✨: DNSSEC signing and auto-signing

2024-07-05 11:53:53 +02:00
parent cedd523536
commit eac088a11e
8 changed files with 82 additions and 9 deletions
--- a/roles/nsd/tasks/cron.yml
+++ b/roles/nsd/tasks/cron.yml
@@ -0,0 +1,18 @@
+---
+
+- name: Install cron script
+  ansible.builtin.template:
+    src: resignall.sh.j2
+    dest: "{{ nsd_cron_script }}"
+    owner: root
+    group: root
+    mode: "0o750"
+
+- name: Install cron
+  ansible.builtin.cron:
+    name: "NSD zone resign"
+    hour: "3"
+    minute: "2"
+    weekday: "3"
+    job: "{{ nsd_cron_script }} &> /dev/null"
+    state: present
--- a/roles/nsd/tasks/main.yml
+++ b/roles/nsd/tasks/main.yml
@@ -16,11 +16,19 @@
 - name: Create zone dir
  ansible.builtin.file:
    path: "{{ nsd_default_etc_path }}zones"
-    owner: root
-    group: root
+    owner: nsd
+    group: nsd
    mode: "0o755"
    state: directory

+- name: Create key dir
+  ansible.builtin.file:
+    path: "{{ nsd_default_etc_path }}keys"
+    owner: nsd
+    group: nsd
+    mode: "0o700"
+    state: directory
+
 - name: Create nsd.conf
  ansible.builtin.template:
    src: nsd.conf.j2
@@ -50,6 +58,10 @@
  loop: "{{ zones }}"
  when: nsd_master

+- name: Install renew cron
+  ansible.builtin.include_tasks: cron.yml
+  when: nsd_master
+
 - name: Ensure nsd is started
  ansible.builtin.service:
    name: nsd
--- a/roles/nsd/tasks/prerequisites.yml
+++ b/roles/nsd/tasks/prerequisites.yml
@@ -25,4 +25,5 @@
      - nsd
      - dnsutils
      - ldnsutils
+      - cron
    state: present
--- a/roles/nsd/tasks/zones.yml
+++ b/roles/nsd/tasks/zones.yml
@@ -4,24 +4,47 @@
  ansible.builtin.template:
    src: "{{ 'zones/parking.zone.j2' if item.parking | default(false) else 'zones/' ~ item.name ~ '.zone.j2' }}"
    dest: "{{ nsd_default_etc_path }}zones/{{ item.name }}.zone"
-    owner: root
-    group: root
+    owner: nsd
+    group: nsd
    mode: "0o644"
  vars:
    # This generates 99 different serial per day
    dns_serial: "{{ ansible_date_time.epoch }}"

- name: Force zone file modification time
+- name: Create zone key dir
  ansible.builtin.file:
-    path: "{{ nsd_default_etc_path }}zones/{{ item.name }}.zone"
-    state: touch
-    mode: "0o644"
+    path: "{{ nsd_default_etc_path }}keys/{{ item.name }}/"
+    owner: nsd
+    group: nsd
+    mode: "0o750"
+    state: directory
+
+- name: Create the associated keys
+  become: true
+  become_user: nsd
+  ansible.builtin.command:
+    cmd: "ldns-keygen -a ECDSAP256SHA256 -k -s {{ item.name }}"
+    chdir: "{{ nsd_default_etc_path }}/keys/{{ item.name }}/"
+    creates: "{{ nsd_default_etc_path }}/keys/{{ item.name }}/.ds"

 - name: Check zone file
  ansible.builtin.command:
    cmd: "nsd-checkzone {{ item.name }} {{ nsd_default_etc_path }}zones/{{ item.name }}.zone"
  changed_when: false

+- name: Stat associated keys
+  ansible.builtin.stat:
+    path: "{{ nsd_default_etc_path }}/keys/{{ item.name }}/.ds"
+  register: _stat_keys
+
+- name: Sign zone file
+  become: true
+  become_user: nsd
+  ansible.builtin.command:
+    chdir: "{{ nsd_default_etc_path }}/keys/{{ item.name }}/"
+    cmd: "ldns-signzone -o {{ item.name }} -u {{ nsd_default_etc_path }}/zones/{{ item.name }}.zone {{ (_stat_keys.stat.lnk_target | split('.'))[:-1] | join('.') }}"
+  changed_when: true
+
 - name: Reload zone
  ansible.builtin.command:
    cmd: "nsd-control reload {{ item.name }}"