}-auth-49 main"
-#       gpg_key: "http://repo.powerdns.com/FD380FBB-pub.asc"
-#       gpg_key_id: "9FAAA5577E8FCF62093D036C1B0C6205FD380FBB"
-#       yum_repo_baseurl: "http://repo.powerdns.com/centos/$basearch/$releasever/auth-49"
-#       yum_debug_symbols_repo_baseurl: "http://repo.powerdns.com/centos/$basearch/$releasever/auth-49/debug"
-#       name: "powerdns-auth-49"
-#   roles:
-#     - { role: PowerDNS.pdns,
-#         pdns_install_repo: "{{ pdns_auth_powerdns_repo_49 }}" }
-#   tasks:
-#     - name: "Add DNS allow rule in ufw"
-#       community.general.ufw:
-#         rule: allow
-#         to_port: "53"
-#         protocol: udp
+      when: ufw_status == "enabled"
--- a/30_knot_slave_setup.yaml
+++ b/30_knot_slave_setup.yaml
@ -3,10 +3,10 @@
  hosts: slave_nameservers
  become: true
  vars:
-    identity: "ns2.ziesel.internal"
-    nsid: "ns2"
-    master_ip_acl: "192.168.2.19"
-    version: "Mans's DNS"
+    identity: "{{ dns_nsid }}.m4n5.nl"
+    nsid: "{{ dns_nsid }}"
+    master_ip_acl: "86.94.191.237, 2a02:a442:ba11::1ebd, 2a02:a442:ba11::53"
+    version: "off"
    knot_user: knot
    knot_group: knot
    catalog_domain: "catalog.internal."
@ -52,9 +52,11 @@
        rule: allow
        to_port: "53"
        protocol: udp
+      when: ufw_status == "enabled"

    - name: "Add AXFR/IXFR allow rule in ufw"
      community.general.ufw:
        rule: allow
        to_port: "53"
        protocol: tcp
+      when: ufw_status == "enabled"
--- a/inventory.yaml
+++ b/inventory.yaml
@ -1,23 +1,45 @@
 all:
  hosts:
-    pi5:
+    pi5.internal.mziesel.nl:
      ansible_host: 192.168.2.19
      ansible_user: ansible
-      ansible_ssh_port: 2222
      ansible_ssh_private_key_file: ~/.ssh/ansible_id_ed25519
      ansible_python_interpreter: /usr/bin/python3
+      ansible_ssh_port: 2222
      ssh_port: 2222
-    knot-dns-test:
-      ansible_host: 192.168.2.143
+      ufw_status: enabled
+      dns_nsid: ns1
+    srv01.nur.mziesel.nl:
+      ansible_user: ansible
+      ansible_python_interpreter: /usr/bin/python3
+      ansible_ssh_private_key_file: ~/.ssh/ansible_id_ed25519
+      ufw_status: disabled
+      ssh_port: 22
+      dns_nsid: ns2
+    srv03.oci.mziesel.nl:
      ansible_user: ansible
      ansible_ssh_private_key_file: ~/.ssh/ansible_id_ed25519
      ansible_python_interpreter: /usr/bin/python3
+      ufw_status: disabled
      ssh_port: 22
+      dns_nsid: ns3
+    # auth-dns-slave.internal.mziesel.nl:
+    #   ansible_host: 192.168.2.143
+    #   ansible_user: ansible
+    #   ansible_python_interpreter: /usr/bin/python3
+    #   ufw_status: enabled
+    #   ssh_port: 22
+    #   dns_nsid: ns4
+  vars:
+    # nur01, oci03, internal-test
+    axfr_ips: "85.235.66.180, 2a03:4000:32:1ae:889d:dbff:fea1:9df7, 143.47.189.110, 2603:c022:c001:c601:7b56:9459:93ba:11b6"

  children:
    master_nameservers:
      hosts:
-        pi5:
+        pi5.internal.mziesel.nl:
    slave_nameservers:
      hosts:
-        knot-dns-test:
+        srv01.nur.mziesel.nl:
+        srv03.oci.mziesel.nl:
+        # auth-dns-slave.internal.mziesel.nl:
--- a/templates/knot.conf.j2
+++ b/templates/knot.conf.j2
@ -1,6 +1,6 @@
 server:
    identity: {{ identity }}
-    version: "{{ version }}"
+    version: off
    nsid: {{ nsid }}
    rundir: "/run/knot"
    user: {{ knot_user }}:{{ knot_group }}