diff --git a/README.md b/README.md
index 0a3b2aa..1a2e35f 100644
--- a/README.md
+++ b/README.md
@@ -4,13 +4,10 @@
 ### nsd
-https://github.com/The-Kube-Way/nsd
-Maybe put zone files in a data directory.
-KSK in ansible vault.
-Then in ansible role:
-- Generate ZSK if needed
-- Sign role if needed
-- ZSK key roll over
+ZSK rollover.
+
+I always resign the zone, even if nothing has changed.
+I could check whether the zone has changed or new keys were generated but that is kind of difficult.
 ### reverse proxy + certbot
diff --git a/playbooks/all.yml b/playbooks/all.yml
index 9d932e5..90d5952 100644
--- a/playbooks/all.yml
+++ b/playbooks/all.yml
@@ -4,3 +4,4 @@
 - ssh
 - pizzeria
 - syncthing
+ - nsd
diff --git a/playbooks/nsd.yml b/playbooks/nsd.yml
new file mode 100644
index 0000000..242eb55
--- /dev/null
+++ b/playbooks/nsd.yml
@@ -0,0 +1,4 @@
+- name: Install nsd
+ hosts: nucs
+ roles:
+ - nsd
diff --git a/roles/common/files/resolv.conf b/roles/common/files/resolv.conf
new file mode 100644
index 0000000..8a9bf12
--- /dev/null
+++ b/roles/common/files/resolv.conf
@@ -0,0 +1,3 @@
+nameserver 1.1.1.1
+nameserver 1.0.0.1
+search lan
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 6e1b051..7e13c12 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -13,3 +13,13 @@
 file:
 path: /apps
 state: directory
+- name: Disable systemd-resolved
+ systemd:
+ name: systemd-resolved
+ enabled: false
+ state: stopped
+- name: Copy resolv.conf
+ copy:
+ src: "{{ role_path }}/files/resolv.conf"
+ dest: /etc/resolv.conf
+ follow: true
diff --git a/roles/nsd/files/docker-compose.yml b/roles/nsd/files/docker-compose.yml
new file mode 100644
index 0000000..42d56dd
--- /dev/null
+++ b/roles/nsd/files/docker-compose.yml
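Review bot: `follow: true` on the "Copy resolv.conf" task writes through the destination symlink instead of replacing it, and on a host where /etc/resolv.conf is the usual systemd-resolved link into /run/systemd/resolve/ that target sits on a tmpfs, so the name servers written here vanish at the next reboot while resolved stays disabled and the host is left without working DNS. Remove the link first with a `file:` task (`path: /etc/resolv.conf`, `state: absent`) and copy with `follow: false` so /etc/resolv.conf becomes a regular file that survives reboots. That the link exists on these hosts is inferred from the preceding "Disable systemd-resolved" task, not visible in the hunk, so confirm it before changing the task.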
@@ -0,0 +1,18 @@
+version: '3.7'
+
+services:
+ nsd:
+ container_name: nsd
+ restart: always
+ image: ghcr.io/the-kube-way/nsd:v4.6.0
+ read_only: true
+ tmpfs:
+ - /tmp
+ - /var/db/nsd
+ volumes:
+ - /apps/nsd/conf:/etc/nsd:ro
+ - /apps/nsd/zones:/zones
+ - /apps/nsd/keys:/keys
+ ports:
+ - 53:53
+ - 53:53/udp
diff --git a/roles/nsd/files/keys/Kgeokunis2.nl.ksk.key b/roles/nsd/files/keys/Kgeokunis2.nl.ksk.key
new file mode 100644
index 0000000..26bd681
--- /dev/null
+++ b/roles/nsd/files/keys/Kgeokunis2.nl.ksk.key
@@ -0,0 +1 @@
+geokunis2.nl. IN DNSKEY 257 3 15 8DFshejNxv4d9ZkSRY53kEay06aOhHm77EOYNSZFp/w= ;{id = 64014 (ksk), size = 256b}
diff --git a/roles/nsd/files/keys/Kgeokunis2.nl.ksk.private b/roles/nsd/files/keys/Kgeokunis2.nl.ksk.private
new file mode 100644
index 0000000..4b74954
--- /dev/null
+++ b/roles/nsd/files/keys/Kgeokunis2.nl.ksk.private
@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+33306239336639653065343862633935396534373739613332356638343037646530333331343835
+6464303336356534653431663938383732383863366238320a663430613133363134336264343734
+31343731373239613330633935636137646133616334353565663061356566666465326261306362
+3463633863626666330a383461656632346361646365383234653963333561366463373331346539
+30633237346532633634636537663936353337353331393663363363363566663738643632363761
+66323032383862306635656130366261303161636232633561313630316537626262356532313131
+63616437633333346431303539306433613130373934393036356563316365373966346536353764
+39343038373162303933653335393432636332613038366531353432346332333936656464626536
+64633030353336616561656539313863306534633863633835333531306533313930
diff --git a/roles/nsd/files/keys/Kpizzapim.nl.ksk.key b/roles/nsd/files/keys/Kpizzapim.nl.ksk.key
new file mode 100644
index 0000000..92f07c1
--- /dev/null
+++ b/roles/nsd/files/keys/Kpizzapim.nl.ksk.key
@@ -0,0 +1 @@
+pizzapim.nl. IN DNSKEY 257 3 15 PL2LJmmaooqVFVIrvdFzS+X0YiEgz+fLlr7jm54nX/E= ;{id = 47515 (ksk), size = 256b}
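Review bot: `- 53:53` under `ports:` is an unquoted scalar that a YAML 1.1 loader reads as the base-60 integer 3233 (both halves are below 60), so the TCP mapping may silently turn into a bare container port or be rejected; the UDP entry only survives because the `/udp` suffix makes it a string. The Python docker-compose that the `docker_compose` module in roles/nsd/tasks/main.yml drives uses such a loader, so quote both entries: `- "53:53"` and `- "53:53/udp"`. Publishing without a host address binds port 53 on every interface, which is presumably intended for an authoritative server but deserves a one-line comment above `ports:` saying so.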
diff --git a/roles/nsd/files/keys/Kpizzapim.nl.ksk.private b/roles/nsd/files/keys/Kpizzapim.nl.ksk.private
new file mode 100644
index 0000000..bc136ed
--- /dev/null
+++ b/roles/nsd/files/keys/Kpizzapim.nl.ksk.private
@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+36343534663736653462386238363734646238306365393233633530663039656335623961663131
+6436373566336464336330326438656137646536656333370a386539613239343962373562653264
+66616530343235333964343332386234666266643933393531323066666164623862633962376666
+3230333539393335630a653532396665383536633164643534303461636135653737616137313034
+33653838653538623934353631393636363937333831313036643334343261363836393235313235
+36613966343431333364336437393430653366643263643130376437663164353361633735616332
+35656666353037643739356133303064633166323535323265323134363963316566323165643165
+36656264353962346530323830623432616238653966613433616235336539396461376162316564
+61643465323165643961303639653466663961333531663133636666643437333233
diff --git a/roles/nsd/files/nsd.conf b/roles/nsd/files/nsd.conf
new file mode 100644
index 0000000..151373c
--- /dev/null
+++ b/roles/nsd/files/nsd.conf
@@ -0,0 +1,17 @@
+server:
+ server-count: 1
+ verbosity: 1
+ hide-version: yes
+ zonesdir: "/zones"
+
+zone:
+ name: pizzapim.nl
+ zonefile: pizzapim.nl.signed
+ provide-xfr: 87.253.155.96/27 NOKEY
+ provide-xfr: 157.97.168.160/27 NOKEY
+
+zone:
+ name: geokunis2.nl
+ zonefile: geokunis2.nl.signed
+ provide-xfr: 87.253.155.96/27 NOKEY
+ provide-xfr: 157.97.168.160/27 NOKEY
diff --git a/roles/nsd/files/zones/geokunis2.nl b/roles/nsd/files/zones/geokunis2.nl
new file mode 100644
index 0000000..4447d27
--- /dev/null
+++ b/roles/nsd/files/zones/geokunis2.nl
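Review bot: Both `zone:` stanzas allow transfers to the secondary netblocks via `provide-xfr` but declare no `notify:` for them, so after a re-sign the secondaries only learn of a change by polling at the SOA refresh interval (1800 s in both zone files) and only once the serial has moved, which delays fresh RRSIGs reaching them. Add a `notify: <SECONDARY-ADDRESS> NOKEY` line per secondary next to each `provide-xfr:` (addresses are a placeholder here; the exact notify targets are not in the hunk). The `NOKEY` transfers are unauthenticated, which is tolerable because the zone data is public and DNSSEC-signed, but a TSIG key shared with the secondary operator would keep any other host inside those /27s from pulling the zones; a comment stating that this trade-off is deliberate would help the next reader.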
@@ -0,0 +1,19 @@
+$ORIGIN geokunis2.nl.
+$TTL 60
+
+geokunis2.nl. IN SOA ns.geokunis2.nl. niels.kunis.nl. 2022103001 1800 3600 1209600 3600
+ NS ns.geokunis2.nl.
+ NS ns0.transip.net.
+ NS ns1.transip.nl.
+ NS ns2.transip.eu.
+ A 82.197.212.198
+ AAAA 2a02:58:19a:f730:da5e:d3ff:fe47:336e
+ MX 0 .
+ TXT "v=spf1 -all"
+ CAA 0 issue "letsencrypt.org"
+jenl IN A 217.123.41.225
+kms IN A 82.197.212.198
+ovh IN A 57.128.45.138
+_dmarc IN TXT "v=DMARC1; p=reject; fo=0; adkim=s; aspf=s; pct=100; rf=afrf; sp=reject"
+ns A 82.197.212.198
+ AAAA 2a02:58:19a:f730:da5e:d3ff:fe47:336e
diff --git a/roles/nsd/files/zones/pizzapim.nl b/roles/nsd/files/zones/pizzapim.nl
new file mode 100644
index 0000000..b1647f2
--- /dev/null
+++ b/roles/nsd/files/zones/pizzapim.nl
@@ -0,0 +1,24 @@
+$ORIGIN pizzapim.nl.
+$TTL 60
+
+pizzapim.nl. IN SOA ns.pizzapim.nl. pim.kunis.nl. 2022121400 1800 3600 1209600 3600
+
+ NS ns.pizzapim.nl.
+ NS ns0.transip.net.
+ NS ns1.transip.nl.
+ NS ns2.transip.eu.
+ A 82.197.212.198
+ AAAA 2a02:58:19a:f730:da5e:d3ff:fe47:336e
+ TXT "v=spf1 ~all"
+ CAA 0 issue "letsencrypt.org"
+
+www IN CNAME @
+ns IN A 82.197.212.198
+ AAAA 2a02:58:19a:f730:da5e:d3ff:fe47:336e
+_dmarc IN TXT "v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:wpux1bq8@ag.eu.dmarcian.com;"
+cloud IN A 82.197.212.198
+ AAAA 2a02:58:19a:f730:da5e:d3ff:fe47:336e
+social IN A 82.197.212.198
+ AAAA 2a02:58:19a:f730:da5e:d3ff:fe47:336e
+dav IN A 82.197.212.198
+ AAAA 2a02:58:19a:f730:da5e:d3ff:fe47:336e
diff --git a/roles/nsd/meta/main.yml b/roles/nsd/meta/main.yml
new file mode 100644
index 0000000..090690b
--- /dev/null
+++ b/roles/nsd/meta/main.yml
@@ -0,0 +1,3 @@
+dependencies:
+ - role: common
+ - role: docker
diff --git a/roles/nsd/tasks/main.yml b/roles/nsd/tasks/main.yml
new file mode 100644
index 0000000..b81ee47
--- /dev/null
+++ b/roles/nsd/tasks/main.yml
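Review bot: pizzapim.nl publishes SPF (`~all`) and a DMARC reject policy but, unlike geokunis2.nl, has neither an MX record nor a null MX, so mail senders fall back to the apex A/AAAA for delivery attempts to a host that presumably runs no MTA. If the domain is not meant to receive mail, add ` MX 0 .` (RFC 7505) at the apex as geokunis2.nl does and tighten SPF to `-all`; if it is, the missing MX is the bug. Either way a one-line comment in each zone file stating whether the domain accepts mail would explain the asymmetry between the two zones.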
@@ -0,0 +1,87 @@
+- name: Create nsd app directory
+ file:
+ path: /apps/nsd
+ state: directory
+- name: Create nsd configuration directory
+ file:
+ path: /apps/nsd/conf
+ state: directory
+ owner: 991
+ group: 991
+- name: Copy nsd.conf
+ copy:
+ src: "{{ role_path }}/files/nsd.conf"
+ dest: /apps/nsd/conf/nsd.conf
+- name: Create nsd zones directory
+ file:
+ path: /apps/nsd/zones
+ state: directory
+ owner: 991
+ group: 991
+- name: Copy zone files
+ copy:
+ src: "{{ role_path }}/files/zones/"
+ dest: /apps/nsd/zones
+- name: Create nsd keys directory
+ file:
+ path: /apps/nsd/keys
+ state: directory
+ owner: 991
+ group: 991
+- name: Copy KSK private keys
+ template:
+ src: "{{ item }}"
+ dest: "/apps/nsd/keys/{{ item | basename }}"
+ with_fileglob:
+ - "{{ role_path }}/files/keys/*.ksk.private"
+- name: Copy KSK keys
+ copy:
+ src: "{{ item }}"
+ dest: "/apps/nsd/keys/{{ item | basename }}"
+ with_fileglob:
+ - "{{ role_path }}/files/keys/*.ksk.key"
+- name: Copy Docker Compose script
+ copy:
+ src: "{{ role_path }}/files/docker-compose.yml"
+ dest: /apps/nsd/docker-compose.yml
+- name: Start Docker Compose
+ docker_compose:
+ project_src: /apps/nsd
+ pull: true
+ remove_orphans: true
+- name: Check if ZSKs exist
+ stat:
+ path: "/apps/nsd/keys/K{{ item | basename }}.zsk.key"
+ register: zsks_exists
+ with_fileglob:
+ - "{{ role_path }}/files/zones/*"
+- name: Create ZSK
+ command:
+ cmd: "docker-compose exec -w /keys nsd ldns-keygen -a ED25519 {{ item.item | basename }}"
+ chdir: /apps/nsd
+ register: create_zsk
+ when: not item.stat.exists
+ with_items: "{{ zsks_exists.results }}"
+- name: Rename ZSK key
+ command:
+ cmd: "docker-compose exec -w /keys nsd mv {{ item.stdout }}.key K{{ item.item.item | basename }}.zsk.key"
+ chdir: /apps/nsd
+ when: item.changed
+ with_items: "{{ create_zsk.results }}"
+- name: Rename ZSK private key
+ command:
+ cmd: "docker-compose exec -w /keys nsd mv {{ item.stdout }}.private K{{ item.item.item | basename }}.zsk.private"
+ chdir: /apps/nsd
+ when: item.changed
+ with_items: "{{ create_zsk.results }}"
+- name: Sign zones
+ command:
+ cmd: 'docker-compose exec -w /zones nsd ldns-signzone {{ item | basename }} /keys/K{{ item | basename }}.zsk /keys/K{{ item | basename }}.ksk'
+ chdir: /apps/nsd
+ with_fileglob:
+ - "{{ role_path }}/files/zones/*"
+- name: Restart Docker Compose
+ docker_compose:
+ project_src: /apps/nsd
+ restarted: true
+ when: create_zsk is not skipped
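Review bot: "Copy KSK private keys" writes the vault-decrypted KSK private keys to /apps/nsd/keys with no `owner`, `group` or `mode`, so they land as root-owned files at the umask default (typically world-readable 0644) in a directory that the preceding task hands to uid 991; add `owner: 991`, `group: 991` and `mode: "0600"` to that task, and give the ZSK files that `ldns-keygen` drops into the same volume the same treatment with a `file:` task after the rename steps. "Sign zones" also runs on every play but leaves the SOA serial untouched (both source zones carry fixed date serials) and "Restart Docker Compose" fires only when a ZSK was created, so after a routine re-sign nsd keeps serving the previously loaded `.signed` file and the secondaries named in the NS set never transfer the new RRSIGs — once the old signatures expire the zone validates as bogus. Bump the serial as part of each signing run and reload nsd (`nsd-control reload`, or restart the container) unconditionally after signing, not only after key creation. `create_zsk is not skipped` on a looped, registered result is also fragile; `create_zsk.results | selectattr('changed') | list | length > 0` states the intent explicitly.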