home/max
Archived
2
1
Fork 0
Code Issues 9 Pull requests Projects Releases Packages Wiki Activity

add nsd role

Browse source 
disable systemd-resolved
This commit is contained in:
Pim Kunis 2022-12-26 13:50:05 +01:00
parent 1eef015ee3
commit e7da26bcaa
15 changed files with 212 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
README.md
View file

@ -4,13 +4,10 @@
### nsd ### nsd
https://github.com/The-Kube-Way/nsd ZSK rollover.
Maybe put zone files in a data directory.
KSK in ansible vault. I always resign the zone, even if nothing has changed.
Then in ansible role: I could check whether the zone has changed or new keys were generated but that is kind of difficult.
- Generate ZSK if needed
- Sign role if needed
- ZSK key roll over
### reverse proxy + certbot ### reverse proxy + certbot

1
playbooks/all.yml
View file

@ -4,3 +4,4 @@
- ssh - ssh
- pizzeria - pizzeria
- syncthing - syncthing
- nsd

4
playbooks/nsd.yml Normal file
View file

@ -0,0 +1,4 @@
- name: Install nsd
hosts: nucs
roles:
- nsd

3
roles/common/files/resolv.conf Normal file
View file

@ -0,0 +1,3 @@
nameserver 1.1.1.1
nameserver 1.0.0.1
search lan

10
roles/common/tasks/main.yml
View file

@ -13,3 +13,13 @@
file: file:
path: /apps path: /apps
state: directory state: directory
- name: Disable systemd-resolved
systemd:
name: systemd-resolved
enabled: false
state: stopped
- name: Copy resolv.conf
copy:
src: "{{ role_path }}/files/resolv.conf"
dest: /etc/resolv.conf
follow: true

18
roles/nsd/files/docker-compose.yml Normal file
View file

@ -0,0 +1,18 @@
version: '3.7'
services:
nsd:
container_name: nsd
restart: always
image: ghcr.io/the-kube-way/nsd:v4.6.0
read_only: true
tmpfs:
- /tmp
- /var/db/nsd
volumes:
- /apps/nsd/conf:/etc/nsd:ro
- /apps/nsd/zones:/zones
- /apps/nsd/keys:/keys
ports:
- 53:53
- 53:53/udp

1
roles/nsd/files/keys/Kgeokunis2.nl.ksk.key Normal file
View file

@ -0,0 +1 @@
geokunis2.nl. IN DNSKEY 257 3 15 8DFshejNxv4d9ZkSRY53kEay06aOhHm77EOYNSZFp/w= ;{id = 64014 (ksk), size = 256b}

10
roles/nsd/files/keys/Kgeokunis2.nl.ksk.private Normal file
View file

@ -0,0 +1,10 @@
$ANSIBLE_VAULT;1.1;AES256
33306239336639653065343862633935396534373739613332356638343037646530333331343835
6464303336356534653431663938383732383863366238320a663430613133363134336264343734
31343731373239613330633935636137646133616334353565663061356566666465326261306362
3463633863626666330a383461656632346361646365383234653963333561366463373331346539
30633237346532633634636537663936353337353331393663363363363566663738643632363761
66323032383862306635656130366261303161636232633561313630316537626262356532313131
63616437633333346431303539306433613130373934393036356563316365373966346536353764
39343038373162303933653335393432636332613038366531353432346332333936656464626536
64633030353336616561656539313863306534633863633835333531306533313930

1
roles/nsd/files/keys/Kpizzapim.nl.ksk.key Normal file
View file

@ -0,0 +1 @@
pizzapim.nl. IN DNSKEY 257 3 15 PL2LJmmaooqVFVIrvdFzS+X0YiEgz+fLlr7jm54nX/E= ;{id = 47515 (ksk), size = 256b}

10
roles/nsd/files/keys/Kpizzapim.nl.ksk.private Normal file
View file

@ -0,0 +1,10 @@
$ANSIBLE_VAULT;1.1;AES256
36343534663736653462386238363734646238306365393233633530663039656335623961663131
6436373566336464336330326438656137646536656333370a386539613239343962373562653264
66616530343235333964343332386234666266643933393531323066666164623862633962376666
3230333539393335630a653532396665383536633164643534303461636135653737616137313034
33653838653538623934353631393636363937333831313036643334343261363836393235313235
36613966343431333364336437393430653366643263643130376437663164353361633735616332
35656666353037643739356133303064633166323535323265323134363963316566323165643165
36656264353962346530323830623432616238653966613433616235336539396461376162316564
61643465323165643961303639653466663961333531663133636666643437333233

17
roles/nsd/files/nsd.conf Normal file
View file

@ -0,0 +1,17 @@
server:
server-count: 1
verbosity: 1
hide-version: yes
zonesdir: "/zones"
zone:
name: pizzapim.nl
zonefile: pizzapim.nl.signed
provide-xfr: 87.253.155.96/27 NOKEY
provide-xfr: 157.97.168.160/27 NOKEY
zone:
name: geokunis2.nl
zonefile: geokunis2.nl.signed
provide-xfr: 87.253.155.96/27 NOKEY
provide-xfr: 157.97.168.160/27 NOKEY

19
roles/nsd/files/zones/geokunis2.nl Normal file
View file

@ -0,0 +1,19 @@
$ORIGIN geokunis2.nl.
$TTL 60
geokunis2.nl. IN SOA ns.geokunis2.nl. niels.kunis.nl. 2022103001 1800 3600 1209600 3600
NS ns.geokunis2.nl.
NS ns0.transip.net.
NS ns1.transip.nl.
NS ns2.transip.eu.
A 82.197.212.198
AAAA 2a02:58:19a:f730:da5e:d3ff:fe47:336e
MX 0 .
TXT "v=spf1 -all"
CAA 0 issue "letsencrypt.org"
jenl IN A 217.123.41.225
kms IN A 82.197.212.198
ovh IN A 57.128.45.138
_dmarc IN TXT "v=DMARC1; p=reject; fo=0; adkim=s; aspf=s; pct=100; rf=afrf; sp=reject"
ns A 82.197.212.198
AAAA 2a02:58:19a:f730:da5e:d3ff:fe47:336e

24
roles/nsd/files/zones/pizzapim.nl Normal file
View file

@ -0,0 +1,24 @@
$ORIGIN pizzapim.nl.
$TTL 60
pizzapim.nl. IN SOA ns.pizzapim.nl. pim.kunis.nl. 2022121400 1800 3600 1209600 3600
NS ns.pizzapim.nl.
NS ns0.transip.net.
NS ns1.transip.nl.
NS ns2.transip.eu.
A 82.197.212.198
AAAA 2a02:58:19a:f730:da5e:d3ff:fe47:336e
TXT "v=spf1 ~all"
CAA 0 issue "letsencrypt.org"
www IN CNAME @
ns IN A 82.197.212.198
AAAA 2a02:58:19a:f730:da5e:d3ff:fe47:336e
_dmarc IN TXT "v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:wpux1bq8@ag.eu.dmarcian.com;"
cloud IN A 82.197.212.198
AAAA 2a02:58:19a:f730:da5e:d3ff:fe47:336e
social IN A 82.197.212.198
AAAA 2a02:58:19a:f730:da5e:d3ff:fe47:336e
dav IN A 82.197.212.198
AAAA 2a02:58:19a:f730:da5e:d3ff:fe47:336e

3
roles/nsd/meta/main.yml Normal file
View file

@ -0,0 +1,3 @@
dependencies:
- role: common
- role: docker

87
roles/nsd/tasks/main.yml Normal file
View file

@ -0,0 +1,87 @@
- name: Create nsd app directory
file:
path: /apps/nsd
state: directory
- name: Create nsd configuration directory
file:
path: /apps/nsd/conf
state: directory
owner: 991
group: 991
- name: Copy nsd.conf
copy:
src: "{{ role_path }}/files/nsd.conf"
dest: /apps/nsd/conf/nsd.conf
- name: Create nsd zones directory
file:
path: /apps/nsd/zones
state: directory
owner: 991
group: 991
- name: Copy zone files
copy:
src: "{{ role_path }}/files/zones/"
dest: /apps/nsd/zones
- name: Create nsd keys directory
file:
path: /apps/nsd/keys
state: directory
owner: 991
group: 991
- name: Copy KSK private keys
template:
src: "{{ item }}"
dest: "/apps/nsd/keys/{{ item | basename }}"
with_fileglob:
- "{{ role_path }}/files/keys/*.ksk.private"
- name: Copy KSK keys
copy:
src: "{{ item }}"
dest: "/apps/nsd/keys/{{ item | basename }}"
with_fileglob:
- "{{ role_path }}/files/keys/*.ksk.key"
- name: Copy Docker Compose script
copy:
src: "{{ role_path }}/files/docker-compose.yml"
dest: /apps/nsd/docker-compose.yml
- name: Start Docker Compose
docker_compose:
project_src: /apps/nsd
pull: true
remove_orphans: true
- name: Check if ZSKs exist
stat:
path: "/apps/nsd/keys/K{{ item | basename }}.zsk.key"
register: zsks_exists
with_fileglob:
- "{{ role_path }}/files/zones/*"
- name: Create ZSK
command:
cmd: "docker-compose exec -w /keys nsd ldns-keygen -a ED25519 {{ item.item | basename }}"
chdir: /apps/nsd
register: create_zsk
when: not item.stat.exists
with_items: "{{ zsks_exists.results }}"
- name: Rename ZSK key
command:
cmd: "docker-compose exec -w /keys nsd mv {{ item.stdout }}.key K{{ item.item.item | basename }}.zsk.key"
chdir: /apps/nsd
when: item.changed
with_items: "{{ create_zsk.results }}"
- name: Rename ZSK private key
command:
cmd: "docker-compose exec -w /keys nsd mv {{ item.stdout }}.private K{{ item.item.item | basename }}.zsk.private"
chdir: /apps/nsd
when: item.changed
with_items: "{{ create_zsk.results }}"
- name: Sign zones
command:
cmd: 'docker-compose exec -w /zones nsd ldns-signzone {{ item | basename }} /keys/K{{ item | basename }}.zsk /keys/K{{ item | basename }}.ksk'
chdir: /apps/nsd
with_fileglob:
- "{{ role_path }}/files/zones/*"
- name: Restart Docker Compose
docker_compose:
project_src: /apps/nsd
restarted: true
when: create_zsk is not skipped