remove authoritative DNS server

README.md

@@ -9,7 +9,6 @@ The other roles are specifically for the various services we run.
 
 All services below are running under Docker, except NSD and Borg.
 
-- Authoritative DNS using [NSD](https://www.nlnetlabs.nl/projects/nsd/about/) (ns.pizzapim.nl)
 - Reverse proxy using [Traefik](https://doc.traefik.io/traefik/)
 - Git server using [Forgejo](https://forgejo.org/) ([git.pizzapim.nl](https://git.pizzapim.nl))
 - Static website using [Jekyll](https://jekyllrb.com/) ([pizzapim.nl](https://pizzapim.nl))

playbooks/all.yml

@@ -4,7 +4,6 @@
     - {role: 'ssh', tags: 'ssh'}
     - {role: 'watchtower', tags: 'watchtower'}
     - {role: 'borg', tags: 'borg'}
-    - {role: 'nsd', tags: 'nsd'}
     - {role: 'forgejo', tags: 'forgejo'}
     - {role: 'syncthing', tags: 'syncthing'}
     - {role: 'kms', tags: 'kms'}

roles/nsd/files/keys/Kgeokunis2.nl.ksk.key

@@ -1 +0,0 @@
-geokunis2.nl.	IN	DNSKEY	257 3 15 8DFshejNxv4d9ZkSRY53kEay06aOhHm77EOYNSZFp/w= ;{id = 64014 (ksk), size = 256b}

roles/nsd/files/keys/Kgeokunis2.nl.ksk.private

@@ -1,10 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-33306239336639653065343862633935396534373739613332356638343037646530333331343835
-6464303336356534653431663938383732383863366238320a663430613133363134336264343734
-31343731373239613330633935636137646133616334353565663061356566666465326261306362
-3463633863626666330a383461656632346361646365383234653963333561366463373331346539
-30633237346532633634636537663936353337353331393663363363363566663738643632363761
-66323032383862306635656130366261303161636232633561313630316537626262356532313131
-63616437633333346431303539306433613130373934393036356563316365373966346536353764
-39343038373162303933653335393432636332613038366531353432346332333936656464626536
-64633030353336616561656539313863306534633863633835333531306533313930

roles/nsd/files/keys/Kpizzapim.nl.ksk.key

@@ -1 +0,0 @@
-pizzapim.nl.	IN	DNSKEY	257 3 15 PL2LJmmaooqVFVIrvdFzS+X0YiEgz+fLlr7jm54nX/E= ;{id = 47515 (ksk), size = 256b}

roles/nsd/files/keys/Kpizzapim.nl.ksk.private

@@ -1,10 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-36343534663736653462386238363734646238306365393233633530663039656335623961663131
-6436373566336464336330326438656137646536656333370a386539613239343962373562653264
-66616530343235333964343332386234666266643933393531323066666164623862633962376666
-3230333539393335630a653532396665383536633164643534303461636135653737616137313034
-33653838653538623934353631393636363937333831313036643334343261363836393235313235
-36613966343431333364336437393430653366643263643130376437663164353361633735616332
-35656666353037643739356133303064633166323535323265323134363963316566323165643165
-36656264353962346530323830623432616238653966613433616235336539396461376162316564
-61643465323165643961303639653466663961333531663133636666643437333233

roles/nsd/files/nsd.conf

@@ -1,24 +0,0 @@
-server:
-        ip-address: enp3s0
-        server-count: 1
-        verbosity: 1
-        hide-version: yes
-        zonesdir: "/etc/nsd/zones"
-        ip-transparent: yes
-        ip-freebind: yes
-
-zone:
-        name: pizzapim.nl
-        zonefile: pizzapim.nl.signed
-        provide-xfr: 87.253.155.96/27 NOKEY
-        provide-xfr: 157.97.168.160/27 NOKEY
-
-zone:
-        name: geokunis2.nl
-        zonefile: geokunis2.nl.signed
-        provide-xfr: 87.253.155.96/27 NOKEY
-        provide-xfr: 157.97.168.160/27 NOKEY
-
-zone:
-	name: pim.kunis.nl
-	zonefile: pim.kunis.nl

roles/nsd/files/zones/geokunis2.nl

@@ -1,26 +0,0 @@
-$ORIGIN geokunis2.nl.
-$TTL 60
-
-geokunis2.nl.	IN	SOA	ns.geokunis2.nl. niels.kunis.nl. 2023030500 1800 3600 1209600 3600
-			NS	ns.geokunis2.nl.
-			NS	ns0.transip.net.
-			NS	ns1.transip.nl.
-			NS	ns2.transip.eu.
-			A	84.245.14.149
-			AAAA	2a02:58:19a:f730:b62e:99ff:fe77:1bda
-;			MX	0 .
-;			TXT	"v=spf1 -all"
-			CAA	0 issue "letsencrypt.org"
-mail		IN	A 84.245.14.149
-			MX	10	mail.geokunis2.nl
-jenl		IN	A	217.123.41.225
-wg			IN	A	84.245.14.149
-wg			IN	AAAA	2a02:58:1:e::1afb
-wg4			IN	A	84.245.14.149
-wg6			IN	AAAA	2a02:58:1:e::1afb
-kms			IN	A	84.245.14.149
-files		IN	A	84.245.14.149
-files		IN	AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda
-_dmarc		IN	TXT	"v=DMARC1; p=reject; fo=0; adkim=s; aspf=s; pct=100; rf=afrf; sp=reject"
-ns			A	84.245.14.149
-			AAAA	2a02:58:19a:f730:b62e:99ff:fe77:1bda

roles/nsd/files/zones/pim.kunis.nl

@@ -1,19 +0,0 @@
-$ORIGIN pim.kunis.nl.
-$TTL 60
-
-pim.kunis.nl.	IN 	SOA	ns.pim.kunis.nl. pim.kunis.nl. 2023020800 1800 3600 1209600 3600
-
-			NS	ns.pim.kunis.nl.
-			A	84.245.14.149
-			TXT	"v=spf1 ~all"
-
-_dmarc		IN	TXT	"v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:wpux1bq8@ag.eu.dmarcian.com;"
-
-www		IN	A	84.245.14.149
-ns		IN	A	84.245.14.149
-
-social		IN	CNAME	www.pim.kunis.nl.
-dav		IN	CNAME	www.pim.kunis.nl.
-git		IN	CNAME	www.pim.kunis.nl.
-meet            IN      CNAME   www.pim.kunis.nl.
-rss             IN      CNAME   www.pim.kunis.nl.

roles/nsd/files/zones/pizzapim.nl

@@ -1,19 +0,0 @@
-$ORIGIN pizzapim.nl.
-$TTL 60
-
-pizzapim.nl.	IN 	SOA	ns.pizzapim.nl. pim.kunis.nl. 2023020900 1800 3600 1209600 3600
-
-			NS	ns.pizzapim.nl.
-			NS	ns0.transip.net.
-			NS	ns1.transip.nl.
-			NS	ns2.transip.eu.
-			A	84.245.14.149
-			TXT	"v=spf1 ~all"
-			CAA	0 issue "letsencrypt.org"
-
-_dmarc		IN	TXT	"v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:wpux1bq8@ag.eu.dmarcian.com;"
-
-social		IN	A	84.245.14.149
-			AAAA	2a02:58:19a:f730:b62e:99ff:fe77:1bda
-ns		IN	A	84.245.14.149
-			AAAA	2a02:58:19a:f730:b62e:99ff:fe77:1bda

roles/nsd/meta/main.yml

@@ -1,2 +0,0 @@
-dependencies:
-  - role: common

roles/nsd/tasks/main.yml

@@ -1,70 +0,0 @@
-- name: Install nsd
-  apt:
-    pkg:
-      - nsd
-      - ldnsutils
-- name: Copy nsd.conf
-  copy:
-    src: "{{ role_path }}/files/nsd.conf"
-    dest: /etc/nsd/nsd.conf
-- name: Create zones directory
-  file:
-    path: /etc/nsd/zones
-    state: directory
-- name: Copy zone files
-  copy:
-    src: "{{ role_path }}/files/zones/"
-    dest: /etc/nsd/zones
-- name: Create keys directory
-  file:
-    path: /etc/nsd/keys
-    state: directory
-- name: Copy KSK private keys
-  template:
-    src: "{{ item }}"
-    dest: "/etc/nsd/keys/{{ item | basename }}"
-  with_fileglob:
-    - "{{ role_path }}/files/keys/*.ksk.private"
-- name: Copy KSK keys
-  copy:
-    src: "{{ item }}"
-    dest: "/etc/nsd/keys/{{ item | basename }}"
-  with_fileglob:
-    - "{{ role_path }}/files/keys/*.ksk.key"
-- name: Check if ZSKs exist
-  stat:
-    path: "/etc/nsd/keys/K{{ item | basename }}.zsk.key"
-  register: zsks_exists
-  with_fileglob:
-    - "{{ role_path }}/files/zones/*"
-- name: Create ZSK
-  command:
-    cmd: "ldns-keygen -a ED25519 {{ item.item | basename }}"
-    chdir: /etc/nsd/keys
-  register: create_zsk
-  when: not item.stat.exists and (item.item | basename) in sign_zones
-  with_items: "{{ zsks_exists.results }}"
-- name: Rename ZSK key
-  command:
-    cmd: "mv {{ item.stdout }}.key K{{ item.item.item | basename }}.zsk.key"
-    chdir: /etc/nsd/keys
-  when: item.changed and (item.item | basename) in sign_zones
-  with_items: "{{ create_zsk.results }}"
-- name: Rename ZSK private key
-  command:
-    cmd: "mv {{ item.stdout }}.private K{{ item.item.item | basename }}.zsk.private"
-    chdir: /etc/nsd/keys
-  when: item.changed and (item.item | basename) in sign_zones
-  with_items: "{{ create_zsk.results }}"
-- name: Sign zones
-  command:
-    cmd: "ldns-signzone {{ item | basename }} /etc/nsd/keys/K{{ item | basename }}.zsk /etc/nsd/keys/K{{ item | basename }}.ksk"
-    chdir: /etc/nsd/zones
-  when: (item | basename) in sign_zones
-  with_fileglob:
-    - "{{ role_path }}/files/zones/*"
-- name: Restart NSD
-  systemd:
-    name: nsd
-    enabled: true
-    state: reloaded

roles/nsd/vars/main.yml

@@ -1,3 +0,0 @@
-sign_zones:
-  - geokunis2.nl
-  - pizzapim.nl