slfhst/ansible
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

: DNSSEC signing and auto-signing

Browse Source
This commit is contained in:
VC
2024-07-05 11:53:53 +02:00
parent cedd523536
commit eac088a11e
8 changed files with 82 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
roles/nsd/tasks/cron.yml Normal file
View File

@@ -0,0 +1,18 @@
---
- name: Install cron script
ansible.builtin.template:
src: resignall.sh.j2
dest: "{{ nsd_cron_script }}"
owner: root
group: root
mode: "0o750"
- name: Install cron
ansible.builtin.cron:
name: "NSD zone resign"
hour: "3"
minute: "2"
weekday: "3"
job: "{{ nsd_cron_script }} &> /dev/null"
state: present

16
roles/nsd/tasks/main.yml
View File

@@ -16,11 +16,19 @@
- name: Create zone dir - name: Create zone dir
ansible.builtin.file: ansible.builtin.file:
path: "{{ nsd_default_etc_path }}zones" path: "{{ nsd_default_etc_path }}zones"
owner: root owner: nsd
group: root group: nsd
mode: "0o755" mode: "0o755"
state: directory state: directory
- name: Create key dir
ansible.builtin.file:
path: "{{ nsd_default_etc_path }}keys"
owner: nsd
group: nsd
mode: "0o700"
state: directory
- name: Create nsd.conf - name: Create nsd.conf
ansible.builtin.template: ansible.builtin.template:
src: nsd.conf.j2 src: nsd.conf.j2
@@ -50,6 +58,10 @@
loop: "{{ zones }}" loop: "{{ zones }}"
when: nsd_master when: nsd_master
- name: Install renew cron
ansible.builtin.include_tasks: cron.yml
when: nsd_master
- name: Ensure nsd is started - name: Ensure nsd is started
ansible.builtin.service: ansible.builtin.service:
name: nsd name: nsd

1
roles/nsd/tasks/prerequisites.yml
View File

@@ -25,4 +25,5 @@
- nsd - nsd
- dnsutils - dnsutils
- ldnsutils - ldnsutils
- cron
state: present state: present

35
roles/nsd/tasks/zones.yml
View File

@@ -4,24 +4,47 @@
ansible.builtin.template: ansible.builtin.template:
src: "{{ 'zones/parking.zone.j2' if item.parking | default(false) else 'zones/' ~ item.name ~ '.zone.j2' }}" src: "{{ 'zones/parking.zone.j2' if item.parking | default(false) else 'zones/' ~ item.name ~ '.zone.j2' }}"
dest: "{{ nsd_default_etc_path }}zones/{{ item.name }}.zone" dest: "{{ nsd_default_etc_path }}zones/{{ item.name }}.zone"
owner: root owner: nsd
group: root group: nsd
mode: "0o644" mode: "0o644"
vars: vars:
# This generates 99 different serial per day # This generates 99 different serial per day
dns_serial: "{{ ansible_date_time.epoch }}" dns_serial: "{{ ansible_date_time.epoch }}"
- name: Force zone file modification time - name: Create zone key dir
ansible.builtin.file: ansible.builtin.file:
path: "{{ nsd_default_etc_path }}zones/{{ item.name }}.zone" path: "{{ nsd_default_etc_path }}keys/{{ item.name }}/"
state: touch owner: nsd
mode: "0o644" group: nsd
mode: "0o750"
state: directory
- name: Create the associated keys
become: true
become_user: nsd
ansible.builtin.command:
cmd: "ldns-keygen -a ECDSAP256SHA256 -k -s {{ item.name }}"
chdir: "{{ nsd_default_etc_path }}/keys/{{ item.name }}/"
creates: "{{ nsd_default_etc_path }}/keys/{{ item.name }}/.ds"
- name: Check zone file - name: Check zone file
ansible.builtin.command: ansible.builtin.command:
cmd: "nsd-checkzone {{ item.name }} {{ nsd_default_etc_path }}zones/{{ item.name }}.zone" cmd: "nsd-checkzone {{ item.name }} {{ nsd_default_etc_path }}zones/{{ item.name }}.zone"
changed_when: false changed_when: false
- name: Stat associated keys
ansible.builtin.stat:
path: "{{ nsd_default_etc_path }}/keys/{{ item.name }}/.ds"
register: _stat_keys
- name: Sign zone file
become: true
become_user: nsd
ansible.builtin.command:
chdir: "{{ nsd_default_etc_path }}/keys/{{ item.name }}/"
cmd: "ldns-signzone -o {{ item.name }} -u {{ nsd_default_etc_path }}/zones/{{ item.name }}.zone {{ (_stat_keys.stat.lnk_target | split('.'))[:-1] | join('.') }}"
changed_when: true
- name: Reload zone - name: Reload zone
ansible.builtin.command: ansible.builtin.command:
cmd: "nsd-control reload {{ item.name }}" cmd: "nsd-control reload {{ item.name }}"

17
roles/nsd/templates/resignall.sh.j2 Normal file
View File

@@ -0,0 +1,17 @@
#!/bin/bash
for i in {{ nsd_default_etc_path }}keys/*/*.ds
do
# Get the different names
FILENAME=${i##*/}
KEYNAME=${FILENAME/.ds/}
DIRPATH=${i/${FILENAME}/}
_ZONEFILEPATH=${DIRPATH/keys/zones}
ZONEFILEPATH=${_ZONEFILEPATH%/*}.zone
_ZONENAME=${_ZONEFILEPATH%/*}
ZONENAME=${_ZONENAME##*/}
cd $DIRPATH
sudo -u nsd /usr/bin/ldns-signzone -o ${ZONENAME} -u ${ZONEFILEPATH} ${KEYNAME}
/usr/sbin/nsd-control reload ${ZONENAME}
done

2
roles/nsd/templates/zone.j2
View File

@@ -3,7 +3,7 @@
{% set default_ipv6 = hostvars[other_server].ansible_default_ipv6.address -%} {% set default_ipv6 = hostvars[other_server].ansible_default_ipv6.address -%}
zone: zone:
name: "{{ item.name }}" name: "{{ item.name }}"
zonefile: {{ item.name }}.zone zonefile: {{ item.name }}.zone.signed
{% if nsd_master -%} {% if nsd_master -%}
{% for server in other_server -%} {% for server in other_server -%}
{% set default_ipv4 = hostvars[server].natted_ipv4 | default(hostvars[server].ansible_default_ipv4.address) -%} {% set default_ipv4 = hostvars[server].natted_ipv4 | default(hostvars[server].ansible_default_ipv4.address) -%}

1
roles/nsd/templates/zones/parking.zone.j2
View File

@@ -14,6 +14,7 @@ $TTL 86400
$ORIGIN {{ item.name }}. $ORIGIN {{ item.name }}.
$TTL 7200 $TTL 7200
@ CAA 0 issue ";" @ CAA 0 issue ";"
@ MX 0 .
@ TXT "v=spf1 -all" @ TXT "v=spf1 -all"
@ TXT "spf2.0/mfrom -all" @ TXT "spf2.0/mfrom -all"
_dmarc TXT "v=DMARC1;p=reject;pct=100;sp=reject;aspf=s;" _dmarc TXT "v=DMARC1;p=reject;pct=100;sp=reject;aspf=s;"

1
roles/nsd/vars/main.yml
View File

@@ -2,3 +2,4 @@
nsd_default_etc_path: "/etc/nsd/" nsd_default_etc_path: "/etc/nsd/"
nsd_tsig_key_name: "tsig0" nsd_tsig_key_name: "tsig0"
nsd_cron_script: /usr/local/bin/resignall.sh