diff --git a/firewall.yml b/firewall.yml index e398cad..24c9ae1 100644 --- a/firewall.yml +++ b/firewall.yml @@ -1,7 +1,7 @@ --- - name: Retrieve network info - hosts: all:!baybay-ponay.mateu.be:!machinbox.mateu.be:!muse-HP-EliteBook-820-G2.home.arpa + hosts: all:!disabled_server_conf:!machinbox.mateu.be gather_facts: true gather_subset: - network diff --git a/group_vars/nsdservers.yml b/group_vars/nsdservers.yml new file mode 100644 index 0000000..cc7cdb5 --- /dev/null +++ b/group_vars/nsdservers.yml @@ -0,0 +1,24 @@ +--- + +zones: + - name: giteu.be + parking: true + - name: libertus.eu + - name: mateu.be + - name: monder.ch + parking: true + - name: nintendojo.fr + - name: nintendojofr.com + parking: true + - name: nupes.social + parking: true + - name: pipoworld.fr + +tsig_key: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 34333338336531313232313563373263613731636432653236646333376137646563316565613634 + 6665663431626165343534633336633635333337623135610a393664343735323733393063366362 + 35343766636266316263343733373937626436626264636434363138643765656436643231353963 + 3966363066353538300a666139663039323163306430373335663332366230313463623462373633 + 66373062316665346665376539316331633635626336303037643165626462383638333261363036 + 3535326630636437316638383663356136363566653865316239 diff --git a/nsd.yml b/nsd.yml new file mode 100644 index 0000000..9829147 --- /dev/null +++ b/nsd.yml @@ -0,0 +1,7 @@ +--- + +- name: Deploy NSD + hosts: nsdservers + diff: true + roles: + - nsd diff --git a/production.yml b/production.yml index 4b906dc..5370041 100644 --- a/production.yml +++ b/production.yml @@ -75,6 +75,13 @@ resticservers: restic_backup_hour: 6 restic_backup_minute: 45 +nsdservers: + hosts: + nsd-master1.ext.mateu.be: + master: true + dns1.dmz.mateu.be: + natted_ipv4: 82.66.135.228 + garageservers: children: garage_prd_cluster: 
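Review bot: The per-host switch `master: true` under `nsdservers` is a bare, generic host variable that any other role, group_vars file or play can silently override or reuse, and the role only reaches it through `nsd_master: "{{ master | default(false) }}"` in its defaults. Prefer the role-prefixed name directly in inventory, `nsd_master: true`, and drop the indirection so the flag is greppable and cannot be shadowed. The `natted_ipv4` override on dns1.dmz is what makes the master advertise the public address in its notify/provide-xfr lines rather than the host's private default address; that deserves a one-line comment next to it, e.g. `# public address the master sees (DNAT on the router), used for notify/xfr ACLs`.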
@@ -235,6 +242,7 @@ disabled_munin: muse-HP-EliteBook-820-G2.home.arpa: pinkypie.home.arpa: frederica.dmz.mateu.be: + nsd-master1.ext.mateu.be: disabled_syslog: hosts: @@ -243,6 +251,14 @@ disabled_syslog: muse-HP-EliteBook-820-G2.home.arpa: pinkypie.home.arpa: frederica.dmz.mateu.be: + nsd-master1.ext.mateu.be: + +# Those are not servers and should not be configured as such +disabled_server_conf: + hosts: + baybay-ponay.mateu.be: + muse-HP-EliteBook-820-G2.home.arpa: + pinkypie.home.arpa: ftpservers: hosts: diff --git a/roles/firewall/templates/firewall.j2 b/roles/firewall/templates/firewall.j2 index ced4876..3787b0d 100644 --- a/roles/firewall/templates/firewall.j2 +++ b/roles/firewall/templates/firewall.j2 
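Review bot: Adding nsd-master1.ext.mateu.be to `disabled_syslog` leaves the only Internet-facing authoritative master with local-only logs (its nsd.conf sets `log-only-syslog: yes`), so refused TSIG transfers, notify floods or query abuse against it never reach central logging. If the host is excluded because it lives outside the DMZ rather than by intent, consider shipping its syslog over the existing transport or at least documenting the exception, e.g. `# external VPS: no path to the DMZ syslog collector, logs stay local`. The same question applies to the `disabled_munin` entry in the previous hunk, which removes the one monitoring signal you would have for that server.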
@@ -339,6 +339,53 @@ config redirect option dest_port '64738' option target 'DNAT' +# Allow DNS traffic +config rule + option name 'Allow-INPUT-DNS' + option src 'wan' + list proto 'tcp' + list proto 'udp' + option dest 'dmz' + option dest_ip '{{ hostvars['dns1.dmz.mateu.be']['ansible_default_ipv6']['address'] }}' + option dest_port '53' + option target 'ACCEPT' + option family 'ipv6' + +config redirect + option name 'Allow-INPUT-DNS' + option src 'wan' + option src_dport '53' + list proto 'tcp' + list proto 'udp' + option dest 'dmz' + option dest_ip '{{ hostvars['dns1.dmz.mateu.be']['ansible_default_ipv4']['address'] }}' + option dest_port '53' + option target 'DNAT' + +config rule + option name 'Allow-OUTPUT-DNS' + option src 'dmz' + option src_ip '{{ hostvars['dns1.dmz.mateu.be']['ansible_default_ipv4']['address'] }}' + list proto 'tcp' + list proto 'udp' + option dest 'wan' + option dest_port '53' + option dest_ip '{{ hostvars['nsd-master1.ext.mateu.be']['ansible_default_ipv4']['address'] }}' + option target 'ACCEPT' + option family 'ipv4' + +config rule + option name 'Allow-OUTPUT-DNS' + option src 'dmz' + option src_ip '{{ hostvars['dns1.dmz.mateu.be']['ansible_default_ipv6']['address'] }}' + list proto 'tcp' + list proto 'udp' + option dest 'wan' + option dest_port '53' + option dest_ip '{{ hostvars['nsd-master1.ext.mateu.be']['ansible_default_ipv6']['address'] }}' + option target 'ACCEPT' + option family 'ipv6' + # Allow mail traffic config rule option name 'Allow-OUTPUT-SMTP' diff --git a/roles/nsd/defaults/main.yml b/roles/nsd/defaults/main.yml new file mode 100644 index 0000000..6bda0b1 --- /dev/null +++ b/roles/nsd/defaults/main.yml @@ -0,0 +1,3 @@ +--- + +nsd_master: "{{ master | default(false) }}" diff --git a/roles/nsd/handlers/main.yml b/roles/nsd/handlers/main.yml new file mode 100644 index 0000000..30bbd62 --- /dev/null +++ b/roles/nsd/handlers/main.yml 
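Review bot: The two `config rule` stanzas named `Allow-OUTPUT-DNS` (and the rule/redirect pair both named `Allow-INPUT-DNS`) reuse one name for the IPv4 and IPv6 variants, which makes `fw4 print` output and the generated chains ambiguous when one of them misbehaves. Suffix them, e.g. `option name 'Allow-INPUT-DNS-v6'`, `option name 'Allow-OUTPUT-DNS-v4'`, `option name 'Allow-OUTPUT-DNS-v6'`. The rules themselves look consistent with the NSD role as far as visible: inbound 53 is DNATed/accepted to dns1, the slave may reach nsd-master1 on 53 for SOA refresh and XFR, and NOTIFY from the master arrives through the inbound rule, while the TSIG key and per-peer ACLs in the role are what actually restrict transfers. Because UDP/53 here is necessarily open to the whole Internet, abuse protection (rate limiting) belongs in NSD rather than in these rules.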
@@ -0,0 +1,11 @@ +--- + +- name: Restart nsd + ansible.builtin.service: + name: nsd + state: restarted + +- name: Restart systemd-resolved + ansible.builtin.service: + name: systemd-resolved + state: restarted diff --git a/roles/nsd/tasks/main.yml b/roles/nsd/tasks/main.yml new file mode 100644 index 0000000..a815025 --- /dev/null +++ b/roles/nsd/tasks/main.yml @@ -0,0 +1,56 @@ +--- + +- name: Install & check prerequisites + ansible.builtin.include_tasks: prerequisites.yml + +- name: Create slave group + ansible.builtin.group_by: + key: slave_nsdservers + when: not nsd_master + +- name: Create master group + ansible.builtin.group_by: + key: master_nsdservers + when: nsd_master + +- name: Create zone dir + ansible.builtin.file: + path: "{{ nsd_default_etc_path }}zones" + owner: root + group: root + mode: "0755" + state: directory + +- name: Create nsd.conf + ansible.builtin.template: + src: nsd.conf.j2 + dest: "{{ nsd_default_etc_path }}nsd.conf" + owner: root + group: root + mode: "0640" + notify: + - Restart nsd + +- name: Create each zone in NSD + ansible.builtin.template: + src: zone.j2 + dest: "{{ nsd_default_etc_path }}nsd.conf.d/{{ item }}.conf" + owner: root + group: root + mode: "0644" + loop: "{{ zones }}" + notify: + - Restart nsd + +- name: Force zone reload + ansible.builtin.meta: flush_handlers + +- name: Create zone and reload + ansible.builtin.include_tasks: zones.yml + loop: "{{ zones }}" + when: nsd_master + +- name: Ensure nsd is started + ansible.builtin.service: + name: nsd + state: started diff --git a/roles/nsd/tasks/prerequisites.yml b/roles/nsd/tasks/prerequisites.yml new file mode 100644 index 0000000..925ffb2 --- /dev/null +++ b/roles/nsd/tasks/prerequisites.yml 
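Review bot: In "Create each zone in NSD" the loop variable is a mapping (zone.j2 reads `item.name`), so `dest: "{{ nsd_default_etc_path }}nsd.conf.d/{{ item }}.conf"` renders the dict repr into the filename (something like `{'name': 'giteu.be', 'parking': True}.conf`); the `*.conf` include glob still picks it up, which is why the bug is invisible. Use `dest: "{{ nsd_default_etc_path }}nsd.conf.d/{{ item.name }}.conf"` and add `loop_control: label: "{{ item.name }}"` for readable task output. The task also assumes `nsd.conf.d/` already exists; unless the package creates it, add it alongside the "Create zone dir" task. Note that `flush_handlers` restarts nsd before zones.yml writes the zone files on the master, so a first run starts NSD with missing zonefiles and depends entirely on the later `nsd-control reload`; a comment saying so would save the next person a confused look at the logs.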
@@ -0,0 +1,28 @@ +--- + +- name: Gather facts on listening ports + community.general.listen_ports_facts: + +- name: Detect systemd-resolve + ansible.builtin.set_fact: + _systemd_resolve_enable: "{{ ansible_facts.udp_listen | selectattr('port', 'eq', 53) | selectattr('name', 'eq', 'systemd-resolve') | count > 0 }}" + +- name: Deactivate DNS stublistener + ansible.builtin.lineinfile: + path: /etc/systemd/resolved.conf + regex: '^#DNSStubListener=yes' + line: DNSStubListener=no + when: _systemd_resolve_enable + notify: + - Restart systemd-resolved + +- name: Force restart for stub resolver + ansible.builtin.meta: flush_handlers + +- name: Install nsd & utilities + ansible.builtin.package: + name: + - nsd + - dnsutils + - ldnsutils + state: present diff --git a/roles/nsd/tasks/zones.yml b/roles/nsd/tasks/zones.yml new file mode 100644 index 0000000..43e2abe --- /dev/null +++ b/roles/nsd/tasks/zones.yml @@ -0,0 +1,28 @@ +--- + +- name: Create zone file + ansible.builtin.template: + src: "{{ 'zones/parking.zone.j2' if item.parking | default(false) else 'zones/' ~ item.name ~ '.zone.j2' }}" + dest: "{{ nsd_default_etc_path }}zones/{{ item.name }}.zone" + owner: root + group: root + mode: "0644" + vars: + # This generates 99 different serial per day + dns_serial: "{{ ansible_date_time.year }}{{ ansible_date_time.month }}{{ ansible_date_time.day }}{{ ((ansible_date_time.hour | int * 3600 + ansible_date_time.minute | int * 60 + ansible_date_time.second | int) * 99 / 86400) | int }}" + +- name: Force zone file modification time + ansible.builtin.file: + path: "{{ nsd_default_etc_path }}zones/{{ item.name }}.zone" + state: touch + mode: "0644" + +- name: Check zone file + ansible.builtin.command: + cmd: "nsd-checkzone {{ item.name }} {{ nsd_default_etc_path }}zones/{{ item.name }}.zone" + changed_when: false + +- name: Reload zone + ansible.builtin.command: + cmd: "nsd-control reload {{ item.name }}" + changed_when: false 
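Review bot: The lineinfile pattern `'^#DNSStubListener=yes'` only matches the commented-out default; a host where the stub listener is explicitly set (`DNSStubListener=yes` uncommented, or another value) is left untouched even though `_systemd_resolve_enable` is true, and NSD then fails to bind port 53. Match any existing setting instead: `regexp: '^#?DNSStubListener='` (`regexp` is the canonical key; `regex` is an alias). Disabling the stub also means a `/etc/resolv.conf` pointing at 127.0.0.53 stops resolving on that host, so the role should relink it to `/run/systemd/resolve/resolv.conf` or a static resolver, otherwise later package installs and XFR by hostname break. A comment above the task stating that assumption, e.g. `# assumes resolv.conf does not depend on the 127.0.0.53 stub`, is the minimum.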
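Review bot: `dns_serial` is not zero-padded: the day fraction `((...) * 99 / 86400) | int` is one digit until about 02:25 and two digits afterwards, so a serial such as 2024010250 (ten digits) is followed the next morning by 202401034 (nine digits), which is numerically smaller, and slaves keep the old zone until the serial overtakes it. Pad it with `{{ '%02d' | format(((ansible_date_time.hour | int * 3600 + ansible_date_time.minute | int * 60 + ansible_date_time.second | int) * 99 / 86400) | int) }}` and fix the comment to `# YYYYMMDDNN, NN = 00..98 (99 serials per day, zero-padded so serials never go backwards)`. Because the serial and the unconditional `touch` change on every run, each playbook run triggers a notify/transfer of every zone even when nothing changed, and two runs inside the same ~15-minute slot with different content produce the same serial, so the slave would not pick up the second change. The zone file is also written before `nsd-checkzone` runs, so a broken zone is already on disk when the check fails and will be loaded on the next restart; use `validate: "nsd-checkzone {{ item.name }} %s"` on the template task instead of a separate check.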
diff --git a/roles/nsd/templates/nsd.conf.j2 b/roles/nsd/templates/nsd.conf.j2 new file mode 100644 index 0000000..265e07a --- /dev/null +++ b/roles/nsd/templates/nsd.conf.j2 @@ -0,0 +1,11 @@ +key: + name: "{{ nsd_tsig_key_name }}" + algorithm: hmac-sha256 + secret: "{{ tsig_key }}" + +server: + log-only-syslog: yes + hide-version: yes + zonesdir: "/etc/nsd/zones" + +include: "/etc/nsd/nsd.conf.d/*.conf" diff --git a/roles/nsd/templates/zone.j2 b/roles/nsd/templates/zone.j2 new file mode 100644 index 0000000..1da82d2 --- /dev/null +++ b/roles/nsd/templates/zone.j2 @@ -0,0 +1,23 @@ +{% set other_server = groups['slave_nsdservers'] if nsd_master else (groups['master_nsdservers'] | first) -%} +{% set default_ipv4 = hostvars[other_server].ansible_default_ipv4.address -%} +{% set default_ipv6 = hostvars[other_server].ansible_default_ipv6.address -%} +zone: + name: "{{ item.name }}" + zonefile: {{ item.name }}.zone + {% if nsd_master -%} + {% for server in other_server -%} + {% set default_ipv4 = hostvars[server].natted_ipv4 | default(hostvars[server].ansible_default_ipv4.address) -%} + {% set default_ipv6 = hostvars[server].ansible_default_ipv6.address -%} + notify: {{ default_ipv4 }} {{ nsd_tsig_key_name }} + provide-xfr: {{ default_ipv4 }} {{ nsd_tsig_key_name }} + notify: {{ default_ipv6 }} {{ nsd_tsig_key_name }} + provide-xfr: {{ default_ipv6 }} {{ nsd_tsig_key_name }} + {% endfor -%} + {% else -%} + {% set default_ipv4 = hostvars[other_server].natted_ipv4 | default(hostvars[other_server].ansible_default_ipv4.address) -%} + {% set default_ipv6 = hostvars[other_server].ansible_default_ipv6.address -%} + allow-notify: {{ default_ipv4 }} {{ nsd_tsig_key_name }} + request-xfr: {{ default_ipv4 }} {{ nsd_tsig_key_name }} + allow-notify: {{ default_ipv6 }} {{ nsd_tsig_key_name }} + request-xfr: {{ default_ipv6 }} {{ nsd_tsig_key_name }} + {% endif -%} 
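Review bot: zones.yml runs `nsd-control reload`, but this template replaces the whole nsd.conf without a `remote-control:` section; NSD's built-in default is `control-enable: no`, so unless the distribution package enables it elsewhere (and `nsd-control-setup` has generated the control keys) the reload step fails on the master. Add the section explicitly and bind it to loopback so the control socket is never reachable from the network. Since dns1 answers for the whole Internet on UDP/53, this is also the place to turn on response rate limiting against reflection abuse, if the installed build includes RRL, and to hide the server identity alongside the version. The `key:` and `include:` stanzas are fine as they are.

```yaml
server:
  log-only-syslog: yes
  hide-version: yes
  hide-identity: yes
  # RRL only takes effect if nsd was built with --enable-ratelimit; 0 disables it
  rrl-ratelimit: 200
  zonesdir: "/etc/nsd/zones"

# control socket for nsd-control reload; loopback only
remote-control:
  control-enable: yes
  control-interface: 127.0.0.1

# … unchanged: key: and include: stanzas …
```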
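Review bot: The two `{% set default_ipv4/default_ipv6 = hostvars[other_server]... %}` lines at the top of zone.j2 index hostvars with a list when rendered on the master (`other_server` is `groups['slave_nsdservers']` there), which is at best an undefined value and at worst a TypeError depending on the Ansible version, and both branches below recompute the values anyway, so the two lines are dead; delete them. On the master the template also dereferences `groups['slave_nsdservers']` unconditionally, which is undefined when no host took the slave `group_by`, so write `{% for server in groups['slave_nsdservers'] | default([]) -%}` or fail early with a clear message. The access-control lines themselves are sound: every `provide-xfr`, `notify`, `allow-notify` and `request-xfr` is bound to a peer address and the TSIG key, so transfers are not open to arbitrary clients; a short comment above the `zone:` block saying that peers are derived from the master/slave groups built in tasks/main.yml would make the coupling visible.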
diff --git a/roles/nsd/templates/zones/libertus.eu.zone.j2 b/roles/nsd/templates/zones/libertus.eu.zone.j2 new file mode 100644 index 0000000..7e05590 --- /dev/null +++ b/roles/nsd/templates/zones/libertus.eu.zone.j2 
@@ -0,0 +1,42 @@ +$TTL 86400 +@ SOA {{ groups['master_nsdservers'] | first }}. tech.ovh.net. ( + {{ dns_serial }}; serial number YYMMDDNN + 28800; Refresh + 7200; Retry + 864000; Expire + 86400; Min TTL + ) + +{% for server in groups['nsdservers'] %} + NS {{ server }}. +{% endfor %} + +$ORIGIN {{ item.name }}. +$TTL 7200 + IN MX 1 mail.dmz.mateu.be. + 600 IN TXT "v=spf1 mx a:ks3370405.kimsufi.com -all" + 600 IN TXT "spf2.0/mfrom mx a:ks3370405.kimsufi.com -all" + IN CAA 0 issue "letsencrypt.org" +_dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:postmaster@mateu.be; adkim=s; aspf=s" +_dmarc.p IN TXT "v=DMARC1; p=reject; rua=mailto:postmaster@mateu.be; adkim=s; aspf=s" +_jabber._tcp IN SRV 0 0 5269 jabber.dmz.mateu.be. +_xmpp-client._tcp IN SRV 0 0 5222 jabber.dmz.mateu.be. +_xmpp-server._tcp IN SRV 0 0 5269 jabber.dmz.mateu.be. +_xmppconnect IN TXT "_xmpp-client-xbosh=https://xmpp.libertus.eu/http-bind" +altsrv IN CNAME ks3370405.kimsufi.com. +blog IN CNAME web1.dmz.mateu.be. +conference IN CNAME jabber.dmz.mateu.be. +dkim._domainkey IN TXT "v=DKIM1; k=rsa; t=s; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCv3kGIw5015Q35LLbkGwaBE+wC0PseodezDdkoGwzRsazEWINv1bg0mCIjtDbXLpv5VgRSynRyB+764i15DoFJp6mabcHlXxQVBWMClAtCJ9+Fn6SEwQjFbQeuFVQKH3xMwIq0S+ggP7qhFTaiLBn909Fi8oEMXGvqbBSlvoaeJwIDAQAB" +dkim._domainkey.p IN TXT "v=DKIM1; k=rsa; t=s; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCv3kGIw5015Q35LLbkGwaBE+wC0PseodezDdkoGwzRsazEWINv1bg0mCIjtDbXLpv5VgRSynRyB+764i15DoFJp6mabcHlXxQVBWMClAtCJ9+Fn6SEwQjFbQeuFVQKH3xMwIq0S+ggP7qhFTaiLBn909Fi8oEMXGvqbBSlvoaeJwIDAQAB" +fav IN CNAME web1.dmz.mateu.be. +imap IN CNAME mail.dmz.mateu.be. +mail IN CNAME web1.dmz.mateu.be. +o IN CNAME web1.dmz.mateu.be. +p IN MX 1 mail.dmz.mateu.be. +p 600 IN TXT "v=spf1 mx a:ks3370405.kimsufi.com -all" +p 600 IN TXT "spf2.0/mfrom mx a:ks3370405.kimsufi.com -all" +perso IN CNAME web1.dmz.mateu.be. +rss IN CNAME web1.dmz.mateu.be. +smtp IN CNAME mail.dmz.mateu.be. +upload IN CNAME jabber.dmz.mateu.be. 
+xmpp IN CNAME jabber.dmz.mateu.be. diff --git a/roles/nsd/templates/zones/mateu.be.zone.j2 b/roles/nsd/templates/zones/mateu.be.zone.j2 new file mode 100644 index 0000000..6c77f6d --- /dev/null +++ b/roles/nsd/templates/zones/mateu.be.zone.j2 
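Review bot: The SOA RNAME `tech.ovh.net.` in the libertus.eu template is OVH's contact mailbox and looks like a leftover from the registrar zone export; once the zone is served from your own NSD this should be a mailbox you control, e.g. `@ SOA {{ groups['master_nsdservers'] | first }}. hostmaster.{{ item.name }}. (` (the other zone templates carry the same value). The serial comment `; serial number YYMMDDNN` does not match the ten-digit `YYYYMMDDNN` that zones.yml generates; correct it so nobody relies on the wrong width. The `NS` loop also emits `dns1.dmz.mateu.be.` as a nameserver, which only works if the registrar delegation lists exactly these hosts; that is outside the diff but worth a comment above the loop, e.g. `{# NS set must match the delegation at the registrar #}`.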
@@ -0,0 +1,101 @@ +$TTL 86400 +@ SOA {{ groups['master_nsdservers'] | first }}. tech.ovh.net. ( + {{ dns_serial }}; serial number YYMMDDNN + 28800; Refresh + 7200; Retry + 864000; Expire + 86400; Min TTL + ) + +{% for server in groups['nsdservers'] %} + NS {{ server }}. +{% endfor %} + +$ORIGIN {{ item.name }}. +$TTL 7200 +$TTL 3600 + IN MX 1 mail.dmz.mateu.be. + 600 IN TXT "v=spf1 mx a:ks3370405.kimsufi.com -all" + 600 IN TXT "spf2.0/mfrom mx a:ks3370405.kimsufi.com -all" + IN CAA 0 issue "letsencrypt.org" +*.garage IN CNAME garage +_dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:postmaster@mateu.be; adkim=s; aspf=s" +altsrv IN CNAME ks3370405.kimsufi.com. +backup IN A 10.233.212.60 +baybay-ponay IN AAAA 2a01:e0a:9bd:2810:9e6b:ff:fe13:ef88 +bt IN CNAME bt.dmz.mateu.be. +bt.dmz IN A 82.66.135.228 +bt.dmz IN AAAA 2a01:e0a:9bd:2811::3 +btf IN CNAME bt.dmz +ciol IN A 109.190.68.133 +derdriu IN A 10.233.212.77 +dkim._domainkey IN TXT "v=DKIM1; k=rsa; t=s; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCv3kGIw5015Q35LLbkGwaBE+wC0PseodezDdkoGwzRsazEWINv1bg0mCIjtDbXLpv5VgRSynRyB+764i15DoFJp6mabcHlXxQVBWMClAtCJ9+Fn6SEwQjFbQeuFVQKH3xMwIq0S+ggP7qhFTaiLBn909Fi8oEMXGvqbBSlvoaeJwIDAQAB" +dns1.dmz IN A 82.66.135.228 +dns1.dmz IN AAAA 2a01:e0a:9bd:2811::16 +dom IN A 10.233.212.15 +dom.dmz IN A 82.66.135.228 +dom.dmz IN AAAA 2a01:e0a:9bd:2811::15 +emerandon.st IN CNAME altsrv +enbarr.dmz IN AAAA 2a01:e0a:9bd:2811::50 +es1.dmz IN AAAA 2a01:e0a:9bd:2811::21 +es1.dmz IN A 82.66.135.228 +evse IN A 10.233.211.198 +fc IN A 10.233.211.194 +frederica.dmz IN A 82.66.135.228 +frederica.dmz IN AAAA 2a01:e0a:9bd:2811::60 +ftp IN A 10.233.212.14 +ftp.dmz IN A 82.66.135.228 +ftp.dmz IN AAAA 2a01:e0a:9bd:2811::14 +garage IN CNAME garage1.dmz.mateu.be. 
+garage1.dmz IN A 82.66.135.228 +garage1.dmz IN AAAA 2a01:e0a:9bd:2811::11 +garreg-mach IN A 10.233.212.66 +haproxy.dmz IN A 82.66.135.228 +haproxy.dmz IN AAAA 2a01:e0a:9bd:2811::2 +imprimante IN A 10.233.212.94 +jabber.dmz IN A 82.66.135.228 +jabber.dmz IN AAAA 2a01:e0a:9bd:2811::10 +jackett IN CNAME bt.dmz.mateu.be. +libertus.eu._report._dmarc IN TXT "v=DMARC1;" +machinbox IN A 82.66.135.228 +machinbox IN AAAA 2a01:e0a:9bd:2810::1 +mail-relay IN A 37.187.5.75 +mail.dmz IN A 82.66.135.228 +mail.dmz IN AAAA 2a01:e0a:9bd:2811::4 +mailalt IN CNAME ks3370405.kimsufi.com. +masto1.dmz IN A 82.66.135.228 +masto1.dmz IN AAAA 2a01:e0a:9bd:2811::19 +munin IN CNAME munin.dmz +munin.dmz IN A 82.66.135.228 +munin.dmz IN AAAA 2a01:e0a:9bd:2811::12 +nfs IN A 10.233.212.60 +nintendojo.fr._report._dmarc IN TXT "v=DMARC1;" +nsd-master1.ext IN A 51.158.238.190 +nsd-master1.ext IN AAAA 2001:bc8:5090:5bb:dc00:ff:fe20:8869 +p.libertus.eu._report._dmarc IN TXT "v=DMARC1;" +pipoworld.fr._report._dmarc IN TXT "v=DMARC1;" +pt1.dmz IN A 82.66.135.228 +pt1.dmz IN AAAA 2a01:e0a:9bd:2811::20 +r IN CNAME web1.dmz +rb IN A 194.156.203.253 +rc IN A 10.233.211.195 +ror1.dmz IN A 82.66.135.228 +ror1.dmz IN AAAA 2a01:e0a:9bd:2811::18 +sachetpa.st IN CNAME altsrv +serenor.dmz IN AAAA 2a01:e0a:9bd:2811::59 +serenor.dmz IN A 82.66.135.228 +sonarr IN CNAME bt.dmz +syslog.dmz IN AAAA 2a01:e0a:9bd:2811::8 +unifi.dmz IN A 82.66.135.228 +unifi.dmz IN AAAA 2a01:e0a:9bd:2811::13 +veretcle.st IN CNAME altsrv +voice1.dmz IN A 82.66.135.228 +voice1.dmz IN AAAA 2a01:e0a:9bd:2811::7 +voice3.dmz IN A 82.66.135.228 +voice3.dmz IN AAAA 2a01:e0a:9bd:2811::9 +web1.dmz IN A 82.66.135.228 +web1.dmz IN AAAA 2a01:e0a:9bd:2811::5 +web2.dmz IN A 82.66.135.228 +web2.dmz IN AAAA 2a01:e0a:9bd:2811::6 +web3.dmz IN A 82.66.135.228 +web3.dmz IN AAAA 2a01:e0a:9bd:2811::17 diff --git a/roles/nsd/templates/zones/nintendojo.fr.zone.j2 b/roles/nsd/templates/zones/nintendojo.fr.zone.j2 new file mode 100644 index 0000000..f9be331 
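Review bot: The mateu.be template publishes RFC 1918 addresses in a public zone — `backup`, `derdriu`, `dom`, `evse`, `fc`, `ftp`, `garreg-mach`, `imprimante`, `nfs` and `rc` all resolve to 10.233.x.x — which hands anyone a labelled map of the LAN (printer, EV charger, NAS, backup host) for free. Serve those names from an internal zone on the LAN resolver (split horizon) and keep only DMZ and public records here; if that is not possible, at least mark the section with `; internal LAN addresses, intentionally public — see <ticket>` so the exposure is a decision rather than an accident. The block also has two consecutive `$TTL 7200` / `$TTL 3600` directives of which only the second is effective; drop the first. As in the other templates, the `tech.ovh.net.` RNAME looks inherited from the previous hoster and should point at a mailbox you read.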
--- /dev/null +++ b/roles/nsd/templates/zones/nintendojo.fr.zone.j2 @@ -0,0 +1,38 @@ +$TTL 86400 +@ SOA {{ groups['master_nsdservers'] | first }}. tech.ovh.net. ( + {{ dns_serial }}; serial number YYMMDDNN + 28800; Refresh + 7200; Retry + 864000; Expire + 86400; Min TTL + ) + +{% for server in groups['nsdservers'] %} + NS {{ server }}. +{% endfor %} + +$ORIGIN {{ item.name }}. +$TTL 7200 +$TTL 3600 + IN MX 1 mail.dmz.mateu.be. + IN A 82.66.135.228 + IN AAAA 2a01:e0a:9bd:2811::6 + 600 IN TXT "v=spf1 mx a:ks3370405.kimsufi.com -all" + 600 IN TXT "spf2.0/mfrom mx a:ks3370405.kimsufi.com -all" + 600 IN TXT "google-site-verification=rIe1fnrQnv-E1H8qsMtEIhM4XYUqCELshWH9pHkwPBI" + IN CAA 0 issue "letsencrypt.org" +_dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:postmaster@mateu.be; adkim=s; aspf=s" +analyse IN CNAME web2.dmz.mateu.be. +dkim._domainkey IN TXT "v=DKIM1; k=rsa; t=s; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCv3kGIw5015Q35LLbkGwaBE+wC0PseodezDdkoGwzRsazEWINv1bg0mCIjtDbXLpv5VgRSynRyB+764i15DoFJp6mabcHlXxQVBWMClAtCJ9+Fn6SEwQjFbQeuFVQKH3xMwIq0S+ggP7qhFTaiLBn909Fi8oEMXGvqbBSlvoaeJwIDAQAB" +forum IN CNAME web2.dmz.mateu.be. +m IN CNAME masto1.dmz.mateu.be. +medias.m IN CNAME mastodon-ndfr.garage.mateu.be. +mm IN CNAME mail.dmz.mateu.be. +mumble IN CNAME voice1.dmz.mateu.be. +original.p IN CNAME peertube-original-ndfr.garage.mateu.be. +p IN CNAME pt1.dmz.mateu.be. +perso IN CNAME web1.dmz.mateu.be. +playlists.p IN CNAME peertube-videos-ndfr.garage.mateu.be. +radio IN CNAME voice3.dmz.mateu.be. +videos.p IN CNAME peertube-playlists-ndfr.garage.mateu.be. +www IN CNAME web2.dmz.mateu.be. diff --git a/roles/nsd/templates/zones/parking.zone.j2 b/roles/nsd/templates/zones/parking.zone.j2 new file mode 100644 index 0000000..5e34690 --- /dev/null +++ b/roles/nsd/templates/zones/parking.zone.j2 
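Review bot: `playlists.p IN CNAME peertube-videos-ndfr.garage.mateu.be.` and `videos.p IN CNAME peertube-playlists-ndfr.garage.mateu.be.` look swapped relative to `original.p IN CNAME peertube-original-ndfr...`; verify them against the actual garage bucket names before this goes live, because a wrong mapping serves the other bucket instead of failing visibly. The template also carries two consecutive `$TTL 7200` / `$TTL 3600` lines where only the second applies; remove the first. The `google-site-verification` TXT is a public token and harmless, but a `; added <date> for Search Console` comment makes later cleanup possible.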
@@ -0,0 +1,19 @@ +$TTL 86400 +@ SOA {{ groups['master_nsdservers'] | first }}. tech.ovh.net. ( + {{ dns_serial }}; serial number YYMMDDNN + 28800; Refresh + 7200; Retry + 864000; Expire + 86400; Min TTL + ) + +{% for server in groups['nsdservers'] %} + NS {{ server }}. +{% endfor %} + +$ORIGIN {{ item.name }}. +$TTL 7200 +@ CAA 0 issue ";" +@ TXT "v=spf1 -all" +@ TXT "spf2.0/mfrom -all" +_dmarc TXT "v=DMARC1;p=reject;pct=100;sp=reject;aspf=s;" diff --git a/roles/nsd/templates/zones/pipoworld.fr.zone.j2 b/roles/nsd/templates/zones/pipoworld.fr.zone.j2 new file mode 100644 index 0000000..566a024 --- /dev/null +++ b/roles/nsd/templates/zones/pipoworld.fr.zone.j2 @@ -0,0 +1,22 @@ +$TTL 86400 +@ SOA {{ groups['master_nsdservers'] | first }}. tech.ovh.net. ( + {{ dns_serial }}; serial number YYMMDDNN + 28800; Refresh + 7200; Retry + 864000; Expire + 86400; Min TTL + ) + +{% for server in groups['nsdservers'] %} + NS {{ server }}. +{% endfor %} + +$ORIGIN {{ item.name }}. +$TTL 7200 + IN MX 1 mail.dmz.mateu.be. + 600 IN TXT "spf2.0/mfrom mx a:ks3370405.kimsufi.com -all" + 600 IN TXT "v=spf1 mx a:ks3370405.kimsufi.com -all" + IN CAA 0 issue "letsencrypt.org" +_dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:postmaster@mateu.be; adkim=s; aspf=s" +dkim._domainkey IN TXT "v=DKIM1; k=rsa; t=s; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCv3kGIw5015Q35LLbkGwaBE+wC0PseodezDdkoGwzRsazEWINv1bg0mCIjtDbXLpv5VgRSynRyB+764i15DoFJp6mabcHlXxQVBWMClAtCJ9+Fn6SEwQjFbQeuFVQKH3xMwIq0S+ggP7qhFTaiLBn909Fi8oEMXGvqbBSlvoaeJwIDAQAB" +mm IN CNAME mail.dmz.mateu.be. diff --git a/roles/nsd/vars/main.yml b/roles/nsd/vars/main.yml new file mode 100644 index 0000000..911e4aa --- /dev/null +++ b/roles/nsd/vars/main.yml @@ -0,0 +1,4 @@ +--- + +nsd_default_etc_path: "/etc/nsd/" +nsd_tsig_key_name: "tsig0" diff --git a/site.yml b/site.yml index 36047f4..58d8fcc 100644 --- a/site.yml +++ b/site.yml 
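Review bot: The parking zone locks mail down with SPF `-all` and a reject DMARC but has no MX record, so senders fall back to the (absent) apex address and keep retrying for days; add a null MX per RFC 7505, `@ MX 0 .`, so delivery is refused immediately. The CAA `issue ";"` correctly forbids certificate issuance, and since no `issuewild` is present the same restriction covers wildcards, which is what you want for a parked name. The `_dmarc` record has no `rua=` address, so spoofing of these parked domains is never reported; reuse the `rua=mailto:postmaster@mateu.be` from the live zones if you want visibility.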
@@ -4,6 +4,8 @@ import_playbook: system.yml - name: Run usb playbook import_playbook: usb.yml +- name: Run nsd playbook + import_playbook: nsd.yml - name: Run smtprelay playbook import_playbook: smtprelay.yml - name: Run restic playbook diff --git a/smtprelay.yml b/smtprelay.yml index df0448f..f8b6cdc 100644 --- a/smtprelay.yml +++ b/smtprelay.yml @@ -1,7 +1,7 @@ --- - name: Deploy smtp relay - hosts: all:!baybay-ponay.mateu.be:!machinbox.mateu.be:!mail.dmz.mateu.be:!muse-HP-EliteBook-820-G2.home.arpa:!frederica.dmz.mateu.be + hosts: all:!disabled_server_conf:!machinbox.mateu.be:!mail.dmz.mateu.be:!frederica.dmz.mateu.be diff: true roles: - smtprelay