✨: add nsd role

firewall.yml

@@ -1,7 +1,7 @@
 ---
 
 - name: Retrieve network info
-  hosts: all:!baybay-ponay.mateu.be:!machinbox.mateu.be:!muse-HP-EliteBook-820-G2.home.arpa
+  hosts: all:!disabled_server_conf:!machinbox.mateu.be
   gather_facts: true
   gather_subset:
     - network

group_vars/nsdservers.yml

@@ -0,0 +1,24 @@
+---
+
+zones:
+  - name: giteu.be
+    parking: true
+  - name: libertus.eu
+  - name: mateu.be
+  - name: monder.ch
+    parking: true
+  - name: nintendojo.fr
+  - name: nintendojofr.com
+    parking: true
+  - name: nupes.social
+    parking: true
+  - name: pipoworld.fr
+
+tsig_key: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          34333338336531313232313563373263613731636432653236646333376137646563316565613634
+          6665663431626165343534633336633635333337623135610a393664343735323733393063366362
+          35343766636266316263343733373937626436626264636434363138643765656436643231353963
+          3966363066353538300a666139663039323163306430373335663332366230313463623462373633
+          66373062316665346665376539316331633635626336303037643165626462383638333261363036
+          3535326630636437316638383663356136363566653865316239

nsd.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Deploy NSD
+  hosts: nsdservers
+  diff: true
+  roles:
+      - nsd

production.yml

@@ -75,6 +75,13 @@ resticservers:
       restic_backup_hour: 6
       restic_backup_minute: 45
 
+nsdservers:
+  hosts:
+    nsd-master1.ext.mateu.be:
+      master: true
+    dns1.dmz.mateu.be:
+      natted_ipv4: 82.66.135.228
+
 garageservers:
   children:
     garage_prd_cluster:
@@ -235,6 +242,7 @@ disabled_munin:
     muse-HP-EliteBook-820-G2.home.arpa:
     pinkypie.home.arpa:
     frederica.dmz.mateu.be:
+    nsd-master1.ext.mateu.be:
 
 disabled_syslog:
   hosts:
@@ -243,6 +251,14 @@ disabled_syslog:
     muse-HP-EliteBook-820-G2.home.arpa:
     pinkypie.home.arpa:
     frederica.dmz.mateu.be:
+    nsd-master1.ext.mateu.be:
+
+# Those are not servers and should not be configured as such
+disabled_server_conf:
+  hosts:
+    baybay-ponay.mateu.be:
+    muse-HP-EliteBook-820-G2.home.arpa:
+    pinkypie.home.arpa:
 
 ftpservers:
   hosts:

roles/firewall/templates/firewall.j2

@@ -339,6 +339,53 @@ config redirect
 	option dest_port '64738'
 	option target 'DNAT'
 
+# Allow DNS traffic
+config rule
+	option name 'Allow-INPUT-DNS'
+	option src 'wan'
+	list proto 'tcp'
+	list proto 'udp'
+	option dest 'dmz'
+	option dest_ip '{{ hostvars['dns1.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
+	option dest_port '53'
+	option target 'ACCEPT'
+	option family 'ipv6'
+
+config redirect
+	option name 'Allow-INPUT-DNS'
+	option src 'wan'
+	option src_dport '53'
+	list proto 'tcp'
+	list proto 'udp'
+	option dest 'dmz'
+	option dest_ip '{{ hostvars['dns1.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
+	option dest_port '53'
+	option target 'DNAT'
+
+config rule
+	option name 'Allow-OUTPUT-DNS'
+	option src 'dmz'
+	option src_ip '{{ hostvars['dns1.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
+	list proto 'tcp'
+	list proto 'udp'
+	option dest 'wan'
+	option dest_port '53'
+	option dest_ip '{{ hostvars['nsd-master1.ext.mateu.be']['ansible_default_ipv4']['address'] }}'
+	option target 'ACCEPT'
+	option family 'ipv4'
+
+config rule
+	option name 'Allow-OUTPUT-DNS'
+	option src 'dmz'
+	option src_ip '{{ hostvars['dns1.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
+	list proto 'tcp'
+	list proto 'udp'
+	option dest 'wan'
+	option dest_port '53'
+	option dest_ip '{{ hostvars['nsd-master1.ext.mateu.be']['ansible_default_ipv6']['address'] }}'
+	option target 'ACCEPT'
+	option family 'ipv6'
+
 # Allow mail traffic
 config rule
 	option name 'Allow-OUTPUT-SMTP'

roles/nsd/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+
+nsd_master: "{{ master | default(false) }}"

roles/nsd/handlers/main.yml

@@ -0,0 +1,11 @@
+---
+
+- name: Restart nsd
+  ansible.builtin.service:
+    name: nsd
+    state: restarted
+
+- name: Restart systemd-resolved
+  ansible.builtin.service:
+    name: systemd-resolved
+    state: restarted

roles/nsd/tasks/main.yml

@@ -0,0 +1,56 @@
+---
+
+- name: Install & check prerequisites
+  ansible.builtin.include_tasks: prerequisites.yml
+
+- name: Create slave group
+  ansible.builtin.group_by:
+    key: slave_nsdservers
+  when: not nsd_master
+
+- name: Create master group
+  ansible.builtin.group_by:
+    key: master_nsdservers
+  when: nsd_master
+
+- name: Create zone dir
+  ansible.builtin.file:
+    path: "{{ nsd_default_etc_path }}zones"
+    owner: root
+    group: root
+    mode: "0755"
+    state: directory
+
+- name: Create nsd.conf
+  ansible.builtin.template:
+    src: nsd.conf.j2
+    dest: "{{ nsd_default_etc_path }}nsd.conf"
+    owner: root
+    group: root
+    mode: "0640"
+  notify:
+    - Restart nsd
+
+- name: Create each zone in NSD
+  ansible.builtin.template:
+    src: zone.j2
+    dest: "{{ nsd_default_etc_path }}nsd.conf.d/{{ item }}.conf"
+    owner: root
+    group: root
+    mode: "0644"
+  loop: "{{ zones }}"
+  notify:
+    - Restart nsd
+
+- name: Force zone reload
+  ansible.builtin.meta: flush_handlers
+
+- name: Create zone and reload
+  ansible.builtin.include_tasks: zones.yml
+  loop: "{{ zones }}"
+  when: nsd_master
+
+- name: Ensure nsd is started
+  ansible.builtin.service:
+    name: nsd
+    state: started

roles/nsd/tasks/prerequisites.yml

@@ -0,0 +1,28 @@
+---
+
+- name: Gather facts on listening ports
+  community.general.listen_ports_facts:
+
+- name: Detect systemd-resolve
+  ansible.builtin.set_fact:
+    _systemd_resolve_enable: "{{ ansible_facts.udp_listen | selectattr('port', 'eq', 53) | selectattr('name', 'eq', 'systemd-resolve') | count > 0 }}"
+
+- name: Deactivate DNS stublistener
+  ansible.builtin.lineinfile:
+    path: /etc/systemd/resolved.conf
+    regex: '^#DNSStubListener=yes'
+    line: DNSStubListener=no
+  when: _systemd_resolve_enable
+  notify:
+    - Restart systemd-resolved
+
+- name: Force restart for stub resolver
+  ansible.builtin.meta: flush_handlers
+
+- name: Install nsd & utilities
+  ansible.builtin.package:
+    name:
+      - nsd
+      - dnsutils
+      - ldnsutils
+    state: present

roles/nsd/tasks/zones.yml

@@ -0,0 +1,28 @@
+---
+
+- name: Create zone file
+  ansible.builtin.template:
+    src: "{{ 'zones/parking.zone.j2' if item.parking | default(false) else 'zones/' ~ item.name ~ '.zone.j2' }}"
+    dest: "{{ nsd_default_etc_path }}zones/{{ item.name }}.zone"
+    owner: root
+    group: root
+    mode: "0644"
+  vars:
+    # This generates 99 different serial per day
+    dns_serial: "{{ ansible_date_time.year }}{{ ansible_date_time.month }}{{ ansible_date_time.day }}{{ ((ansible_date_time.hour | int * 3600 + ansible_date_time.minute | int * 60 + ansible_date_time.second | int) * 99 / 86400) | int }}"
+
+- name: Force zone file modification time
+  ansible.builtin.file:
+    path: "{{ nsd_default_etc_path }}zones/{{ item.name }}.zone"
+    state: touch
+    mode: "0644"
+
+- name: Check zone file
+  ansible.builtin.command:
+    cmd: "nsd-checkzone {{ item.name }} {{ nsd_default_etc_path }}zones/{{ item.name }}.zone"
+  changed_when: false
+
+- name: Reload zone
+  ansible.builtin.command:
+    cmd: "nsd-control reload {{ item.name }}"
+  changed_when: false

roles/nsd/templates/nsd.conf.j2

@@ -0,0 +1,11 @@
+key:
+	name: "{{ nsd_tsig_key_name }}"
+	algorithm: hmac-sha256
+	secret: "{{ tsig_key }}"
+
+server:
+	log-only-syslog: yes
+	hide-version: yes
+	zonesdir: "/etc/nsd/zones"
+
+include: "/etc/nsd/nsd.conf.d/*.conf"

roles/nsd/templates/zone.j2

@@ -0,0 +1,23 @@
+{% set other_server = groups['slave_nsdservers'] if nsd_master else (groups['master_nsdservers'] | first) -%}
+{% set default_ipv4 = hostvars[other_server].ansible_default_ipv4.address -%}
+{% set default_ipv6 = hostvars[other_server].ansible_default_ipv6.address -%}
+zone:
+    name: "{{ item.name }}"
+    zonefile: {{ item.name }}.zone
+    {% if nsd_master -%}
+    {% for server in other_server -%}
+    {% set default_ipv4 = hostvars[server].natted_ipv4 | default(hostvars[server].ansible_default_ipv4.address) -%}
+    {% set default_ipv6 = hostvars[server].ansible_default_ipv6.address -%}
+    notify: {{ default_ipv4 }} {{ nsd_tsig_key_name }}
+    provide-xfr: {{ default_ipv4 }} {{ nsd_tsig_key_name }}
+    notify: {{ default_ipv6 }} {{ nsd_tsig_key_name }}
+    provide-xfr: {{ default_ipv6 }} {{ nsd_tsig_key_name }}
+    {% endfor -%}
+    {% else -%}
+    {% set default_ipv4 = hostvars[other_server].natted_ipv4 | default(hostvars[other_server].ansible_default_ipv4.address) -%}
+    {% set default_ipv6 = hostvars[other_server].ansible_default_ipv6.address -%}
+    allow-notify: {{ default_ipv4 }} {{ nsd_tsig_key_name }}
+    request-xfr: {{ default_ipv4 }} {{ nsd_tsig_key_name }}
+    allow-notify: {{ default_ipv6 }} {{ nsd_tsig_key_name }}
+    request-xfr: {{ default_ipv6 }} {{ nsd_tsig_key_name }}
+    {% endif -%}

roles/nsd/templates/zones/libertus.eu.zone.j2

@@ -0,0 +1,42 @@
+$TTL 86400
+@		SOA {{ groups['master_nsdservers'] | first }}. tech.ovh.net. (
+				{{ dns_serial }}; serial number YYMMDDNN
+				28800; Refresh
+				7200; Retry
+				864000; Expire
+				86400; Min TTL
+			)
+
+{% for server in groups['nsdservers'] %}
+		NS	{{ server }}.
+{% endfor %}
+
+$ORIGIN {{ item.name }}.
+$TTL 7200
+        IN MX     1 mail.dmz.mateu.be.
+    600 IN TXT     "v=spf1 mx a:ks3370405.kimsufi.com -all"
+    600 IN TXT     "spf2.0/mfrom mx a:ks3370405.kimsufi.com -all"
+        IN CAA     0 issue "letsencrypt.org"
+_dmarc        IN TXT     "v=DMARC1; p=reject; rua=mailto:postmaster@mateu.be; adkim=s; aspf=s"
+_dmarc.p        IN TXT     "v=DMARC1; p=reject; rua=mailto:postmaster@mateu.be; adkim=s; aspf=s"
+_jabber._tcp        IN SRV     0 0 5269 jabber.dmz.mateu.be.
+_xmpp-client._tcp        IN SRV     0 0 5222 jabber.dmz.mateu.be.
+_xmpp-server._tcp        IN SRV     0 0 5269 jabber.dmz.mateu.be.
+_xmppconnect        IN TXT     "_xmpp-client-xbosh=https://xmpp.libertus.eu/http-bind"
+altsrv        IN CNAME     ks3370405.kimsufi.com.
+blog        IN CNAME     web1.dmz.mateu.be.
+conference        IN CNAME     jabber.dmz.mateu.be.
+dkim._domainkey        IN TXT     "v=DKIM1; k=rsa; t=s; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCv3kGIw5015Q35LLbkGwaBE+wC0PseodezDdkoGwzRsazEWINv1bg0mCIjtDbXLpv5VgRSynRyB+764i15DoFJp6mabcHlXxQVBWMClAtCJ9+Fn6SEwQjFbQeuFVQKH3xMwIq0S+ggP7qhFTaiLBn909Fi8oEMXGvqbBSlvoaeJwIDAQAB"
+dkim._domainkey.p        IN TXT     "v=DKIM1; k=rsa; t=s; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCv3kGIw5015Q35LLbkGwaBE+wC0PseodezDdkoGwzRsazEWINv1bg0mCIjtDbXLpv5VgRSynRyB+764i15DoFJp6mabcHlXxQVBWMClAtCJ9+Fn6SEwQjFbQeuFVQKH3xMwIq0S+ggP7qhFTaiLBn909Fi8oEMXGvqbBSlvoaeJwIDAQAB"
+fav        IN CNAME     web1.dmz.mateu.be.
+imap        IN CNAME     mail.dmz.mateu.be.
+mail        IN CNAME     web1.dmz.mateu.be.
+o        IN CNAME     web1.dmz.mateu.be.
+p        IN MX     1 mail.dmz.mateu.be.
+p    600 IN TXT     "v=spf1 mx a:ks3370405.kimsufi.com -all"
+p    600 IN TXT     "spf2.0/mfrom mx a:ks3370405.kimsufi.com -all"
+perso        IN CNAME     web1.dmz.mateu.be.
+rss        IN CNAME     web1.dmz.mateu.be.
+smtp        IN CNAME     mail.dmz.mateu.be.
+upload        IN CNAME     jabber.dmz.mateu.be.
+xmpp        IN CNAME     jabber.dmz.mateu.be.

roles/nsd/templates/zones/mateu.be.zone.j2

@@ -0,0 +1,101 @@
+$TTL 86400
+@		SOA {{ groups['master_nsdservers'] | first }}. tech.ovh.net. (
+				{{ dns_serial }}; serial number YYMMDDNN
+				28800; Refresh
+				7200; Retry
+				864000; Expire
+				86400; Min TTL
+			)
+
+{% for server in groups['nsdservers'] %}
+		NS	{{ server }}.
+{% endfor %}
+
+$ORIGIN {{ item.name }}.
+$TTL 7200
+$TTL 3600
+        IN MX     1 mail.dmz.mateu.be.
+    600 IN TXT     "v=spf1 mx a:ks3370405.kimsufi.com -all"
+    600 IN TXT     "spf2.0/mfrom mx a:ks3370405.kimsufi.com -all"
+        IN CAA     0 issue "letsencrypt.org"
+*.garage        IN CNAME     garage
+_dmarc        IN TXT     "v=DMARC1; p=reject; rua=mailto:postmaster@mateu.be; adkim=s; aspf=s"
+altsrv        IN CNAME     ks3370405.kimsufi.com.
+backup        IN A     10.233.212.60
+baybay-ponay        IN AAAA     2a01:e0a:9bd:2810:9e6b:ff:fe13:ef88
+bt        IN CNAME     bt.dmz.mateu.be.
+bt.dmz        IN A     82.66.135.228
+bt.dmz        IN AAAA     2a01:e0a:9bd:2811::3
+btf        IN CNAME     bt.dmz
+ciol        IN A     109.190.68.133
+derdriu        IN A     10.233.212.77
+dkim._domainkey        IN TXT     "v=DKIM1; k=rsa; t=s; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCv3kGIw5015Q35LLbkGwaBE+wC0PseodezDdkoGwzRsazEWINv1bg0mCIjtDbXLpv5VgRSynRyB+764i15DoFJp6mabcHlXxQVBWMClAtCJ9+Fn6SEwQjFbQeuFVQKH3xMwIq0S+ggP7qhFTaiLBn909Fi8oEMXGvqbBSlvoaeJwIDAQAB"
+dns1.dmz        IN A     82.66.135.228
+dns1.dmz        IN AAAA     2a01:e0a:9bd:2811::16
+dom        IN A     10.233.212.15
+dom.dmz        IN A     82.66.135.228
+dom.dmz        IN AAAA     2a01:e0a:9bd:2811::15
+emerandon.st        IN CNAME     altsrv
+enbarr.dmz        IN AAAA     2a01:e0a:9bd:2811::50
+es1.dmz        IN AAAA     2a01:e0a:9bd:2811::21
+es1.dmz        IN A     82.66.135.228
+evse        IN A     10.233.211.198
+fc        IN A     10.233.211.194
+frederica.dmz        IN A     82.66.135.228
+frederica.dmz        IN AAAA     2a01:e0a:9bd:2811::60
+ftp        IN A     10.233.212.14
+ftp.dmz        IN A     82.66.135.228
+ftp.dmz        IN AAAA     2a01:e0a:9bd:2811::14
+garage        IN CNAME     garage1.dmz.mateu.be.
+garage1.dmz        IN A     82.66.135.228
+garage1.dmz        IN AAAA     2a01:e0a:9bd:2811::11
+garreg-mach        IN A     10.233.212.66
+haproxy.dmz        IN A     82.66.135.228
+haproxy.dmz        IN AAAA     2a01:e0a:9bd:2811::2
+imprimante        IN A     10.233.212.94
+jabber.dmz        IN A     82.66.135.228
+jabber.dmz        IN AAAA     2a01:e0a:9bd:2811::10
+jackett        IN CNAME     bt.dmz.mateu.be.
+libertus.eu._report._dmarc        IN TXT     "v=DMARC1;"
+machinbox        IN A     82.66.135.228
+machinbox        IN AAAA     2a01:e0a:9bd:2810::1
+mail-relay        IN A     37.187.5.75
+mail.dmz        IN A     82.66.135.228
+mail.dmz        IN AAAA     2a01:e0a:9bd:2811::4
+mailalt        IN CNAME     ks3370405.kimsufi.com.
+masto1.dmz        IN A     82.66.135.228
+masto1.dmz        IN AAAA     2a01:e0a:9bd:2811::19
+munin        IN CNAME     munin.dmz
+munin.dmz        IN A     82.66.135.228
+munin.dmz        IN AAAA     2a01:e0a:9bd:2811::12
+nfs        IN A     10.233.212.60
+nintendojo.fr._report._dmarc        IN TXT     "v=DMARC1;"
+nsd-master1.ext        IN A     51.158.238.190
+nsd-master1.ext        IN AAAA     2001:bc8:5090:5bb:dc00:ff:fe20:8869
+p.libertus.eu._report._dmarc        IN TXT     "v=DMARC1;"
+pipoworld.fr._report._dmarc        IN TXT     "v=DMARC1;"
+pt1.dmz        IN A     82.66.135.228
+pt1.dmz        IN AAAA     2a01:e0a:9bd:2811::20
+r        IN CNAME     web1.dmz
+rb        IN A     194.156.203.253
+rc        IN A     10.233.211.195
+ror1.dmz        IN A     82.66.135.228
+ror1.dmz        IN AAAA     2a01:e0a:9bd:2811::18
+sachetpa.st        IN CNAME     altsrv
+serenor.dmz        IN AAAA     2a01:e0a:9bd:2811::59
+serenor.dmz        IN A     82.66.135.228
+sonarr        IN CNAME     bt.dmz
+syslog.dmz        IN AAAA     2a01:e0a:9bd:2811::8
+unifi.dmz        IN A     82.66.135.228
+unifi.dmz        IN AAAA     2a01:e0a:9bd:2811::13
+veretcle.st        IN CNAME     altsrv
+voice1.dmz        IN A     82.66.135.228
+voice1.dmz        IN AAAA     2a01:e0a:9bd:2811::7
+voice3.dmz        IN A     82.66.135.228
+voice3.dmz        IN AAAA     2a01:e0a:9bd:2811::9
+web1.dmz        IN A     82.66.135.228
+web1.dmz        IN AAAA     2a01:e0a:9bd:2811::5
+web2.dmz        IN A     82.66.135.228
+web2.dmz        IN AAAA     2a01:e0a:9bd:2811::6
+web3.dmz        IN A     82.66.135.228
+web3.dmz        IN AAAA     2a01:e0a:9bd:2811::17

roles/nsd/templates/zones/nintendojo.fr.zone.j2

@@ -0,0 +1,38 @@
+$TTL 86400
+@		SOA {{ groups['master_nsdservers'] | first }}. tech.ovh.net. (
+				{{ dns_serial }}; serial number YYMMDDNN
+				28800; Refresh
+				7200; Retry
+				864000; Expire
+				86400; Min TTL
+			)
+
+{% for server in groups['nsdservers'] %}
+		NS	{{ server }}.
+{% endfor %}
+
+$ORIGIN {{ item.name }}.
+$TTL 7200
+$TTL 3600
+        IN MX     1 mail.dmz.mateu.be.
+        IN A     82.66.135.228
+        IN AAAA     2a01:e0a:9bd:2811::6
+    600 IN TXT     "v=spf1 mx a:ks3370405.kimsufi.com -all"
+    600 IN TXT     "spf2.0/mfrom mx a:ks3370405.kimsufi.com -all"
+    600 IN TXT     "google-site-verification=rIe1fnrQnv-E1H8qsMtEIhM4XYUqCELshWH9pHkwPBI"
+        IN CAA     0 issue "letsencrypt.org"
+_dmarc        IN TXT     "v=DMARC1; p=reject; rua=mailto:postmaster@mateu.be; adkim=s; aspf=s"
+analyse        IN CNAME     web2.dmz.mateu.be.
+dkim._domainkey        IN TXT     "v=DKIM1; k=rsa; t=s; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCv3kGIw5015Q35LLbkGwaBE+wC0PseodezDdkoGwzRsazEWINv1bg0mCIjtDbXLpv5VgRSynRyB+764i15DoFJp6mabcHlXxQVBWMClAtCJ9+Fn6SEwQjFbQeuFVQKH3xMwIq0S+ggP7qhFTaiLBn909Fi8oEMXGvqbBSlvoaeJwIDAQAB"
+forum        IN CNAME     web2.dmz.mateu.be.
+m        IN CNAME     masto1.dmz.mateu.be.
+medias.m        IN CNAME     mastodon-ndfr.garage.mateu.be.
+mm        IN CNAME     mail.dmz.mateu.be.
+mumble        IN CNAME     voice1.dmz.mateu.be.
+original.p        IN CNAME     peertube-original-ndfr.garage.mateu.be.
+p        IN CNAME     pt1.dmz.mateu.be.
+perso        IN CNAME     web1.dmz.mateu.be.
+playlists.p        IN CNAME     peertube-videos-ndfr.garage.mateu.be.
+radio        IN CNAME     voice3.dmz.mateu.be.
+videos.p        IN CNAME     peertube-playlists-ndfr.garage.mateu.be.
+www        IN CNAME     web2.dmz.mateu.be.

roles/nsd/templates/zones/parking.zone.j2

@@ -0,0 +1,19 @@
+$TTL 86400
+@		SOA {{ groups['master_nsdservers'] | first }}. tech.ovh.net. (
+				{{ dns_serial }}; serial number YYMMDDNN
+				28800; Refresh
+				7200; Retry
+				864000; Expire
+				86400; Min TTL
+			)
+
+{% for server in groups['nsdservers'] %}
+		NS	{{ server }}.
+{% endfor %}
+
+$ORIGIN {{ item.name }}.
+$TTL 7200
+@			CAA	0 issue ";"
+@			TXT	"v=spf1 -all"
+@			TXT	"spf2.0/mfrom -all"
+_dmarc		TXT	"v=DMARC1;p=reject;pct=100;sp=reject;aspf=s;"

roles/nsd/templates/zones/pipoworld.fr.zone.j2

@@ -0,0 +1,22 @@
+$TTL 86400
+@		SOA {{ groups['master_nsdservers'] | first }}. tech.ovh.net. (
+				{{ dns_serial }}; serial number YYMMDDNN
+				28800; Refresh
+				7200; Retry
+				864000; Expire
+				86400; Min TTL
+			)
+
+{% for server in groups['nsdservers'] %}
+		NS	{{ server }}.
+{% endfor %}
+
+$ORIGIN {{ item.name }}.
+$TTL 7200
+        IN MX     1 mail.dmz.mateu.be.
+    600 IN TXT     "spf2.0/mfrom mx a:ks3370405.kimsufi.com  -all"
+    600 IN TXT     "v=spf1 mx a:ks3370405.kimsufi.com -all"
+        IN CAA     0 issue "letsencrypt.org"
+_dmarc        IN TXT     "v=DMARC1; p=reject; rua=mailto:postmaster@mateu.be; adkim=s; aspf=s"
+dkim._domainkey        IN TXT     "v=DKIM1; k=rsa; t=s; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCv3kGIw5015Q35LLbkGwaBE+wC0PseodezDdkoGwzRsazEWINv1bg0mCIjtDbXLpv5VgRSynRyB+764i15DoFJp6mabcHlXxQVBWMClAtCJ9+Fn6SEwQjFbQeuFVQKH3xMwIq0S+ggP7qhFTaiLBn909Fi8oEMXGvqbBSlvoaeJwIDAQAB"
+mm        IN CNAME     mail.dmz.mateu.be.

roles/nsd/vars/main.yml

@@ -0,0 +1,4 @@
+---
+
+nsd_default_etc_path: "/etc/nsd/"
+nsd_tsig_key_name: "tsig0"

site.yml

@@ -4,6 +4,8 @@
   import_playbook: system.yml
 - name: Run usb playbook
   import_playbook: usb.yml
+- name: Run nsd playbook
+  import_playbook: nsd.yml
 - name: Run smtprelay playbook
   import_playbook: smtprelay.yml
 - name: Run restic playbook

smtprelay.yml

@@ -1,7 +1,7 @@
 ---
 
 - name: Deploy smtp relay
-  hosts: all:!baybay-ponay.mateu.be:!machinbox.mateu.be:!mail.dmz.mateu.be:!muse-HP-EliteBook-820-G2.home.arpa:!frederica.dmz.mateu.be
+  hosts: all:!disabled_server_conf:!machinbox.mateu.be:!mail.dmz.mateu.be:!frederica.dmz.mateu.be
   diff: true
   roles:
     - smtprelay