✨: nsd, the comeback

roles/nsd/templates/nsd.conf.j2

@@ -0,0 +1,11 @@
+key:
+	name: "{{ nsd_tsig_key_name }}"
+	algorithm: hmac-sha256
+	secret: "{{ tsig_key }}"
+
+server:
+	log-only-syslog: yes
+	hide-version: yes
+	zonesdir: "/etc/nsd/zones"
+
+include: "/etc/nsd/nsd.conf.d/*.conf"

roles/nsd/templates/resignall.sh.j2

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+for i in {{ nsd_default_etc_path }}keys/*/*.ds
+do
+	# Get the different names
+	FILENAME=${i##*/}
+	KEYNAME=${FILENAME/.ds/}
+	DIRPATH=${i/${FILENAME}/}
+	_ZONEFILEPATH=${DIRPATH/keys/zones}
+	ZONEFILEPATH=${_ZONEFILEPATH%/*}.zone
+	_ZONENAME=${_ZONEFILEPATH%/*}
+	ZONENAME=${_ZONENAME##*/}
+
+	cd $DIRPATH
+	sudo -u nsd /usr/bin/ldns-signzone -o ${ZONENAME} -u ${ZONEFILEPATH} ${KEYNAME}
+	/usr/sbin/nsd-control reload ${ZONENAME}
+done

roles/nsd/templates/zone.j2

@@ -0,0 +1,23 @@
+{% set other_server = groups['slave_nsdservers'] if nsd_master else (groups['master_nsdservers'] | first) -%}
+{% set default_ipv4 = hostvars[other_server].ansible_default_ipv4.address -%}
+{% set default_ipv6 = hostvars[other_server].ansible_default_ipv6.address -%}
+zone:
+    name: "{{ item.name }}"
+    zonefile: {{ item.name }}.zone.signed
+    {% if nsd_master -%}
+    {% for server in other_server -%}
+    {% set default_ipv4 = hostvars[server].natted_ipv4 | default(hostvars[server].ansible_default_ipv4.address) -%}
+    {% set default_ipv6 = hostvars[server].ansible_default_ipv6.address -%}
+    notify: {{ default_ipv4 }} {{ nsd_tsig_key_name }}
+    provide-xfr: {{ default_ipv4 }} {{ nsd_tsig_key_name }}
+    notify: {{ default_ipv6 }} {{ nsd_tsig_key_name }}
+    provide-xfr: {{ default_ipv6 }} {{ nsd_tsig_key_name }}
+    {% endfor -%}
+    {% else -%}
+    {% set default_ipv4 = hostvars[other_server].natted_ipv4 | default(hostvars[other_server].ansible_default_ipv4.address) -%}
+    {% set default_ipv6 = hostvars[other_server].ansible_default_ipv6.address -%}
+    allow-notify: {{ default_ipv4 }} {{ nsd_tsig_key_name }}
+    request-xfr: {{ default_ipv4 }} {{ nsd_tsig_key_name }}
+    allow-notify: {{ default_ipv6 }} {{ nsd_tsig_key_name }}
+    request-xfr: {{ default_ipv6 }} {{ nsd_tsig_key_name }}
+    {% endif -%}

roles/nsd/templates/zones/giteu.be.zone.j2

@@ -0,0 +1,20 @@
+$TTL 86400
+@		IN SOA {{ groups['master_nsdservers'] | first }}. tech.ovh.net. (
+				{{ dns_serial }}; timestamp serial number
+				28800; Refresh
+				7200; Retry
+				864000; Expire
+				86400; Min TTL
+			)
+
+{% for server in groups['nsdservers'] %}
+@		IN NS {{ hostvars[server].ansible_host }}.
+{% endfor %}
+
+$ORIGIN {{ item.name }}.
+@		IN CAA 0 issue ";"
+@		IN MX 0 .
+@		IN TXT "v=spf1 -all"
+@		IN TXT "spf2.0/mfrom -all"
+_dmarc		IN TXT "v=DMARC1;p=reject;pct=100;sp=reject;aspf=s;"
+{{ web_hostname_block }}

roles/nsd/templates/zones/libertus.eu.zone.j2

@@ -0,0 +1,31 @@
+$TTL 86400
+@		IN SOA {{ groups['master_nsdservers'] | first }}. tech.ovh.net. (
+				{{ dns_serial }}; timestamp serial number
+				28800; Refresh
+				7200; Retry
+				864000; Expire
+				86400; Min TTL
+			)
+
+{% for server in groups['nsdservers'] %}
+@		IN NS {{ hostvars[server].ansible_host }}.
+{% endfor %}
+
+$ORIGIN {{ item.name }}.
+@		IN CAA 0 issue "letsencrypt.org"
+@		IN MX 1 mail.dmz.mateu.be.
+@		3600 IN TXT "v=spf1 mx a:ks3370405.kimsufi.com -all"
+@		3600 IN TXT "spf2.0/mfrom mx a:ks3370405.kimsufi.com -all"
+_dmarc		3600 IN TXT "v=DMARC1; p=reject; rua=mailto:report@mateu.be; adkim=s; aspf=s"
+dkim._domainkey		3600 IN TXT "v=DKIM1; k=rsa; t=s; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCv3kGIw5015Q35LLbkGwaBE+wC0PseodezDdkoGwzRsazEWINv1bg0mCIjtDbXLpv5VgRSynRyB+764i15DoFJp6mabcHlXxQVBWMClAtCJ9+Fn6SEwQjFbQeuFVQKH3xMwIq0S+ggP7qhFTaiLBn909Fi8oEMXGvqbBSlvoaeJwIDAQAB"
+_jabber._tcp		IN SRV 0 0 5269 jabber.dmz.mateu.be.
+_xmpp-client._tcp		IN SRV 0 0 5222 jabber.dmz.mateu.be.
+_xmpp-server._tcp		IN SRV 0 0 5269 jabber.dmz.mateu.be.
+_xmppconnect		IN TXT "_xmpp-client-xbosh=https://xmpp.libertus.eu/http-bind"
+altsrv		IN CNAME ks3370405.kimsufi.com.
+p		IN MX 1 mail.dmz.mateu.be.
+p		3600 IN TXT "v=spf1 mx a:ks3370405.kimsufi.com -all"
+p		3600 IN TXT "spf2.0/mfrom mx a:ks3370405.kimsufi.com -all"
+_dmarc.p		3600 IN TXT "v=DMARC1; p=reject; rua=mailto:report@mateu.be; adkim=s; aspf=s"
+dkim._domainkey.p		3600 IN TXT "v=DKIM1; k=rsa; t=s; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCv3kGIw5015Q35LLbkGwaBE+wC0PseodezDdkoGwzRsazEWINv1bg0mCIjtDbXLpv5VgRSynRyB+764i15DoFJp6mabcHlXxQVBWMClAtCJ9+Fn6SEwQjFbQeuFVQKH3xMwIq0S+ggP7qhFTaiLBn909Fi8oEMXGvqbBSlvoaeJwIDAQAB"
+{{ web_hostname_block }}

roles/nsd/templates/zones/mateu.be.zone.j2

@@ -0,0 +1,54 @@
+$TTL 86400
+@		IN	SOA {{ groups['master_nsdservers'] | first }}. tech.ovh.net. (
+				{{ dns_serial }}; timestamp serial number
+				28800; Refresh
+				7200; Retry
+				864000; Expire
+				86400; Min TTL
+			)
+
+{% for server in groups['nsdservers'] %}
+@		IN NS {{ hostvars[server].ansible_host | regex_replace('^([a-z0-9-]+)\\.', '\\1-v4.') if hostvars[server].ansible_host.endswith('dmz.mateu.be') else hostvars[server].ansible_host }}.
+{% endfor %}
+
+$ORIGIN {{ item.name }}.
+@		IN CAA 0 issue "letsencrypt.org"
+@		IN MX 1 mail.dmz.mateu.be.
+@		3600 IN TXT "v=spf1 mx a:ks3370405.kimsufi.com -all"
+@		3600 IN TXT "spf2.0/mfrom mx a:ks3370405.kimsufi.com -all"
+_dmarc		3600 IN TXT "v=DMARC1; p=reject; rua=mailto:report@mateu.be; adkim=s; aspf=s"
+dkim._domainkey		3600 IN TXT "v=DKIM1; k=rsa; t=s; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCv3kGIw5015Q35LLbkGwaBE+wC0PseodezDdkoGwzRsazEWINv1bg0mCIjtDbXLpv5VgRSynRyB+764i15DoFJp6mabcHlXxQVBWMClAtCJ9+Fn6SEwQjFbQeuFVQKH3xMwIq0S+ggP7qhFTaiLBn909Fi8oEMXGvqbBSlvoaeJwIDAQAB"
+libertus.eu._report._dmarc		3600 IN TXT "v=DMARC1;"
+nintendojo.fr._report._dmarc		3600 IN TXT "v=DMARC1;"
+p.libertus.eu._report._dmarc		3600 IN TXT "v=DMARC1;"
+altsrv		IN CNAME ks3370405.kimsufi.com.
+backup		IN A 10.233.212.60
+baybay-ponay		IN AAAA 2a01:e0a:9bd:2810:9e6b:ff:fe13:ef88
+ciol		IN A 109.190.68.133
+derdriu		IN A 10.233.212.77
+dom		IN A 10.233.212.15
+enbarr.dmz		IN AAAA 2a01:e0a:9bd:2811::50
+evse		IN A 10.233.211.198
+fc		IN A 10.233.211.194
+frederica.dmz		IN A {{ global_public_ip_address }}
+frederica.dmz		IN AAAA 2a01:e0a:9bd:2811::60
+ftp		IN A 10.233.212.14
+garreg-mach		IN A 10.233.212.66
+imprimante		IN A 10.233.212.94
+machinbox		IN A {{ global_public_ip_address }}
+machinbox		IN AAAA 2a01:e0a:9bd:2810::1
+mailalt		IN CNAME altsrv
+memcardprogc	IN A 10.233.211.199
+nfs		IN A 10.233.212.60
+rb		IN A 194.156.203.253
+rc		IN A 10.233.211.195
+serenor.dmz		IN A {{ global_public_ip_address }}
+serenor.dmz		IN AAAA 2a01:e0a:9bd:2811::59
+{% for proxmox_host in (groups['proxmox_all_lxc'] + groups['proxmox_all_qemu']) | sort %}
+{{ proxmox_host }}.dmz	IN A {{ global_public_ip_address }}
+{% if proxmox_host.startswith('dns') %}
+{{ proxmox_host }}-v4.dmz	IN A {{ global_public_ip_address }}
+{% endif %}
+{{ proxmox_host }}.dmz	IN AAAA {{ hostvars[proxmox_host].proxmox_net0.ip6 | ansible.utils.ipaddr('address') }}
+{% endfor %}
+{{ web_hostname_block }}

roles/nsd/templates/zones/nintendojo.fr.zone.j2

@@ -0,0 +1,23 @@
+$TTL 86400
+@		IN SOA {{ groups['master_nsdservers'] | first }}. tech.ovh.net. (
+				{{ dns_serial }}; timestamp serial number
+				28800; Refresh
+				7200; Retry
+				864000; Expire
+				86400; Min TTL
+			)
+
+{% for server in groups['nsdservers'] %}
+@		IN NS {{ hostvars[server].ansible_host }}.
+{% endfor %}
+
+$ORIGIN {{ item.name }}.
+@		IN CAA 0 issue "letsencrypt.org"
+@		IN MX 1 mail.dmz.mateu.be.
+@		3600 IN TXT "v=spf1 mx a:ks3370405.kimsufi.com -all"
+@		3600 IN TXT "spf2.0/mfrom mx a:ks3370405.kimsufi.com -all"
+@		3600 IN TXT "google-site-verification=rIe1fnrQnv-E1H8qsMtEIhM4XYUqCELshWH9pHkwPBI"
+_dmarc		3600 IN TXT "v=DMARC1; p=reject; rua=mailto:report@mateu.be; adkim=s; aspf=s"
+dkim._domainkey		3600 IN TXT "v=DKIM1; k=rsa; t=s; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCv3kGIw5015Q35LLbkGwaBE+wC0PseodezDdkoGwzRsazEWINv1bg0mCIjtDbXLpv5VgRSynRyB+764i15DoFJp6mabcHlXxQVBWMClAtCJ9+Fn6SEwQjFbQeuFVQKH3xMwIq0S+ggP7qhFTaiLBn909Fi8oEMXGvqbBSlvoaeJwIDAQAB"
+mumble		IN CNAME voice1.dmz.mateu.be.
+{{ web_hostname_block }}

roles/nsd/templates/zones/nintendojofr.com.zone.j2

@@ -0,0 +1,20 @@
+$TTL 86400
+@		IN SOA {{ groups['master_nsdservers'] | first }}. tech.ovh.net. (
+				{{ dns_serial }}; timestamp serial number
+				28800; Refresh
+				7200; Retry
+				864000; Expire
+				86400; Min TTL
+			)
+
+{% for server in groups['nsdservers'] %}
+@		IN NS {{ hostvars[server].ansible_host }}.
+{% endfor %}
+
+$ORIGIN {{ item.name }}.
+@		IN CAA 0 issue "letsencrypt.org"
+@		IN MX 0 .
+@		IN TXT "v=spf1 -all"
+@		IN TXT "spf2.0/mfrom -all"
+_dmarc		IN TXT "v=DMARC1;p=reject;pct=100;sp=reject;aspf=s;"
+{{ web_hostname_block }}

roles/nsd/templates/zones/parking.zone.j2

@@ -0,0 +1,19 @@
+$TTL 86400
+@		IN SOA {{ groups['master_nsdservers'] | first }}. tech.ovh.net. (
+				{{ dns_serial }}; timestamp serial number
+				28800; Refresh
+				7200; Retry
+				864000; Expire
+				86400; Min TTL
+			)
+
+{% for server in groups['nsdservers'] %}
+@		IN NS {{ hostvars[server].ansible_host }}.
+{% endfor %}
+
+$ORIGIN {{ item.name }}.
+@		IN CAA 0 issue ";"
+@		IN MX 0 .
+@		IN TXT "v=spf1 -all"
+@		IN TXT "spf2.0/mfrom -all"
+_dmarc		IN TXT "v=DMARC1;p=reject;pct=100;sp=reject;aspf=s;"