diff --git a/roles/nsd/tasks/cron.yml b/roles/nsd/tasks/cron.yml new file mode 100644 index 0000000..bbf4f7d --- /dev/null +++ b/roles/nsd/tasks/cron.yml @@ -0,0 +1,18 @@ +--- + +- name: Install cron script + ansible.builtin.template: + src: resignall.sh.j2 + dest: "{{ nsd_cron_script }}" + owner: root + group: root + mode: "0o750" + +- name: Install cron + ansible.builtin.cron: + name: "NSD zone resign" + hour: "3" + minute: "2" + weekday: "3" + job: "{{ nsd_cron_script }} &> /dev/null" + state: present diff --git a/roles/nsd/tasks/main.yml b/roles/nsd/tasks/main.yml index 40d1e2e..857f074 100644 --- a/roles/nsd/tasks/main.yml +++ b/roles/nsd/tasks/main.yml @@ -16,11 +16,19 @@ - name: Create zone dir ansible.builtin.file: path: "{{ nsd_default_etc_path }}zones" - owner: root - group: root + owner: nsd + group: nsd mode: "0o755" state: directory +- name: Create key dir + ansible.builtin.file: + path: "{{ nsd_default_etc_path }}keys" + owner: nsd + group: nsd + mode: "0o700" + state: directory + - name: Create nsd.conf ansible.builtin.template: src: nsd.conf.j2 @@ -50,6 +58,10 @@ loop: "{{ zones }}" when: nsd_master +- name: Install renew cron + ansible.builtin.include_tasks: cron.yml + when: nsd_master + - name: Ensure nsd is started ansible.builtin.service: name: nsd diff --git a/roles/nsd/tasks/prerequisites.yml b/roles/nsd/tasks/prerequisites.yml index 925ffb2..7bb993c 100644 --- a/roles/nsd/tasks/prerequisites.yml +++ b/roles/nsd/tasks/prerequisites.yml @@ -25,4 +25,5 @@ - nsd - dnsutils - ldnsutils + - cron state: present diff --git a/roles/nsd/tasks/zones.yml b/roles/nsd/tasks/zones.yml index 78093ba..e4919e9 100644 --- a/roles/nsd/tasks/zones.yml +++ b/roles/nsd/tasks/zones.yml 
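Review bot: `job: "{{ nsd_cron_script }} &> /dev/null"` in the `Install cron` task is executed by cron under `/bin/sh`, where `&>` is not a redirection: a POSIX shell parses it as `… &` (run in the background) followed by an empty `> /dev/null`, so the output is not suppressed and the script's exit status is lost. Use `job: "{{ nsd_cron_script }} >/dev/null"` so stdout is discarded while stderr still reaches cron's mail, which is the only signal the operator gets that resigning stopped before the RRSIGs expire; if bash syntax is really needed, set `SHELL` through the module's `env` option instead of relying on it. Since the job lands in root's crontab and the template is installed root:root 0750, a comment above `Install cron` such as `# runs as root: the script drops to nsd via sudo for signing and needs root for nsd-control` would make the privilege split explicit.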
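Review bot: Re-owning `zones` to nsd:nsd and adding an nsd-owned 0700 `keys` directory in the first main.yml hunk puts the DNSSEC private keys and the zone data under the same uid the daemon runs as, so a compromise of the nsd process would also yield the signing keys and write access to every zone file, where previously `zones` was root-owned. This appears intentional, because the signing tasks in zones.yml run with `become_user: nsd`, but the trade-off deserves a comment above `Create key dir`, e.g. `# keys/ is owned by nsd because key generation and (re)signing run as that user; the daemon can therefore read its own private keys`. If the role's threat model cares about that separation, a dedicated signing user with nsd needing only read access to the `.zone.signed` output would restore it.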
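Review bot: The new `resignall.sh.j2` invokes `sudo -u nsd`, but this prerequisites hunk only adds `cron` to the package list; unless `sudo` is guaranteed by another role, the weekly resign fails on hosts without it, and that failure is currently hidden by the cron job's redirect. Either add `- sudo` next to `- cron`, or remove the dependency by switching the script to `runuser -u nsd --` from util-linux.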
@@ -4,24 +4,47 @@ ansible.builtin.template: src: "{{ 'zones/parking.zone.j2' if item.parking | default(false) else 'zones/' ~ item.name ~ '.zone.j2' }}" dest: "{{ nsd_default_etc_path }}zones/{{ item.name }}.zone" - owner: root - group: root + owner: nsd + group: nsd mode: "0o644" vars: # This generates 99 different serial per day dns_serial: "{{ ansible_date_time.epoch }}" -- name: Force zone file modification time +- name: Create zone key dir ansible.builtin.file: - path: "{{ nsd_default_etc_path }}zones/{{ item.name }}.zone" - state: touch - mode: "0o644" + path: "{{ nsd_default_etc_path }}keys/{{ item.name }}/" + owner: nsd + group: nsd + mode: "0o750" + state: directory + +- name: Create the associated keys + become: true + become_user: nsd + ansible.builtin.command: + cmd: "ldns-keygen -a ECDSAP256SHA256 -k -s {{ item.name }}" + chdir: "{{ nsd_default_etc_path }}/keys/{{ item.name }}/" + creates: "{{ nsd_default_etc_path }}/keys/{{ item.name }}/.ds" - name: Check zone file ansible.builtin.command: cmd: "nsd-checkzone {{ item.name }} {{ nsd_default_etc_path }}zones/{{ item.name }}.zone" changed_when: false +- name: Stat associated keys + ansible.builtin.stat: + path: "{{ nsd_default_etc_path }}/keys/{{ item.name }}/.ds" + register: _stat_keys + +- name: Sign zone file + become: true + become_user: nsd + ansible.builtin.command: + chdir: "{{ nsd_default_etc_path }}/keys/{{ item.name }}/" + cmd: "ldns-signzone -o {{ item.name }} -u {{ nsd_default_etc_path }}/zones/{{ item.name }}.zone {{ (_stat_keys.stat.lnk_target | split('.'))[:-1] | join('.') }}" + changed_when: true + - name: Reload zone ansible.builtin.command: cmd: "nsd-control reload {{ item.name }}" diff --git a/roles/nsd/templates/resignall.sh.j2 b/roles/nsd/templates/resignall.sh.j2 new file mode 100644 index 0000000..5e8cecd --- /dev/null +++ b/roles/nsd/templates/resignall.sh.j2 
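Review bot: `Create the associated keys` generates the key once (the `creates:` guard on `.ds` skips it on every later run), but nothing in the play enforces the mode of the `.private` file ldns-keygen writes next to `.ds`, and nothing records that the DS in `.ds` still has to be published at the parent, so the key's protection rests on ldns-keygen's own defaults and on a manual step. A follow-up `ansible.builtin.file` task restricting the generated `.private` file to `mode: "0o600"` (confirm the exact filename on the target ldns version) would make the permission explicit, and a comment above the task, `# one-time key generation as nsd; the DS record in .ds must be published at the parent by hand, and key rollover is not automated`, would document the operational gap. The same hunk joins paths as `{{ nsd_default_etc_path }}/keys/` in three tasks while `Create zone key dir` uses `{{ nsd_default_etc_path }}keys/`; with the variable ending in `/` both resolve, but one form avoids a `//` path and keeps the `creates:` path comparable with the directory task. The task list this hunk belongs to continues outside the hunk.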
@@ -0,0 +1,17 @@ +#!/bin/bash + +for i in {{ nsd_default_etc_path }}keys/*/*.ds +do + # Get the different names + FILENAME=${i##*/} + KEYNAME=${FILENAME/.ds/} + DIRPATH=${i/${FILENAME}/} + _ZONEFILEPATH=${DIRPATH/keys/zones} + ZONEFILEPATH=${_ZONEFILEPATH%/*}.zone + _ZONENAME=${_ZONEFILEPATH%/*} + ZONENAME=${_ZONENAME##*/} + + cd $DIRPATH + sudo -u nsd /usr/bin/ldns-signzone -o ${ZONENAME} -u ${ZONEFILEPATH} ${KEYNAME} + /usr/sbin/nsd-control reload ${ZONENAME} +done diff --git a/roles/nsd/templates/zone.j2 b/roles/nsd/templates/zone.j2 index 1da82d2..3c9c776 100644 --- a/roles/nsd/templates/zone.j2 +++ b/roles/nsd/templates/zone.j2 @@ -3,7 +3,7 @@ {% set default_ipv6 = hostvars[other_server].ansible_default_ipv6.address -%} zone: name: "{{ item.name }}" - zonefile: {{ item.name }}.zone + zonefile: {{ item.name }}.zone.signed {% if nsd_master -%} {% for server in other_server -%} {% set default_ipv4 = hostvars[server].natted_ipv4 | default(hostvars[server].ansible_default_ipv4.address) -%} diff --git a/roles/nsd/templates/zones/parking.zone.j2 b/roles/nsd/templates/zones/parking.zone.j2 index ca7a271..87136df 100644 --- a/roles/nsd/templates/zones/parking.zone.j2 +++ b/roles/nsd/templates/zones/parking.zone.j2 @@ -14,6 +14,7 @@ $TTL 86400 $ORIGIN {{ item.name }}. $TTL 7200 @ CAA 0 issue ";" +@ MX 0 . @ TXT "v=spf1 -all" @ TXT "spf2.0/mfrom -all" _dmarc TXT "v=DMARC1;p=reject;pct=100;sp=reject;aspf=s;" diff --git a/roles/nsd/vars/main.yml b/roles/nsd/vars/main.yml index 911e4aa..3cb5fe8 100644 --- a/roles/nsd/vars/main.yml +++ b/roles/nsd/vars/main.yml @@ -2,3 +2,4 @@ nsd_default_etc_path: "/etc/nsd/" nsd_tsig_key_name: "tsig0" +nsd_cron_script: /usr/local/bin/resignall.sh
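Review bot: `cd $DIRPATH` on the line before the signing call is unquoted and unchecked, so if the directory is missing or the name contains whitespace the script keeps running in the previous directory, `ldns-signzone` fails on the relative key name, and `nsd-control reload` still runs; the loop also lacks `nullglob`, so an empty `keys/` tree iterates the literal pattern, and every expansion is unquoted. Because the cron entry discards the output, none of this surfaces until validators start failing on expired signatures. The version below checks the `cd`, reloads only after a successful signing, and exits non-zero so cron reports the failure.

```shell
#!/bin/bash
set -u
shopt -s nullglob   # an empty keys/ tree must not iterate the literal pattern
rc=0

for i in {{ nsd_default_etc_path }}keys/*/*.ds
do
    # … unchanged: FILENAME / KEYNAME / DIRPATH / ZONEFILEPATH / ZONENAME derivation …

    if ! cd "${DIRPATH}"; then
        echo "resignall: cannot enter ${DIRPATH}" >&2
        rc=1
        continue
    fi
    if sudo -u nsd /usr/bin/ldns-signzone -o "${ZONENAME}" -u "${ZONEFILEPATH}" "${KEYNAME}"; then
        /usr/sbin/nsd-control reload "${ZONENAME}" || rc=1
    else
        echo "resignall: signing ${ZONENAME} failed, not reloading" >&2
        rc=1
    fi
done
exit "${rc}"
```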
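Review bot: nsd now loads `{{ item.name }}.zone.signed`, but the `Check zone file` task in zones.yml still runs `nsd-checkzone` against the unsigned `.zone`, so the file actually served is never validated before `nsd-control reload`; a second check on the `.zone.signed` output after `Sign zone file` would catch a broken or partial signing run before it is loaded. On secondaries (`nsd_master` false) zones.yml is not run, so confirm nsd is expected to produce `.zone.signed` itself from the transfer rather than find it present. The `zone:` stanza continues outside the hunk.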
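Review bot: The null MX (`@ MX 0 .`) deserves a comment, since a reader may take a `.` exchange for a typo: `; null MX (RFC 7505): this domain does not accept mail` on the line above the record. It must remain the only MX record for the name, which holds here, and it is consistent with the existing SPF `-all` and DMARC reject records.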