✨: add nsd role

2024-07-05 11:53:53 +02:00
parent 192bf6dfcd
commit 5217036f14
20 changed files with 484 additions and 2 deletions
--- a/roles/nsd/defaults/main.yml
+++ b/roles/nsd/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+
+nsd_master: "{{ master | default(false) }}"
--- a/roles/nsd/handlers/main.yml
+++ b/roles/nsd/handlers/main.yml
@@ -0,0 +1,11 @@
+---
+
+- name: Restart nsd
+  ansible.builtin.service:
+    name: nsd
+    state: restarted
+
+- name: Restart systemd-resolved
+  ansible.builtin.service:
+    name: systemd-resolved
+    state: restarted
--- a/roles/nsd/tasks/main.yml
+++ b/roles/nsd/tasks/main.yml
@@ -0,0 +1,56 @@
+---
+
+- name: Install & check prerequisites
+  ansible.builtin.include_tasks: prerequisites.yml
+
+- name: Create slave group
+  ansible.builtin.group_by:
+    key: slave_nsdservers
+  when: not nsd_master
+
+- name: Create master group
+  ansible.builtin.group_by:
+    key: master_nsdservers
+  when: nsd_master
+
+- name: Create zone dir
+  ansible.builtin.file:
+    path: "{{ nsd_default_etc_path }}zones"
+    owner: root
+    group: root
+    mode: "0755"
+    state: directory
+
+- name: Create nsd.conf
+  ansible.builtin.template:
+    src: nsd.conf.j2
+    dest: "{{ nsd_default_etc_path }}nsd.conf"
+    owner: root
+    group: root
+    mode: "0640"
+  notify:
+    - Restart nsd
+
+- name: Create each zone in NSD
+  ansible.builtin.template:
+    src: zone.j2
+    dest: "{{ nsd_default_etc_path }}nsd.conf.d/{{ item }}.conf"
+    owner: root
+    group: root
+    mode: "0644"
+  loop: "{{ zones }}"
+  notify:
+    - Restart nsd
+
+- name: Force zone reload
+  ansible.builtin.meta: flush_handlers
+
+- name: Create zone and reload
+  ansible.builtin.include_tasks: zones.yml
+  loop: "{{ zones }}"
+  when: nsd_master
+
+- name: Ensure nsd is started
+  ansible.builtin.service:
+    name: nsd
+    state: started
--- a/roles/nsd/tasks/prerequisites.yml
+++ b/roles/nsd/tasks/prerequisites.yml
@@ -0,0 +1,28 @@
+---
+
+- name: Gather facts on listening ports
+  community.general.listen_ports_facts:
+
+- name: Detect systemd-resolve
+  ansible.builtin.set_fact:
+    _systemd_resolve_enable: "{{ ansible_facts.udp_listen | selectattr('port', 'eq', 53) | selectattr('name', 'eq', 'systemd-resolve') | count > 0 }}"
+
+- name: Deactivate DNS stublistener
+  ansible.builtin.lineinfile:
+    path: /etc/systemd/resolved.conf
+    regex: '^#DNSStubListener=yes'
+    line: DNSStubListener=no
+  when: _systemd_resolve_enable
+  notify:
+    - Restart systemd-resolved
+
+- name: Force restart for stub resolver
+  ansible.builtin.meta: flush_handlers
+
+- name: Install nsd & utilities
+  ansible.builtin.package:
+    name:
+      - nsd
+      - dnsutils
+      - ldnsutils
+    state: present
--- a/roles/nsd/tasks/zones.yml
+++ b/roles/nsd/tasks/zones.yml
@@ -0,0 +1,28 @@
+---
+
+- name: Create zone file
+  ansible.builtin.template:
+    src: "{{ 'zones/parking.zone.j2' if item.parking | default(false) else 'zones/' ~ item.name ~ '.zone.j2' }}"
+    dest: "{{ nsd_default_etc_path }}zones/{{ item.name }}.zone"
+    owner: root
+    group: root
+    mode: "0644"
+  vars:
+    # This generates 99 different serial per day
+    dns_serial: "{{ ansible_date_time.year }}{{ ansible_date_time.month }}{{ ansible_date_time.day }}{{ ((ansible_date_time.hour | int * 3600 + ansible_date_time.minute | int * 60 + ansible_date_time.second | int) * 99 / 86400) | int }}"
+
+- name: Force zone file modification time
+  ansible.builtin.file:
+    path: "{{ nsd_default_etc_path }}zones/{{ item.name }}.zone"
+    state: touch
+    mode: "0644"
+
+- name: Check zone file
+  ansible.builtin.command:
+    cmd: "nsd-checkzone {{ item.name }} {{ nsd_default_etc_path }}zones/{{ item.name }}.zone"
+  changed_when: false
+
+- name: Reload zone
+  ansible.builtin.command:
+    cmd: "nsd-control reload {{ item.name }}"
+  changed_when: false
--- a/roles/nsd/templates/nsd.conf.j2
+++ b/roles/nsd/templates/nsd.conf.j2
@@ -0,0 +1,11 @@
+key:
+	name: "{{ nsd_tsig_key_name }}"
+	algorithm: hmac-sha256
+	secret: "{{ tsig_key }}"
+
+server:
+	log-only-syslog: yes
+	hide-version: yes
+	zonesdir: "/etc/nsd/zones"
+
+include: "/etc/nsd/nsd.conf.d/*.conf"
--- a/roles/nsd/templates/zone.j2
+++ b/roles/nsd/templates/zone.j2
@@ -0,0 +1,23 @@
+{% set other_server = groups['slave_nsdservers'] if nsd_master else (groups['master_nsdservers'] | first) -%}
+{% set default_ipv4 = hostvars[other_server].ansible_default_ipv4.address -%}
+{% set default_ipv6 = hostvars[other_server].ansible_default_ipv6.address -%}
+zone:
+    name: "{{ item.name }}"
+    zonefile: {{ item.name }}.zone
+    {% if nsd_master -%}
+    {% for server in other_server -%}
+    {% set default_ipv4 = hostvars[server].natted_ipv4 | default(hostvars[server].ansible_default_ipv4.address) -%}
+    {% set default_ipv6 = hostvars[server].ansible_default_ipv6.address -%}
+    notify: {{ default_ipv4 }} {{ nsd_tsig_key_name }}
+    provide-xfr: {{ default_ipv4 }} {{ nsd_tsig_key_name }}
+    notify: {{ default_ipv6 }} {{ nsd_tsig_key_name }}
+    provide-xfr: {{ default_ipv6 }} {{ nsd_tsig_key_name }}
+    {% endfor -%}
+    {% else -%}
+    {% set default_ipv4 = hostvars[other_server].natted_ipv4 | default(hostvars[other_server].ansible_default_ipv4.address) -%}
+    {% set default_ipv6 = hostvars[other_server].ansible_default_ipv6.address -%}
+    allow-notify: {{ default_ipv4 }} {{ nsd_tsig_key_name }}
+    request-xfr: {{ default_ipv4 }} {{ nsd_tsig_key_name }}
+    allow-notify: {{ default_ipv6 }} {{ nsd_tsig_key_name }}
+    request-xfr: {{ default_ipv6 }} {{ nsd_tsig_key_name }}
+    {% endif -%}
--- a/roles/nsd/templates/zones/libertus.eu.zone.j2
+++ b/roles/nsd/templates/zones/libertus.eu.zone.j2
@@ -0,0 +1,42 @@
+$TTL 86400
+@		SOA {{ groups['master_nsdservers'] | first }}. tech.ovh.net. (
+				{{ dns_serial }}; serial number YYMMDDNN
+				28800; Refresh
+				7200; Retry
+				864000; Expire
+				86400; Min TTL
+			)
+
+{% for server in groups['nsdservers'] %}
+		NS	{{ server }}.
+{% endfor %}
+
+$ORIGIN {{ item.name }}.
+$TTL 7200
+        IN MX     1 mail.dmz.mateu.be.
+    600 IN TXT     "v=spf1 mx a:ks3370405.kimsufi.com -all"
+    600 IN TXT     "spf2.0/mfrom mx a:ks3370405.kimsufi.com -all"
+        IN CAA     0 issue "letsencrypt.org"
+_dmarc        IN TXT     "v=DMARC1; p=reject; rua=mailto:postmaster@mateu.be; adkim=s; aspf=s"
+_dmarc.p        IN TXT     "v=DMARC1; p=reject; rua=mailto:postmaster@mateu.be; adkim=s; aspf=s"
+_jabber._tcp        IN SRV     0 0 5269 jabber.dmz.mateu.be.
+_xmpp-client._tcp        IN SRV     0 0 5222 jabber.dmz.mateu.be.
+_xmpp-server._tcp        IN SRV     0 0 5269 jabber.dmz.mateu.be.
+_xmppconnect        IN TXT     "_xmpp-client-xbosh=https://xmpp.libertus.eu/http-bind"
+altsrv        IN CNAME     ks3370405.kimsufi.com.
+blog        IN CNAME     web1.dmz.mateu.be.
+conference        IN CNAME     jabber.dmz.mateu.be.
+dkim._domainkey        IN TXT     "v=DKIM1; k=rsa; t=s; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCv3kGIw5015Q35LLbkGwaBE+wC0PseodezDdkoGwzRsazEWINv1bg0mCIjtDbXLpv5VgRSynRyB+764i15DoFJp6mabcHlXxQVBWMClAtCJ9+Fn6SEwQjFbQeuFVQKH3xMwIq0S+ggP7qhFTaiLBn909Fi8oEMXGvqbBSlvoaeJwIDAQAB"
+dkim._domainkey.p        IN TXT     "v=DKIM1; k=rsa; t=s; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCv3kGIw5015Q35LLbkGwaBE+wC0PseodezDdkoGwzRsazEWINv1bg0mCIjtDbXLpv5VgRSynRyB+764i15DoFJp6mabcHlXxQVBWMClAtCJ9+Fn6SEwQjFbQeuFVQKH3xMwIq0S+ggP7qhFTaiLBn909Fi8oEMXGvqbBSlvoaeJwIDAQAB"
+fav        IN CNAME     web1.dmz.mateu.be.
+imap        IN CNAME     mail.dmz.mateu.be.
+mail        IN CNAME     web1.dmz.mateu.be.
+o        IN CNAME     web1.dmz.mateu.be.
+p        IN MX     1 mail.dmz.mateu.be.
+p    600 IN TXT     "v=spf1 mx a:ks3370405.kimsufi.com -all"
+p    600 IN TXT     "spf2.0/mfrom mx a:ks3370405.kimsufi.com -all"
+perso        IN CNAME     web1.dmz.mateu.be.
+rss        IN CNAME     web1.dmz.mateu.be.
+smtp        IN CNAME     mail.dmz.mateu.be.
+upload        IN CNAME     jabber.dmz.mateu.be.
+xmpp        IN CNAME     jabber.dmz.mateu.be.
--- a/roles/nsd/templates/zones/mateu.be.zone.j2
+++ b/roles/nsd/templates/zones/mateu.be.zone.j2
@@ -0,0 +1,101 @@
+$TTL 86400
+@		SOA {{ groups['master_nsdservers'] | first }}. tech.ovh.net. (
+				{{ dns_serial }}; serial number YYMMDDNN
+				28800; Refresh
+				7200; Retry
+				864000; Expire
+				86400; Min TTL
+			)
+
+{% for server in groups['nsdservers'] %}
+		NS	{{ server }}.
+{% endfor %}
+
+$ORIGIN {{ item.name }}.
+$TTL 7200
+$TTL 3600
+        IN MX     1 mail.dmz.mateu.be.
+    600 IN TXT     "v=spf1 mx a:ks3370405.kimsufi.com -all"
+    600 IN TXT     "spf2.0/mfrom mx a:ks3370405.kimsufi.com -all"
+        IN CAA     0 issue "letsencrypt.org"
+*.garage        IN CNAME     garage
+_dmarc        IN TXT     "v=DMARC1; p=reject; rua=mailto:postmaster@mateu.be; adkim=s; aspf=s"
+altsrv        IN CNAME     ks3370405.kimsufi.com.
+backup        IN A     10.233.212.60
+baybay-ponay        IN AAAA     2a01:e0a:9bd:2810:9e6b:ff:fe13:ef88
+bt        IN CNAME     bt.dmz.mateu.be.
+bt.dmz        IN A     82.66.135.228
+bt.dmz        IN AAAA     2a01:e0a:9bd:2811::3
+btf        IN CNAME     bt.dmz
+ciol        IN A     109.190.68.133
+derdriu        IN A     10.233.212.77
+dkim._domainkey        IN TXT     "v=DKIM1; k=rsa; t=s; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCv3kGIw5015Q35LLbkGwaBE+wC0PseodezDdkoGwzRsazEWINv1bg0mCIjtDbXLpv5VgRSynRyB+764i15DoFJp6mabcHlXxQVBWMClAtCJ9+Fn6SEwQjFbQeuFVQKH3xMwIq0S+ggP7qhFTaiLBn909Fi8oEMXGvqbBSlvoaeJwIDAQAB"
+dns1.dmz        IN A     82.66.135.228
+dns1.dmz        IN AAAA     2a01:e0a:9bd:2811::16
+dom        IN A     10.233.212.15
+dom.dmz        IN A     82.66.135.228
+dom.dmz        IN AAAA     2a01:e0a:9bd:2811::15
+emerandon.st        IN CNAME     altsrv
+enbarr.dmz        IN AAAA     2a01:e0a:9bd:2811::50
+es1.dmz        IN AAAA     2a01:e0a:9bd:2811::21
+es1.dmz        IN A     82.66.135.228
+evse        IN A     10.233.211.198
+fc        IN A     10.233.211.194
+frederica.dmz        IN A     82.66.135.228
+frederica.dmz        IN AAAA     2a01:e0a:9bd:2811::60
+ftp        IN A     10.233.212.14
+ftp.dmz        IN A     82.66.135.228
+ftp.dmz        IN AAAA     2a01:e0a:9bd:2811::14
+garage        IN CNAME     garage1.dmz.mateu.be.
+garage1.dmz        IN A     82.66.135.228
+garage1.dmz        IN AAAA     2a01:e0a:9bd:2811::11
+garreg-mach        IN A     10.233.212.66
+haproxy.dmz        IN A     82.66.135.228
+haproxy.dmz        IN AAAA     2a01:e0a:9bd:2811::2
+imprimante        IN A     10.233.212.94
+jabber.dmz        IN A     82.66.135.228
+jabber.dmz        IN AAAA     2a01:e0a:9bd:2811::10
+jackett        IN CNAME     bt.dmz.mateu.be.
+libertus.eu._report._dmarc        IN TXT     "v=DMARC1;"
+machinbox        IN A     82.66.135.228
+machinbox        IN AAAA     2a01:e0a:9bd:2810::1
+mail-relay        IN A     37.187.5.75
+mail.dmz        IN A     82.66.135.228
+mail.dmz        IN AAAA     2a01:e0a:9bd:2811::4
+mailalt        IN CNAME     ks3370405.kimsufi.com.
+masto1.dmz        IN A     82.66.135.228
+masto1.dmz        IN AAAA     2a01:e0a:9bd:2811::19
+munin        IN CNAME     munin.dmz
+munin.dmz        IN A     82.66.135.228
+munin.dmz        IN AAAA     2a01:e0a:9bd:2811::12
+nfs        IN A     10.233.212.60
+nintendojo.fr._report._dmarc        IN TXT     "v=DMARC1;"
+nsd-master1.ext        IN A     51.158.238.190
+nsd-master1.ext        IN AAAA     2001:bc8:5090:5bb:dc00:ff:fe20:8869
+p.libertus.eu._report._dmarc        IN TXT     "v=DMARC1;"
+pipoworld.fr._report._dmarc        IN TXT     "v=DMARC1;"
+pt1.dmz        IN A     82.66.135.228
+pt1.dmz        IN AAAA     2a01:e0a:9bd:2811::20
+r        IN CNAME     web1.dmz
+rb        IN A     194.156.203.253
+rc        IN A     10.233.211.195
+ror1.dmz        IN A     82.66.135.228
+ror1.dmz        IN AAAA     2a01:e0a:9bd:2811::18
+sachetpa.st        IN CNAME     altsrv
+serenor.dmz        IN AAAA     2a01:e0a:9bd:2811::59
+serenor.dmz        IN A     82.66.135.228
+sonarr        IN CNAME     bt.dmz
+syslog.dmz        IN AAAA     2a01:e0a:9bd:2811::8
+unifi.dmz        IN A     82.66.135.228
+unifi.dmz        IN AAAA     2a01:e0a:9bd:2811::13
+veretcle.st        IN CNAME     altsrv
+voice1.dmz        IN A     82.66.135.228
+voice1.dmz        IN AAAA     2a01:e0a:9bd:2811::7
+voice3.dmz        IN A     82.66.135.228
+voice3.dmz        IN AAAA     2a01:e0a:9bd:2811::9
+web1.dmz        IN A     82.66.135.228
+web1.dmz        IN AAAA     2a01:e0a:9bd:2811::5
+web2.dmz        IN A     82.66.135.228
+web2.dmz        IN AAAA     2a01:e0a:9bd:2811::6
+web3.dmz        IN A     82.66.135.228
+web3.dmz        IN AAAA     2a01:e0a:9bd:2811::17
--- a/roles/nsd/templates/zones/nintendojo.fr.zone.j2
+++ b/roles/nsd/templates/zones/nintendojo.fr.zone.j2
@@ -0,0 +1,38 @@
+$TTL 86400
+@		SOA {{ groups['master_nsdservers'] | first }}. tech.ovh.net. (
+				{{ dns_serial }}; serial number YYMMDDNN
+				28800; Refresh
+				7200; Retry
+				864000; Expire
+				86400; Min TTL
+			)
+
+{% for server in groups['nsdservers'] %}
+		NS	{{ server }}.
+{% endfor %}
+
+$ORIGIN {{ item.name }}.
+$TTL 7200
+$TTL 3600
+        IN MX     1 mail.dmz.mateu.be.
+        IN A     82.66.135.228
+        IN AAAA     2a01:e0a:9bd:2811::6
+    600 IN TXT     "v=spf1 mx a:ks3370405.kimsufi.com -all"
+    600 IN TXT     "spf2.0/mfrom mx a:ks3370405.kimsufi.com -all"
+    600 IN TXT     "google-site-verification=rIe1fnrQnv-E1H8qsMtEIhM4XYUqCELshWH9pHkwPBI"
+        IN CAA     0 issue "letsencrypt.org"
+_dmarc        IN TXT     "v=DMARC1; p=reject; rua=mailto:postmaster@mateu.be; adkim=s; aspf=s"
+analyse        IN CNAME     web2.dmz.mateu.be.
+dkim._domainkey        IN TXT     "v=DKIM1; k=rsa; t=s; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCv3kGIw5015Q35LLbkGwaBE+wC0PseodezDdkoGwzRsazEWINv1bg0mCIjtDbXLpv5VgRSynRyB+764i15DoFJp6mabcHlXxQVBWMClAtCJ9+Fn6SEwQjFbQeuFVQKH3xMwIq0S+ggP7qhFTaiLBn909Fi8oEMXGvqbBSlvoaeJwIDAQAB"
+forum        IN CNAME     web2.dmz.mateu.be.
+m        IN CNAME     masto1.dmz.mateu.be.
+medias.m        IN CNAME     mastodon-ndfr.garage.mateu.be.
+mm        IN CNAME     mail.dmz.mateu.be.
+mumble        IN CNAME     voice1.dmz.mateu.be.
+original.p        IN CNAME     peertube-original-ndfr.garage.mateu.be.
+p        IN CNAME     pt1.dmz.mateu.be.
+perso        IN CNAME     web1.dmz.mateu.be.
+playlists.p        IN CNAME     peertube-videos-ndfr.garage.mateu.be.
+radio        IN CNAME     voice3.dmz.mateu.be.
+videos.p        IN CNAME     peertube-playlists-ndfr.garage.mateu.be.
+www        IN CNAME     web2.dmz.mateu.be.
--- a/roles/nsd/templates/zones/parking.zone.j2
+++ b/roles/nsd/templates/zones/parking.zone.j2
@@ -0,0 +1,19 @@
+$TTL 86400
+@		SOA {{ groups['master_nsdservers'] | first }}. tech.ovh.net. (
+				{{ dns_serial }}; serial number YYMMDDNN
+				28800; Refresh
+				7200; Retry
+				864000; Expire
+				86400; Min TTL
+			)
+
+{% for server in groups['nsdservers'] %}
+		NS	{{ server }}.
+{% endfor %}
+
+$ORIGIN {{ item.name }}.
+$TTL 7200
+@			CAA	0 issue ";"
+@			TXT	"v=spf1 -all"
+@			TXT	"spf2.0/mfrom -all"
+_dmarc		TXT	"v=DMARC1;p=reject;pct=100;sp=reject;aspf=s;"
--- a/roles/nsd/templates/zones/pipoworld.fr.zone.j2
+++ b/roles/nsd/templates/zones/pipoworld.fr.zone.j2
@@ -0,0 +1,22 @@
+$TTL 86400
+@		SOA {{ groups['master_nsdservers'] | first }}. tech.ovh.net. (
+				{{ dns_serial }}; serial number YYMMDDNN
+				28800; Refresh
+				7200; Retry
+				864000; Expire
+				86400; Min TTL
+			)
+
+{% for server in groups['nsdservers'] %}
+		NS	{{ server }}.
+{% endfor %}
+
+$ORIGIN {{ item.name }}.
+$TTL 7200
+        IN MX     1 mail.dmz.mateu.be.
+    600 IN TXT     "spf2.0/mfrom mx a:ks3370405.kimsufi.com  -all"
+    600 IN TXT     "v=spf1 mx a:ks3370405.kimsufi.com -all"
+        IN CAA     0 issue "letsencrypt.org"
+_dmarc        IN TXT     "v=DMARC1; p=reject; rua=mailto:postmaster@mateu.be; adkim=s; aspf=s"
+dkim._domainkey        IN TXT     "v=DKIM1; k=rsa; t=s; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCv3kGIw5015Q35LLbkGwaBE+wC0PseodezDdkoGwzRsazEWINv1bg0mCIjtDbXLpv5VgRSynRyB+764i15DoFJp6mabcHlXxQVBWMClAtCJ9+Fn6SEwQjFbQeuFVQKH3xMwIq0S+ggP7qhFTaiLBn909Fi8oEMXGvqbBSlvoaeJwIDAQAB"
+mm        IN CNAME     mail.dmz.mateu.be.
--- a/roles/nsd/vars/main.yml
+++ b/roles/nsd/vars/main.yml
@@ -0,0 +1,4 @@
+---
+
+nsd_default_etc_path: "/etc/nsd/"
+nsd_tsig_key_name: "tsig0"