working master slave with catalog zone, pdns master, knot slave
This commit is contained in:
parent
8283356a76
commit
b3383c95bd
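--- /dev/null
+++ b/10_base_server_setup.yaml
@@ -0,0 +1,70 @@
+---
+- name: "Basic debian bookworm server setup"
+  hosts: all
+  become: true
+
+  tasks:
+    - name: "Update Apt cache"
+      ansible.builtin.apt:
+        update_cache: true
+        cache_valid_time: 3600 # 1 Hour
+
+    - name: "Update everything"
+      ansible.builtin.apt:
+        name: "*"
+        state: latest
+
+    - name: "Install basic applications"
+      ansible.builtin.apt:
+        state: present
+        name:
+          - "apt-transport-https"
+          - "ca-certificates"
+          - "sysstat"
+          - "htop"
+          - "vim"
+          - "tmux"
+          - "net-tools"
+          - "curl"
+          - "wget"
+          - "git"
+          - "tcpdump"
+          - "dnsutils"
+          - "ufw"
+          - "iputils-ping"
+          - "ripgrep"
+
+    - name: "Make sure ntpd is not installed"
+      ansible.builtin.apt:
+        state: absent
+        name:
+          - ntp
+
+    - name: "Enable and start systemd-timesyncd"
+      ansible.builtin.systemd:
+        state: started
+        enabled: true
+        name: systemd-timesyncd
+
+    - name: "Ensure adminmz account is present"
+      ansible.builtin.user:
+        state: present
+        name: adminmz
+        groups:
+          - "sudo"
+
+    - name: "Set adminmz ssh key"
+      ansible.posix.authorized_key:
+        user: adminmz
+        state: present
+        key: https://git.mziesel.nl/mans.keys
+
+    - name: "Add ssh allow rule in ufw"
+      community.general.ufw:
+        rule: allow
+        to_port: "{{ ssh_port }}"
+        protocol: tcp
+
+    - name: "Enable ufw"
+      community.general.ufw:
+        state: enabled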
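Review bot: The `key: https://git.mziesel.nl/mans.keys` line in "Set adminmz ssh key" fetches the trusted public keys from a remote URL on every run, so whoever controls that endpoint (or can interpose on its TLS chain) controls SSH access to every host in `all`, and adminmz is in `sudo`, so that is root-equivalent. Keep the public key material in the repository and load it from there, e.g. `key: "{{ lookup('file', 'files/adminmz.pub') }}"`, so any change to the trusted keys shows up as a reviewable commit. The "Update everything" task (`name: "*"` with `state: latest`) also upgrades every package on each run, which makes the play non-idempotent and can restart services in the middle of a deploy; `ansible.builtin.apt` with `upgrade: safe` behind a tag would make that a deliberate step. The SSH allow rule has no `from_ip`, which is fine on a home LAN but worth restricting if these hosts are ever reachable from elsewhere.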
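--- /dev/null
+++ b/20_powerdns_setup.yaml
@@ -0,0 +1,69 @@
+---
+- name: "PowerDNS setup"
+  hosts: master_nameservers
+  become: true
+  vars:
+    database_name: "/var/lib/powerdns/db.sqlite"
+    pdns_backends:
+      gsqlite3:
+        database: "{{ database_name }}"
+    pdns_sqlite_databases_locations:
+      - "{{ database_name }}"
+    pdns_config:
+      allow-axfr-ips: "192.168.2.143"
+      primary: true
+    pdns_auth_powerdns_repo_49:
+      apt_repo_origin: "repo.powerdns.com"
+      apt_repo: "deb http://repo.powerdns.com/{{ ansible_distribution | lower }} {{ ansible_distribution_release | lower }}-auth-49 main"
+      gpg_key: "http://repo.powerdns.com/FD380FBB-pub.asc"
+      gpg_key_id: "9FAAA5577E8FCF62093D036C1B0C6205FD380FBB"
+      yum_repo_baseurl: "http://repo.powerdns.com/centos/$basearch/$releasever/auth-49"
+      yum_debug_symbols_repo_baseurl: "http://repo.powerdns.com/centos/$basearch/$releasever/auth-49/debug"
+      name: "powerdns-auth-49"
+  roles:
+    - { role: PowerDNS.pdns,
+        pdns_install_repo: "{{ pdns_auth_powerdns_repo_49 }}" }
+  tasks:
+    - name: "Add DNS allow rule in ufw"
+      community.general.ufw:
+        rule: allow
+        to_port: "53"
+        protocol: udp
+
+    - name: "Add AXFR/IXFR allow rule in ufw"
+      community.general.ufw:
+        rule: allow
+        to_port: "53"
+        protocol: tcp
+
+# - name: "PowerDNS setup"
+#   hosts: slave_nameservers
+#   become: true
+#   vars:
+#     database_name: "/var/lib/powerdns/db.sqlite"
+#     pdns_backends:
+#       gsqlite3:
+#         database: "{{ database_name }}"
+#     pdns_sqlite_databases_locations:
+#       - "{{ database_name }}"
+#     pdns_config:
+#       allow-axfr-ips: "192.168.2.143"
+#       primary: false
+#       secondary: true
+#     pdns_auth_powerdns_repo_49:
+#       apt_repo_origin: "repo.powerdns.com"
+#       apt_repo: "deb http://repo.powerdns.com/{{ ansible_distribution | lower }} {{ ansible_distribution_release | lower }}-auth-49 main"
+#       gpg_key: "http://repo.powerdns.com/FD380FBB-pub.asc"
+#       gpg_key_id: "9FAAA5577E8FCF62093D036C1B0C6205FD380FBB"
+#       yum_repo_baseurl: "http://repo.powerdns.com/centos/$basearch/$releasever/auth-49"
+#       yum_debug_symbols_repo_baseurl: "http://repo.powerdns.com/centos/$basearch/$releasever/auth-49/debug"
+#       name: "powerdns-auth-49"
+#   roles:
+#     - { role: PowerDNS.pdns,
+#         pdns_install_repo: "{{ pdns_auth_powerdns_repo_49 }}" }
+#   tasks:
+#     - name: "Add DNS allow rule in ufw"
+#       community.general.ufw:
+#         rule: allow
+#         to_port: "53"
+#         protocol: udp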
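Review bot: The "Add AXFR/IXFR allow rule in ufw" task opens TCP/53 to every source, so zone-transfer requests are filtered only by PowerDNS's `allow-axfr-ips`; adding `from_ip: "{{ hostvars['knot-dns-test'].ansible_host }}"` to that rule keeps the firewall and the application ACL consistent, and the same expression in `allow-axfr-ips` would define the secondary's address once in the inventory instead of hard-coding `192.168.2.143` here. The repository definition fetches both the apt repo and its signing key over plain `http://`; apt verifies package signatures afterwards, but the key bootstrap itself then rests only on `gpg_key_id` matching what the role downloaded, so switch to `https://` if the mirror serves it. The commented-out duplicate "PowerDNS setup" play for `slave_nameservers` at the end of the file is dead text superseded by 30_knot_slave_setup.yaml and should be removed rather than committed as comments.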
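--- /dev/null
+++ b/30_knot_slave_setup.yaml
@@ -0,0 +1,60 @@
+---
+- name: "Basic knot slave setup"
+  hosts: slave_nameservers
+  become: true
+  vars:
+    identity: "ns2.ziesel.internal"
+    nsid: "ns2"
+    master_ip_acl: "192.168.2.19"
+    version: "Mans's DNS"
+    knot_user: knot
+    knot_group: knot
+    catalog_domain: "catalog.internal."
+
+  handlers:
+    - name: "Reload knot service"
+      ansible.builtin.service:
+        name: "knot.service"
+        state: reloaded
+
+  tasks:
+    - name: "Add CZ.NIC Labs Packaging GPG key"
+      ansible.builtin.get_url:
+        url: "https://pkg.labs.nic.cz/gpg"
+        dest: "/usr/share/keyrings/cznic-labs-pkg.gpg"
+        mode: "0644"
+        owner: root
+        group: root
+
+    - name: "Setup knot-dns repository"
+      ansible.builtin.apt_repository:
+        repo: "deb [signed-by=/usr/share/keyrings/cznic-labs-pkg.gpg] https://pkg.labs.nic.cz/knot-dns {{ ansible_distribution_release }} main"
+        filename: "cznic-labs-knot-dns.list"
+
+    - name: "Install knot"
+      ansible.builtin.apt:
+        state: present
+        update_cache: true
+        name:
+          - "knot"
+
+    - name: "Create knot.conf"
+      ansible.builtin.template:
+        src: templates/knot.conf.j2
+        dest: /etc/knot/knot.conf
+        owner: root
+        group: knot
+        mode: "0644"
+      notify: "Reload knot service"
+
+    - name: "Add DNS allow rule in ufw"
+      community.general.ufw:
+        rule: allow
+        to_port: "53"
+        protocol: udp
+
+    - name: "Add AXFR/IXFR allow rule in ufw"
+      community.general.ufw:
+        rule: allow
+        to_port: "53"
+        protocol: tcp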
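Review bot: The "Add CZ.NIC Labs Packaging GPG key" `get_url` task writes whatever `https://pkg.labs.nic.cz/gpg` returns straight into `/usr/share/keyrings/` with no `checksum:`, so the trust root for every later `knot` package install is whatever that URL serves at run time; pinning it with `checksum: "sha256:<expected-digest>"` (digest to be filled in) makes a changed key fail the play instead of being silently trusted. `notify: "Reload knot service"` is a task keyword, not a `template` argument, so it belongs at the same level as `ansible.builtin.template:` rather than under `mode:` — this rendering drops indentation, so it may already be placed correctly. `master_ip_acl: "192.168.2.19"` repeats pi5's `ansible_host` from the inventory; `"{{ hostvars['pi5'].ansible_host }}"` would keep the two from drifting. The AXFR/IXFR ufw rule here has no `from_ip` either; a secondary normally only needs to accept NOTIFY from its primary on 53, so restricting that rule to `{{ master_ip_acl }}` is cheap hardening.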
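--- /dev/null
+++ b/inventory.yaml
@@ -0,0 +1,23 @@
+all:
+  hosts:
+    pi5:
+      ansible_host: 192.168.2.19
+      ansible_user: ansible
+      ansible_ssh_port: 2222
+      ansible_ssh_private_key_file: ~/.ssh/ansible_id_ed25519
+      ansible_python_interpreter: /usr/bin/python3
+      ssh_port: 2222
+    knot-dns-test:
+      ansible_host: 192.168.2.143
+      ansible_user: ansible
+      ansible_ssh_private_key_file: ~/.ssh/ansible_id_ed25519
+      ansible_python_interpreter: /usr/bin/python3
+      ssh_port: 22
+
+  children:
+    master_nameservers:
+      hosts:
+        pi5:
+    slave_nameservers:
+      hosts:
+        knot-dns-test: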
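Review bot: `ansible_ssh_port: 2222` on pi5 uses the legacy variable name; the current connection variable is `ansible_port`, and since `ssh_port: 2222` on the same host carries the same value, `ansible_port: "{{ ssh_port }}"` would remove the duplication (check that the Ansible version in use still honours `ansible_ssh_port` if it is kept). `knot-dns-test` sets no port, so it is reached on 22, which matches its `ssh_port: 22`; the base play opens only `{{ ssh_port }}` in ufw before enabling it, so these two values must stay in sync by hand or the play locks itself out. The `ansible_ssh_private_key_file` and `ansible_python_interpreter` lines are identical on both hosts and would sit better once under `all: vars:`.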
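--- /dev/null
+++ b/templates/knot.conf.j2
@@ -0,0 +1,36 @@
+server:
+    identity: {{ identity }}
+    version: "{{ version }}"
+    nsid: {{ nsid }}
+    rundir: "/run/knot"
+    user: {{ knot_user }}:{{ knot_group }}
+    automatic-acl: on
+    listen: [ 0.0.0.0@53, ::@53 ]
+
+log:
+  - target: syslog
+    any: info
+
+database:
+    storage: "/var/lib/knot"
+
+acl:
+  - id: notify_from_primary
+    address: [ {{ master_ip_acl }} ]
+    action: notify
+
+remote:
+  - id: primary
+    address: [ {{ master_ip_acl }} ]
+
+template:
+  - id: secondary_zones
+    master: primary
+    acl: notify_from_primary
+
+zone:
+  - domain: {{ catalog_domain }}
+    master: primary
+    acl: notify_from_primary
+    catalog-role: interpret
+    catalog-template: secondary_zones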
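Review bot: Trust between this secondary and its primary rests on source address alone: the `notify_from_primary` acl and the `primary` remote both match only on `{{ master_ip_acl }}` with no `key:`, so NOTIFY and the zone data pulled afterwards (including the catalog zone that decides which zones get provisioned) are accepted from whatever answers at that address. Both Knot and PowerDNS support TSIG, so add a `key:` section with an `id`, `algorithm: hmac-sha256` and a `secret:` supplied from an Ansible Vault variable, reference it with `key:` on both the remote and the acl, and configure the matching key on the PowerDNS side; once the template carries a secret, the `mode: "0644"` on `/etc/knot/knot.conf` in 30_knot_slave_setup.yaml needs tightening to `"0640"`. With `automatic-acl: on` already set, Knot can derive the NOTIFY acl from the remote's address and key, so the explicit acl may become redundant — confirm against the Knot documentation for the installed version. The variable name in the excerpt below is illustrative.
```jinja
key:
  - id: primary_tsig
    algorithm: hmac-sha256
    secret: "{{ knot_tsig_secret }}"  {# illustrative variable name; supply from Ansible Vault #}

acl:
  - id: notify_from_primary
    address: [ {{ master_ip_acl }} ]
    key: primary_tsig
    action: notify

remote:
  - id: primary
    address: [ {{ master_ip_acl }} ]
    key: primary_tsig
{# … unchanged: server, log, database, template and zone sections … #}
```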