🔥: remove nsd completely

VC
2025-01-03 10:14:06 +01:00
parent d203265b1a
commit 969411a8d7
26 changed files with 0 additions and 689 deletions


@@ -1,2 +0,0 @@
---
natted_ipv4: 82.66.135.228


@@ -1,2 +0,0 @@
---
master: true


@@ -37,11 +37,6 @@ resticservers:
voice1.dmz.mateu.be: voice1.dmz.mateu.be:
web[1:3].dmz.mateu.be: web[1:3].dmz.mateu.be:
nsdservers:
hosts:
dns1.dmz.mateu.be:
nsd-master1.ext.mateu.be:
garageservers: garageservers:
children: children:
garage_prd_cluster: garage_prd_cluster:
@@ -152,7 +147,6 @@ disabled_munin:
baybay-ponay.mateu.be: baybay-ponay.mateu.be:
muse-HP-EliteBook-820-G2.home.arpa: muse-HP-EliteBook-820-G2.home.arpa:
pinkypie.home.arpa: pinkypie.home.arpa:
nsd-master1.ext.mateu.be:
pt-runner1.ext.mateu.be: pt-runner1.ext.mateu.be:
disabled_syslog: disabled_syslog:
@@ -160,7 +154,6 @@ disabled_syslog:
baybay-ponay.mateu.be: baybay-ponay.mateu.be:
machinbox.mateu.be: machinbox.mateu.be:
muse-HP-EliteBook-820-G2.home.arpa: muse-HP-EliteBook-820-G2.home.arpa:
nsd-master1.ext.mateu.be:
pinkypie.home.arpa: pinkypie.home.arpa:
pt-runner1.ext.mateu.be: pt-runner1.ext.mateu.be:


@@ -1,7 +0,0 @@
---
- name: Deploy NSD
hosts: nsdservers
diff: true
roles:
- nsd


@@ -6,8 +6,6 @@
import_playbook: nas.yml import_playbook: nas.yml
- name: Run usb playbook - name: Run usb playbook
import_playbook: usb.yml import_playbook: usb.yml
- name: Run nsd playbook
import_playbook: nsd.yml
- name: Run smtprelay playbook - name: Run smtprelay playbook
import_playbook: smtprelay.yml import_playbook: smtprelay.yml
- name: Run restic playbook - name: Run restic playbook


@@ -339,53 +339,6 @@ config redirect
option dest_port '64738' option dest_port '64738'
option target 'DNAT' option target 'DNAT'
# Allow DNS traffic
config rule
option name 'Allow-INPUT-DNS'
option src 'wan'
list proto 'tcp'
list proto 'udp'
option dest 'dmz'
option dest_ip '{{ hostvars['dns1.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
option dest_port '53'
option target 'ACCEPT'
option family 'ipv6'
config redirect
option name 'Allow-INPUT-DNS'
option src 'wan'
option src_dport '53'
list proto 'tcp'
list proto 'udp'
option dest 'dmz'
option dest_ip '{{ hostvars['dns1.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
option dest_port '53'
option target 'DNAT'
config rule
option name 'Allow-OUTPUT-DNS'
option src 'dmz'
option src_ip '{{ hostvars['dns1.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
list proto 'tcp'
list proto 'udp'
option dest 'wan'
option dest_port '53'
option dest_ip '{{ hostvars['nsd-master1.ext.mateu.be']['ansible_default_ipv4']['address'] }}'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-OUTPUT-DNS'
option src 'dmz'
option src_ip '{{ hostvars['dns1.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
list proto 'tcp'
list proto 'udp'
option dest 'wan'
option dest_port '53'
option dest_ip '{{ hostvars['nsd-master1.ext.mateu.be']['ansible_default_ipv6']['address'] }}'
option target 'ACCEPT'
option family 'ipv6'
# Allow mail traffic # Allow mail traffic
config rule config rule
option name 'Allow-OUTPUT-SMTP' option name 'Allow-OUTPUT-SMTP'


@@ -1,127 +0,0 @@
#!/bin/sh
: << =cut
=head1 NAME
nsd - Plugin to monitor nsd DNS server
=head1 CONFIGURATION
No configuration
=head1 AUTHOR
Kim Heino <b@bbbs.net>
=head1 LICENSE
GPLv2
=head1 MAGIC MARKERS
#%# family=auto
#%# capabilities=autoconf
=cut
if [ "$1" = "autoconf" ]; then
if [ -x /usr/sbin/nsd-control ]; then
echo "yes"
exit 0
else
echo "no (no /usr/sbin/nsd-control)"
exit 0
fi
fi
if [ "$1" = "config" ]; then
echo 'graph_title NSD queries'
echo 'graph_vlabel queries / second'
echo 'graph_category dns'
echo 'graph_info Queries per second, by query type'
echo 'a.label A'
echo 'a.type DERIVE'
echo 'a.min 0'
echo 'aaaa.label AAAA'
echo 'aaaa.type DERIVE'
echo 'aaaa.min 0'
echo 'ptr.label PTR'
echo 'ptr.type DERIVE'
echo 'ptr.min 0'
echo 'cname.label CNAME'
echo 'cname.type DERIVE'
echo 'cname.min 0'
echo 'mx.label MX'
echo 'mx.type DERIVE'
echo 'mx.min 0'
echo 'txt.label TXT'
echo 'txt.type DERIVE'
echo 'txt.min 0'
echo 'soa.label SOA'
echo 'soa.type DERIVE'
echo 'soa.min 0'
echo 'ns.label NS'
echo 'ns.type DERIVE'
echo 'ns.min 0'
echo 'srv.label SRV'
echo 'srv.type DERIVE'
echo 'srv.min 0'
echo 'dnskey.label DNSKEY'
echo 'dnskey.type DERIVE'
echo 'dnskey.min 0'
echo 'axfr.label AXFR'
echo 'axfr.type DERIVE'
echo 'axfr.min 0'
echo 'snxd.label NXDOMAIN'
echo 'snxd.type DERIVE'
echo 'snxd.min 0'
echo 'rq.label Total Successful'
echo 'rq.type DERIVE'
echo 'rq.min 0'
exit 0
fi
/usr/sbin/nsd-control stats_noreset | sed 's/=/ /; s/\.//g' | (
numtypeA=0
numtypeAAAA=0
numtypePTR=0
numtypeCNAME=0
numtypeMX=0
numtypeTXT=0
numtypeSOA=0
numtypeNS=0
numtypeSRV=0
numtypeDNSKEY=0
numraxfr=0
numrcodeNXDOMAIN=0
numqueries=0
while read -r key value rest; do
[ "${key}" = "numtypeA" ] && numtypeA=${value}
[ "${key}" = "numtypeAAAA" ] && numtypeAAAA=${value}
[ "${key}" = "numtypePTR" ] && numtypePTR=${value}
[ "${key}" = "numtypeCNAME" ] && numtypeCNAME=${value}
[ "${key}" = "numtypeMX" ] && numtypeMX=${value}
[ "${key}" = "numtypeTXT" ] && numtypeTXT=${value}
[ "${key}" = "numtypeSOA" ] && numtypeSOA=${value}
[ "${key}" = "numtypeNS" ] && numtypeNS=${value}
[ "${key}" = "numtypeSRV" ] && numtypeSRV=${value}
[ "${key}" = "numtypeDNSKEY" ] && numtypeDNSKEY=${value}
[ "${key}" = "numraxfr" ] && numraxfr=${value}
[ "${key}" = "numrcodeNXDOMAIN" ] && numrcodeNXDOMAIN=${value}
[ "${key}" = "numqueries" ] && numqueries=${value}
done
echo "a.value ${numtypeA}"
echo "aaaa.value ${numtypeAAAA}"
echo "ptr.value ${numtypePTR}"
echo "cname.value ${numtypeCNAME}"
echo "mx.value ${numtypeMX}"
echo "txt.value ${numtypeTXT}"
echo "soa.value ${numtypeSOA}"
echo "ns.value ${numtypeNS}"
echo "srv.value ${numtypeSRV}"
echo "dnskey.value ${numtypeDNSKEY}"
echo "axfr.value ${numraxfr}"
echo "snxd.value ${numrcodeNXDOMAIN}"
echo "rq.value ${numqueries}"
)


@@ -135,8 +135,3 @@
- name: Execute specific garage commands - name: Execute specific garage commands
ansible.builtin.include_tasks: garage.yml ansible.builtin.include_tasks: garage.yml
when: "'garageservers' in group_names" when: "'garageservers' in group_names"
# Specific nsd commands
- name: Execute specific nsd commands
ansible.builtin.include_tasks: nsd.yml
when: "'dns' in inventory_hostname"


@@ -1,21 +0,0 @@
---
- name: Put nsd plugin configuration
ansible.builtin.template:
src: nsd.j2
dest: /etc/munin/plugin-conf.d/nsd
owner: root
group: root
mode: "0o640"
notify:
- Restart munin-node
- name: Put nsd scripts
ansible.builtin.copy:
src: files/nsd
dest: /etc/munin/plugins/nsd
owner: root
group: root
mode: "0o755"
notify:
- Restart munin-node


@@ -1,2 +0,0 @@
[nsd]
user root


@@ -1,3 +0,0 @@
---
nsd_master: "{{ master | default(false) }}"


@@ -1,11 +0,0 @@
---
- name: Restart nsd
ansible.builtin.service:
name: nsd
state: restarted
- name: Restart systemd-resolved
ansible.builtin.service:
name: systemd-resolved
state: restarted


@@ -1,18 +0,0 @@
---
- name: Install cron script
ansible.builtin.template:
src: resignall.sh.j2
dest: "{{ nsd_cron_script }}"
owner: root
group: root
mode: "0o750"
- name: Install cron
ansible.builtin.cron:
name: "NSD zone resign"
hour: "3"
minute: "2"
weekday: "3"
job: "{{ nsd_cron_script }} &> /dev/null"
state: present


@@ -1,68 +0,0 @@
---
- name: Install & check prerequisites
ansible.builtin.include_tasks: prerequisites.yml
- name: Create slave group
ansible.builtin.group_by:
key: slave_nsdservers
when: not nsd_master
- name: Create master group
ansible.builtin.group_by:
key: master_nsdservers
when: nsd_master
- name: Create zone dir
ansible.builtin.file:
path: "{{ nsd_default_etc_path }}zones"
owner: nsd
group: nsd
mode: "0o755"
state: directory
- name: Create key dir
ansible.builtin.file:
path: "{{ nsd_default_etc_path }}keys"
owner: nsd
group: nsd
mode: "0o700"
state: directory
- name: Create nsd.conf
ansible.builtin.template:
src: nsd.conf.j2
dest: "{{ nsd_default_etc_path }}nsd.conf"
owner: root
group: root
mode: "0o640"
notify:
- Restart nsd
- name: Create each zone in NSD
ansible.builtin.template:
src: zone.j2
dest: "{{ nsd_default_etc_path }}nsd.conf.d/{{ item.name }}.conf"
owner: root
group: root
mode: "0o644"
loop: "{{ zones }}"
notify:
- Restart nsd
- name: Force zone reload
ansible.builtin.meta: flush_handlers
- name: Create zone and reload
ansible.builtin.include_tasks: zones.yml
loop: "{{ zones }}"
when: nsd_master
- name: Install renew cron
ansible.builtin.include_tasks: cron.yml
when: nsd_master
- name: Ensure nsd is started
ansible.builtin.service:
name: nsd
state: started


@@ -1,30 +0,0 @@
---
- name: Gather facts on listening ports
community.general.listen_ports_facts:
- name: Detect systemd-resolve
ansible.builtin.set_fact:
_systemd_resolve_enable: "{{ ansible_facts.udp_listen | selectattr('port', 'eq', 53) | selectattr('name', 'eq', 'systemd-resolve') | count > 0 }}"
- name: Deactivate DNS stublistener
ansible.builtin.lineinfile:
path: /etc/systemd/resolved.conf
regex: '^#DNSStubListener=yes'
line: DNSStubListener=no
when: _systemd_resolve_enable
notify:
- Restart systemd-resolved
- name: Force restart for stub resolver
ansible.builtin.meta: flush_handlers
- name: Install nsd & utilities
ansible.builtin.package:
name:
- nsd
- dnsutils
- ldnsutils
- cron
state: present
update_cache: true


@@ -1,56 +0,0 @@
---
- name: Create zone file
ansible.builtin.template:
src: "{{ 'zones/parking.zone.j2' if item.parking | default(false) else 'zones/' ~ item.name ~ '.zone.j2' }}"
dest: "{{ nsd_default_etc_path }}zones/{{ item.name }}.zone"
owner: nsd
group: nsd
mode: "0o644"
vars:
dns_serial: "{{ ansible_date_time.epoch }}"
web_hostname_block: |-
{% for webserver in groups['webservers'] | sort -%}
{% for web_hostname in (hostvars[webserver]['web_hostname'] | selectattr('host', 'match', '.+' ~ item.name) | sort(attribute='host')) -%}
{{ web_hostname.host | regex_replace('\.' ~ item.name ~ '$', '') }} IN CNAME {{ webserver }}.
{% endfor %}
{% endfor %}
- name: Create zone key dir
ansible.builtin.file:
path: "{{ nsd_default_etc_path }}keys/{{ item.name }}/"
owner: nsd
group: nsd
mode: "0o750"
state: directory
- name: Create the associated keys
become: true
become_user: nsd
ansible.builtin.command:
cmd: "ldns-keygen -a ECDSAP256SHA256 -k -s {{ item.name }}"
chdir: "{{ nsd_default_etc_path }}/keys/{{ item.name }}/"
creates: "{{ nsd_default_etc_path }}/keys/{{ item.name }}/.ds"
- name: Check zone file
ansible.builtin.command:
cmd: "nsd-checkzone {{ item.name }} {{ nsd_default_etc_path }}zones/{{ item.name }}.zone"
changed_when: false
- name: Stat associated keys
ansible.builtin.stat:
path: "{{ nsd_default_etc_path }}/keys/{{ item.name }}/.ds"
register: _stat_keys
- name: Sign zone file
become: true
become_user: nsd
ansible.builtin.command:
chdir: "{{ nsd_default_etc_path }}/keys/{{ item.name }}/"
cmd: "ldns-signzone -o {{ item.name }} -u {{ nsd_default_etc_path }}/zones/{{ item.name }}.zone {{ (_stat_keys.stat.lnk_target | split('.'))[:-1] | join('.') }}"
changed_when: true
- name: Reload zone
ansible.builtin.command:
cmd: "nsd-control reload {{ item.name }}"
changed_when: false


@@ -1,11 +0,0 @@
key:
name: "{{ nsd_tsig_key_name }}"
algorithm: hmac-sha256
secret: "{{ tsig_key }}"
server:
log-only-syslog: yes
hide-version: yes
zonesdir: "/etc/nsd/zones"
include: "/etc/nsd/nsd.conf.d/*.conf"


@@ -1,17 +0,0 @@
#!/bin/bash
for i in {{ nsd_default_etc_path }}keys/*/*.ds
do
# Get the different names
FILENAME=${i##*/}
KEYNAME=${FILENAME/.ds/}
DIRPATH=${i/${FILENAME}/}
_ZONEFILEPATH=${DIRPATH/keys/zones}
ZONEFILEPATH=${_ZONEFILEPATH%/*}.zone
_ZONENAME=${_ZONEFILEPATH%/*}
ZONENAME=${_ZONENAME##*/}
cd $DIRPATH
sudo -u nsd /usr/bin/ldns-signzone -o ${ZONENAME} -u ${ZONEFILEPATH} ${KEYNAME}
/usr/sbin/nsd-control reload ${ZONENAME}
done


@@ -1,23 +0,0 @@
{% set other_server = groups['slave_nsdservers'] if nsd_master else (groups['master_nsdservers'] | first) -%}
{% set default_ipv4 = hostvars[other_server].ansible_default_ipv4.address -%}
{% set default_ipv6 = hostvars[other_server].ansible_default_ipv6.address -%}
zone:
name: "{{ item.name }}"
zonefile: {{ item.name }}.zone.signed
{% if nsd_master -%}
{% for server in other_server -%}
{% set default_ipv4 = hostvars[server].natted_ipv4 | default(hostvars[server].ansible_default_ipv4.address) -%}
{% set default_ipv6 = hostvars[server].ansible_default_ipv6.address -%}
notify: {{ default_ipv4 }} {{ nsd_tsig_key_name }}
provide-xfr: {{ default_ipv4 }} {{ nsd_tsig_key_name }}
notify: {{ default_ipv6 }} {{ nsd_tsig_key_name }}
provide-xfr: {{ default_ipv6 }} {{ nsd_tsig_key_name }}
{% endfor -%}
{% else -%}
{% set default_ipv4 = hostvars[other_server].natted_ipv4 | default(hostvars[other_server].ansible_default_ipv4.address) -%}
{% set default_ipv6 = hostvars[other_server].ansible_default_ipv6.address -%}
allow-notify: {{ default_ipv4 }} {{ nsd_tsig_key_name }}
request-xfr: {{ default_ipv4 }} {{ nsd_tsig_key_name }}
allow-notify: {{ default_ipv6 }} {{ nsd_tsig_key_name }}
request-xfr: {{ default_ipv6 }} {{ nsd_tsig_key_name }}
{% endif -%}


@@ -1,33 +0,0 @@
$TTL 86400
@ IN SOA {{ groups['master_nsdservers'] | first }}. tech.ovh.net. (
{{ dns_serial }}; timestamp serial number
28800; Refresh
7200; Retry
864000; Expire
86400; Min TTL
)
{% for server in groups['nsdservers'] %}
@ IN NS {{ server }}.
{% endfor %}
$ORIGIN {{ item.name }}.
@ IN CAA 0 issue "letsencrypt.org"
@ IN MX 1 mail.dmz.mateu.be.
@ IN A 82.66.135.228
@ IN AAAA 2a01:e0a:9bd:2811::10
@ 3600 IN TXT "v=spf1 mx a:ks3370405.kimsufi.com -all"
@ 3600 IN TXT "spf2.0/mfrom mx a:ks3370405.kimsufi.com -all"
_dmarc 3600 IN TXT "v=DMARC1; p=reject; rua=mailto:report@mateu.be; adkim=s; aspf=s"
dkim._domainkey 3600 IN TXT "v=DKIM1; k=rsa; t=s; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCv3kGIw5015Q35LLbkGwaBE+wC0PseodezDdkoGwzRsazEWINv1bg0mCIjtDbXLpv5VgRSynRyB+764i15DoFJp6mabcHlXxQVBWMClAtCJ9+Fn6SEwQjFbQeuFVQKH3xMwIq0S+ggP7qhFTaiLBn909Fi8oEMXGvqbBSlvoaeJwIDAQAB"
_jabber._tcp IN SRV 0 0 5269 jabber.dmz.mateu.be.
_xmpp-client._tcp IN SRV 0 0 5222 jabber.dmz.mateu.be.
_xmpp-server._tcp IN SRV 0 0 5269 jabber.dmz.mateu.be.
_xmppconnect IN TXT "_xmpp-client-xbosh=https://xmpp.libertus.eu/http-bind"
altsrv IN CNAME ks3370405.kimsufi.com.
p IN MX 1 mail.dmz.mateu.be.
p 3600 IN TXT "v=spf1 mx a:ks3370405.kimsufi.com -all"
p 3600 IN TXT "spf2.0/mfrom mx a:ks3370405.kimsufi.com -all"
_dmarc.p 3600 IN TXT "v=DMARC1; p=reject; rua=mailto:report@mateu.be; adkim=s; aspf=s"
dkim._domainkey.p 3600 IN TXT "v=DKIM1; k=rsa; t=s; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCv3kGIw5015Q35LLbkGwaBE+wC0PseodezDdkoGwzRsazEWINv1bg0mCIjtDbXLpv5VgRSynRyB+764i15DoFJp6mabcHlXxQVBWMClAtCJ9+Fn6SEwQjFbQeuFVQKH3xMwIq0S+ggP7qhFTaiLBn909Fi8oEMXGvqbBSlvoaeJwIDAQAB"
{{ web_hostname_block }}


@@ -1,103 +0,0 @@
$TTL 86400
@ IN SOA {{ groups['master_nsdservers'] | first }}. tech.ovh.net. (
{{ dns_serial }}; timestamp serial number
28800; Refresh
7200; Retry
864000; Expire
86400; Min TTL
)
{% for server in groups['nsdservers'] %}
@ IN NS {{ server | regex_replace('^([a-z0-9-]+)\\.', '\\1-v4.') }}.
{% endfor %}
$ORIGIN {{ item.name }}.
@ IN CAA 0 issue "letsencrypt.org"
@ IN MX 1 mail.dmz.mateu.be.
@ 3600 IN TXT "v=spf1 mx a:ks3370405.kimsufi.com -all"
@ 3600 IN TXT "spf2.0/mfrom mx a:ks3370405.kimsufi.com -all"
_dmarc 3600 IN TXT "v=DMARC1; p=reject; rua=mailto:report@mateu.be; adkim=s; aspf=s"
dkim._domainkey 3600 IN TXT "v=DKIM1; k=rsa; t=s; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCv3kGIw5015Q35LLbkGwaBE+wC0PseodezDdkoGwzRsazEWINv1bg0mCIjtDbXLpv5VgRSynRyB+764i15DoFJp6mabcHlXxQVBWMClAtCJ9+Fn6SEwQjFbQeuFVQKH3xMwIq0S+ggP7qhFTaiLBn909Fi8oEMXGvqbBSlvoaeJwIDAQAB"
libertus.eu._report._dmarc 3600 IN TXT "v=DMARC1;"
nintendojo.fr._report._dmarc 3600 IN TXT "v=DMARC1;"
p.libertus.eu._report._dmarc 3600 IN TXT "v=DMARC1;"
altsrv IN CNAME ks3370405.kimsufi.com.
backup IN A 10.233.212.60
baybay-ponay IN AAAA 2a01:e0a:9bd:2810:9e6b:ff:fe13:ef88
bt.dmz IN A 82.66.135.228
bt.dmz IN AAAA 2a01:e0a:9bd:2811::3
ciol IN A 109.190.68.133
derdriu IN A 10.233.212.77
dns1.dmz IN A 82.66.135.228
dns1-v4.dmz IN A 82.66.135.228
dns1.dmz IN AAAA 2a01:e0a:9bd:2811::16
dns1-v6.dmz IN AAAA 2a01:e0a:9bd:2811::16
dom IN A 10.233.212.15
dom.dmz IN A 82.66.135.228
dom.dmz IN AAAA 2a01:e0a:9bd:2811::15
emerandon.st IN CNAME altsrv
enbarr.dmz IN AAAA 2a01:e0a:9bd:2811::50
es1.dmz IN A 82.66.135.228
es1.dmz IN AAAA 2a01:e0a:9bd:2811::21
evse IN A 10.233.211.198
fc IN A 10.233.211.194
frederica.dmz IN A 82.66.135.228
frederica.dmz IN AAAA 2a01:e0a:9bd:2811::60
ftp IN A 10.233.212.14
ftp.dmz IN A 82.66.135.228
ftp.dmz IN AAAA 2a01:e0a:9bd:2811::14
garage1.dmz IN A 82.66.135.228
garage1.dmz IN AAAA 2a01:e0a:9bd:2811::11
garreg-mach IN A 10.233.212.66
haproxy.dmz IN A 82.66.135.228
haproxy.dmz IN AAAA 2a01:e0a:9bd:2811::2
imprimante IN A 10.233.212.94
jabber.dmz IN A 82.66.135.228
jabber.dmz IN AAAA 2a01:e0a:9bd:2811::10
k3sn0.dmz IN A 82.66.135.228
k3sn0.dmz IN AAAA 2a01:e0a:9bd:2811::40
k3sn1.dmz IN A 82.66.135.228
k3sn1.dmz IN AAAA 2a01:e0a:9bd:2811::41
k3sn2.dmz IN A 82.66.135.228
k3sn2.dmz IN AAAA 2a01:e0a:9bd:2811::42
machinbox IN A 82.66.135.228
machinbox IN AAAA 2a01:e0a:9bd:2810::1
mail-relay IN A 37.187.5.75
mail.dmz IN A 82.66.135.228
mail.dmz IN AAAA 2a01:e0a:9bd:2811::4
mailalt IN CNAME altsrv
masto1.dmz IN A 82.66.135.228
masto1.dmz IN AAAA 2a01:e0a:9bd:2811::19
memcardprogc IN A 10.233.211.199
munin.dmz IN A 82.66.135.228
munin.dmz IN AAAA 2a01:e0a:9bd:2811::12
nfs IN A 10.233.212.60
nsd-master1.ext IN A 51.158.245.194
nsd-master1-v4.ext IN A 51.158.245.194
nsd-master1.ext IN AAAA 2001:bc8:5090:79b:dc00:ff:fe25:ad75
nsd-master1-v6.ext IN AAAA 2001:bc8:5090:79b:dc00:ff:fe25:ad75
patoche.ext IN A 51.159.156.201
patoche.ext IN AAAA 2001:bc8:1210:2efc:dc00:ff:fe4e:ef53
pt1.dmz IN A 82.66.135.228
pt1.dmz IN AAAA 2a01:e0a:9bd:2811::20
pt-runner1.ext IN AAAA 2001:bc8:1d90:b77:dc00:ff:fe17:bc83
rb IN A 194.156.203.253
rc IN A 10.233.211.195
sachetpa.st IN CNAME altsrv
serenor.dmz IN A 82.66.135.228
serenor.dmz IN AAAA 2a01:e0a:9bd:2811::59
syslog.dmz IN AAAA 2a01:e0a:9bd:2811::8
unifi.dmz IN A 82.66.135.228
unifi.dmz IN AAAA 2a01:e0a:9bd:2811::13
veretcle.st IN CNAME altsrv
voice1.dmz IN A 82.66.135.228
voice1.dmz IN AAAA 2a01:e0a:9bd:2811::7
voice3.dmz IN A 82.66.135.228
voice3.dmz IN AAAA 2a01:e0a:9bd:2811::9
web1.dmz IN A 82.66.135.228
web1.dmz IN AAAA 2a01:e0a:9bd:2811::5
web2.dmz IN A 82.66.135.228
web2.dmz IN AAAA 2a01:e0a:9bd:2811::6
web3.dmz IN A 82.66.135.228
web3.dmz IN AAAA 2a01:e0a:9bd:2811::17
{{ web_hostname_block }}


@@ -1,25 +0,0 @@
$TTL 86400
@ IN SOA {{ groups['master_nsdservers'] | first }}. tech.ovh.net. (
{{ dns_serial }}; timestamp serial number
28800; Refresh
7200; Retry
864000; Expire
86400; Min TTL
)
{% for server in groups['nsdservers'] %}
@ IN NS {{ server }}.
{% endfor %}
$ORIGIN {{ item.name }}.
@ IN CAA 0 issue "letsencrypt.org"
@ IN MX 1 mail.dmz.mateu.be.
@ IN A 82.66.135.228
@ IN AAAA 2a01:e0a:9bd:2811::6
@ 3600 IN TXT "v=spf1 mx a:ks3370405.kimsufi.com -all"
@ 3600 IN TXT "spf2.0/mfrom mx a:ks3370405.kimsufi.com -all"
@ 3600 IN TXT "google-site-verification=rIe1fnrQnv-E1H8qsMtEIhM4XYUqCELshWH9pHkwPBI"
_dmarc 3600 IN TXT "v=DMARC1; p=reject; rua=mailto:report@mateu.be; adkim=s; aspf=s"
dkim._domainkey 3600 IN TXT "v=DKIM1; k=rsa; t=s; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCv3kGIw5015Q35LLbkGwaBE+wC0PseodezDdkoGwzRsazEWINv1bg0mCIjtDbXLpv5VgRSynRyB+764i15DoFJp6mabcHlXxQVBWMClAtCJ9+Fn6SEwQjFbQeuFVQKH3xMwIq0S+ggP7qhFTaiLBn909Fi8oEMXGvqbBSlvoaeJwIDAQAB"
mumble IN CNAME voice1.dmz.mateu.be.
{{ web_hostname_block }}


@@ -1,22 +0,0 @@
$TTL 86400
@ IN SOA {{ groups['master_nsdservers'] | first }}. tech.ovh.net. (
{{ dns_serial }}; timestamp serial number
28800; Refresh
7200; Retry
864000; Expire
86400; Min TTL
)
{% for server in groups['nsdservers'] %}
@ IN NS {{ server }}.
{% endfor %}
$ORIGIN {{ item.name }}.
@ IN CAA 0 issue "letsencrypt.org"
@ IN MX 0 .
@ IN A 82.66.135.228
@ IN AAAA 2a01:e0a:9bd:2811::6
@ IN TXT "v=spf1 -all"
@ IN TXT "spf2.0/mfrom -all"
_dmarc IN TXT "v=DMARC1;p=reject;pct=100;sp=reject;aspf=s;"
{{ web_hostname_block }}


@@ -1,19 +0,0 @@
$TTL 86400
@ IN SOA {{ groups['master_nsdservers'] | first }}. tech.ovh.net. (
{{ dns_serial }}; timestamp serial number
28800; Refresh
7200; Retry
864000; Expire
86400; Min TTL
)
{% for server in groups['nsdservers'] %}
@ IN NS {{ server }}.
{% endfor %}
$ORIGIN {{ item.name }}.
@ IN CAA 0 issue ";"
@ IN MX 0 .
@ IN TXT "v=spf1 -all"
@ IN TXT "spf2.0/mfrom -all"
_dmarc IN TXT "v=DMARC1;p=reject;pct=100;sp=reject;aspf=s;"


@@ -1,23 +0,0 @@
$TTL 86400
@ IN SOA {{ groups['master_nsdservers'] | first }}. tech.ovh.net. (
{{ dns_serial }}; timestamp serial number
28800; Refresh
7200; Retry
864000; Expire
86400; Min TTL
)
{% for server in groups['nsdservers'] %}
@ IN NS {{ server }}.
{% endfor %}
$ORIGIN {{ item.name }}.
@ IN CAA 0 issue "letsencrypt.org"
@ IN A 82.66.135.228
@ IN AAAA 2a01:e0a:9bd:2811::17
@ IN MX 0 .
@ 3600 IN TXT "v=spf1 -all"
@ 3600 IN TXT "spf2.0/mfrom -all"
_dmarc 3600 IN TXT "v=DMARC1;p=reject;pct=100;sp=reject;aspf=s;"
@ 3600 IN TXT "google-site-verification=Ptj7up6CWDNVy_AQjKrJf9yY08Tu7OTE30XIgG-ISGU"
{{ web_hostname_block }}


@@ -1,5 +0,0 @@
---
nsd_default_etc_path: "/etc/nsd/"
nsd_tsig_key_name: "tsig0"
nsd_cron_script: /usr/local/bin/resignall.sh