run nsd on bare metal

2023-01-07 12:02:04 +01:00 · 2023-01-07 12:02:04 +01:00 · 117d7d2cf4
commit 117d7d2cf4
parent 9bb44e4978
11 changed files with 39 additions and 102 deletions
--- a/roles/common/files/hosts
+++ b/roles/common/files/hosts
@ -1,14 +0,0 @@
 127.0.0.1 localhost
 127.0.1.1 ubuntu
 127.0.0.1 pizzapim.nl
 127.0.0.1 git.pizzapim.nl
 127.0.0.1 dav.pizzapim.nl
 127.0.0.1 social.pizzapim.nl
 127.0.0.1 www.pizzapim.nl
 # The following lines are desirable for IPv6 capable hosts
 ::1     ip6-localhost ip6-loopback
 fe00::0 ip6-localnet
 ff00::0 ip6-mcastprefix
 ff02::1 ip6-allnodes
 ff02::2 ip6-allrouters
--- a/roles/common/files/resolv.conf
+++ b/roles/common/files/resolv.conf
@ -1,3 +1,4 @@
 nameserver 192.168.30.1
 nameserver 1.1.1.1
 nameserver 1.0.0.1
 search lan
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@ -23,7 +23,3 @@
    src: "{{ role_path }}/files/resolv.conf"
    dest: /etc/resolv.conf
    follow: true
 - name: Copy hosts file
  copy:
    src: "{{ role_path }}/files/hosts"
    dest: /etc/hosts
--- a/roles/docker/files/daemon.json
+++ b/roles/docker/files/daemon.json
@ -1,3 +0,0 @@
 {
  "ipv6": true
 }
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@ -29,11 +29,6 @@
    name:
      - docker
      - docker-compose
 - name: Enable IPv6
  copy:
    src: "{{ role_path }}/files/daemon.json"
    dest: /etc/docker/daemon.json
  register: daemon_file
 - name: Start Docker
  systemd:
    name: docker
--- a/roles/nsd/files/docker-compose.yml
+++ b/roles/nsd/files/docker-compose.yml
@ -1,18 +0,0 @@
 version: '3.7'
 services:
  nsd:
    container_name: nsd
    restart: always
    image: ghcr.io/the-kube-way/nsd:v4.6.0
    read_only: true
    tmpfs:
      - /tmp
      - /var/db/nsd
    volumes:
      - /apps/nsd/conf:/etc/nsd:ro
      - /apps/nsd/zones:/zones
      - /apps/nsd/keys:/keys
    ports:
      - 53:53
      - 53:53/udp
--- a/roles/nsd/files/nsd.conf
+++ b/roles/nsd/files/nsd.conf
@ -1,9 +1,9 @@
 server:
-        ip-address: eth0 # TEMP until response from mailing list
+        ip-address: enp3s0
        server-count: 1
        verbosity: 1
        hide-version: yes
-        zonesdir: "/zones"
+        zonesdir: "/etc/nsd/zones"
        ip-transparent: yes
        ip-freebind: yes
--- a/roles/nsd/files/zones/geokunis2.nl
+++ b/roles/nsd/files/zones/geokunis2.nl
@ -1,18 +1,18 @@
 $ORIGIN geokunis2.nl.
 $TTL 60
-geokunis2.nl.	IN	SOA	ns.geokunis2.nl. niels.kunis.nl. 2023010600 1800 3600 1209600 3600
+geokunis2.nl.	IN	SOA	ns.geokunis2.nl. niels.kunis.nl. 2023010601 1800 3600 1209600 3600
 			NS	ns.geokunis2.nl.
 			NS	ns0.transip.net.
 			NS	ns1.transip.nl.
 			NS	ns2.transip.eu.
-			A	82.197.212.198
+			A	84.245.14.149
 			AAAA	2a02:58:19a:f730:b62e:99ff:fe77:1bda
 			MX	0 .
 			TXT	"v=spf1 -all"
 			CAA	0 issue "letsencrypt.org"
 jenl		IN	A	217.123.41.225
-kms			IN	A	82.197.212.198
+kms			IN	A	84.245.14.149
 _dmarc		IN	TXT	"v=DMARC1; p=reject; fo=0; adkim=s; aspf=s; pct=100; rf=afrf; sp=reject"
-ns			A	82.197.212.198
+ns			A	84.245.14.149
 			AAAA	2a02:58:19a:f730:b62e:99ff:fe77:1bda
--- a/roles/nsd/files/zones/pizzapim.nl
+++ b/roles/nsd/files/zones/pizzapim.nl
@ -1,22 +1,22 @@
 $ORIGIN pizzapim.nl.
 $TTL 60
-pizzapim.nl.	IN 	SOA	ns.pizzapim.nl. pim.kunis.nl. 2023010600 1800 3600 1209600 3600
+pizzapim.nl.	IN 	SOA	ns.pizzapim.nl. pim.kunis.nl. 2023010700 1800 3600 1209600 3600
 			NS	ns.pizzapim.nl.
 			NS	ns0.transip.net.
 			NS	ns1.transip.nl.
 			NS	ns2.transip.eu.
-			A	82.197.212.198
+			A	84.245.14.149
 			AAAA	2a02:58:19a:f730:b62e:99ff:fe77:1bda
 			TXT	"v=spf1 ~all"
 			CAA	0 issue "letsencrypt.org"
-_dmarc	IN	TXT		"v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:wpux1bq8@ag.eu.dmarcian.com;"
+_dmarc		IN	TXT	"v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:wpux1bq8@ag.eu.dmarcian.com;"
-www		IN	A		82.197.212.198
+www		IN	A	84.245.14.149
 			AAAA	2a02:58:19a:f730:b62e:99ff:fe77:1bda
-ns		IN	A		82.197.212.198
+ns		IN	A	84.245.14.149
 			AAAA	2a02:58:19a:f730:b62e:99ff:fe77:1bda
 cloud		IN	CNAME	www.pizzapim.nl
 social		IN	CNAME	www.pizzapim.nl
--- a/roles/nsd/meta/main.yml
+++ b/roles/nsd/meta/main.yml
@ -1,3 +0,0 @@
 dependencies:
  - role: common
  - role: docker
--- a/roles/nsd/tasks/main.yml
+++ b/roles/nsd/tasks/main.yml
@ -1,86 +1,69 @@
- name: Create nsd app directory
+- name: Install nsd
-  file:
+  apt:
-    path: /apps/nsd
+    pkg:
-    state: directory
+      - nsd
- name: Create nsd configuration directory
+      - ldnsutils
  file:
    path: /apps/nsd/conf
    state: directory
    owner: 991
    group: 991
 - name: Copy nsd.conf
  copy:
    src: "{{ role_path }}/files/nsd.conf"
-    dest: /apps/nsd/conf/nsd.conf
+    dest: /etc/nsd/nsd.conf
- name: Create nsd zones directory
+- name: Create zones directory
  file:
-    path: /apps/nsd/zones
+    path: /etc/nsd/zones
    state: directory
    owner: 991
    group: 991
 - name: Copy zone files
  copy:
    src: "{{ role_path }}/files/zones/"
-    dest: /apps/nsd/zones
+    dest: /etc/nsd/zones
- name: Create nsd keys directory
+- name: Create keys directory
  file:
-    path: /apps/nsd/keys
+    path: /etc/nsd/keys
    state: directory
    owner: 991
    group: 991
 - name: Copy KSK private keys
  template:
    src: "{{ item }}"
-    dest: "/apps/nsd/keys/{{ item | basename }}"
+    dest: "/etc/nsd/keys/{{ item | basename }}"
  with_fileglob:
    - "{{ role_path }}/files/keys/*.ksk.private"
 - name: Copy KSK keys
  copy:
    src: "{{ item }}"
-    dest: "/apps/nsd/keys/{{ item | basename }}"
+    dest: "/etc/nsd/keys/{{ item | basename }}"
  with_fileglob:
    - "{{ role_path }}/files/keys/*.ksk.key"
 - name: Copy Docker Compose script
  copy:
    src: "{{ role_path }}/files/docker-compose.yml"
    dest: /apps/nsd/docker-compose.yml
 - name: Start Docker Compose
  docker_compose:
    project_src: /apps/nsd
    pull: true
    remove_orphans: true
 - name: Check if ZSKs exist
  stat:
-    path: "/apps/nsd/keys/K{{ item | basename }}.zsk.key"
+    path: "/etc/nsd/keys/K{{ item | basename }}.zsk.key"
  register: zsks_exists
  with_fileglob:
    - "{{ role_path }}/files/zones/*"
 - name: Create ZSK
  command:
-    cmd: "docker-compose exec -w /keys nsd ldns-keygen -a ED25519 {{ item.item | basename }}"
+    cmd: "ldns-keygen -a ED25519 {{ item.item | basename }}"
-    chdir: /apps/nsd
+    chdir: /etc/nsd/keys
  register: create_zsk
  when: not item.stat.exists
  with_items: "{{ zsks_exists.results }}"
 - name: Rename ZSK key
  command:
-    cmd: "docker-compose exec -w /keys nsd mv {{ item.stdout }}.key K{{ item.item.item | basename }}.zsk.key"
+    cmd: "mv {{ item.stdout }}.key K{{ item.item.item | basename }}.zsk.key"
-    chdir: /apps/nsd
+    chdir: /etc/nsd/keys
  when: item.changed
  with_items: "{{ create_zsk.results }}"
 - name: Rename ZSK private key
  command:
-    cmd: "docker-compose exec -w /keys nsd mv {{ item.stdout }}.private K{{ item.item.item | basename }}.zsk.private"
+    cmd: "mv {{ item.stdout }}.private K{{ item.item.item | basename }}.zsk.private"
-    chdir: /apps/nsd
+    chdir: /etc/nsd/keys
  when: item.changed
  with_items: "{{ create_zsk.results }}"
 - name: Sign zones
  command:
-    cmd: 'docker-compose exec -w /zones nsd ldns-signzone {{ item | basename }} /keys/K{{ item | basename }}.zsk /keys/K{{ item | basename }}.ksk'
+    cmd: "ldns-signzone {{ item | basename }} /etc/nsd/keys/K{{ item | basename }}.zsk /etc/nsd/keys/K{{ item | basename }}.ksk"
-    chdir: /apps/nsd
+    chdir: /etc/nsd/zones
  with_fileglob:
    - "{{ role_path }}/files/zones/*"
- name: Restart Docker Compose
+- name: Restart NSD
-  docker_compose:
+  systemd:
-    project_src: /apps/nsd
+    name: nsd
-    restarted: true
+    enabled: true
    state: reloaded