Add knot authoritative dns

This commit is contained in:
Ada 2024-04-18 20:42:26 +02:00
parent 3ddcd23102
commit 30cd1289c0
Signed by: ada
GPG key ID: 6A7F898157C6DE6E
10 changed files with 151 additions and 3 deletions


@ -25,3 +25,9 @@
become: true
roles:
- kea_dhcp
- name: Knot
hosts: dns-authoritative
become: true
roles:
- knot


@ -0,0 +1,11 @@
---
acls:
- id: ddns
action: update
address: 10.20.0.42/32
zones:
- domain: lab.r4.pm
acl: ddns
listen_ip: 10.20.0.44
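Review bot: The `ddns` ACL grants `update` on lab.r4.pm to anything that presents source address 10.20.0.42 and nothing else; DNS UPDATE is normally sent over UDP, so a host on the same segment that can spoof that address can rewrite the zone. Require a TSIG key in addition to the address, `key: ddns-key`, define the key under a Knot `key:` section with the secret supplied from Ansible Vault rather than this file, and have the Kea host sign its updates with the same key. Note that the knot.conf.j2 template in this commit only renders `id`, `address` and `action` for each ACL entry, so it needs a matching `key:` line before this takes effect.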


@ -2,3 +2,8 @@
kresd_allow:
- 10.0.0.0/8
- 172.16.0.0/12
forward:
- zone: lab.r4.pm.
address: 10.20.0.44
ds: "lab.r4.pm. DS 61454 13 4 c510acc4a85ee8cfd93205b0cdc8d65a9e5376cf45517e5bd7db7fc836d076df688b11cf7f3a3b33a9b1011d74d00e74"
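Review bot: The pinned DS on the `ds:` line is only valid for the KSK that Knot generated on authoritative-1 when signing was first enabled; the key material under /var/lib/knot is not managed by this commit, so a rebuilt host or a KSK rollover silently invalidates the anchor and every lab.r4.pm lookup through kresd would then fail validation. Add a comment above the record so the coupling is visible to whoever re-provisions the DNS host, e.g. `# DS of the current lab.r4.pm KSK on authoritative-1 — regenerate with 'keymgr lab.r4.pm. ds' after any key change and update here`. Hash 4 (SHA-384) with a 96-hex digest is consistent, so the value itself looks well-formed.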


@ -5,6 +5,8 @@ all:
ansible_host: 10.20.0.42
dhcp-1:
ansible_host: 10.20.0.43
authoritative-1:
ansible_host: 10.20.0.44
children:
resolver:
hosts:
@ -12,3 +14,6 @@ all:
kea-dhcp:
hosts:
dhcp-1:
dns-authoritative:
hosts:
authoritative-1:


@ -0,0 +1,12 @@
$ORIGIN lab.r4.pm.
$TTL 3600
@ IN SOA knot.lab.r4.pm. admin.r4.pm. (
2024041800 ; serial number
12h ; refresh
15m ; update retry
3w ; expiry
2h ; minimum
)
@ 86400 IN NS knot.lab.r4.pm.
knot.lab.r4.pm. 86400 IN A 10.20.0.44


@ -0,0 +1,15 @@
---
- name: Restart knot
ansible.builtin.service:
state: restarted
name: knot
- name: Reload knot
ansible.builtin.service:
state: reloaded
name: knot
- name: Enable knot
ansible.builtin.service:
enabled: true
name: knot


@ -0,0 +1,58 @@
---
- name: Add knot pgp key
ansible.builtin.get_url:
url: https://pkg.labs.nic.cz/gpg
dest: /usr/share/keyrings/cznic-labs-pkg.gpg
mode: "0644"
validate_certs: true
checksum: sha512:e78a1404feff1040c86f4a199495e4a2cf82684b8ff22ffc318a9bffa0ddf45136e484bc17e4440660c089e1c186af77008c76fb463434611b1f60709b57ee52
changed_when: false
no_log: false
- name: Add knot repository
ansible.builtin.apt_repository:
repo: "deb [signed-by=/usr/share/keyrings/cznic-labs-pkg.gpg] https://pkg.labs.nic.cz/knot-dns {{ ansible_distribution_release }} main"
state: present
filename: knot-dns
- name: Install knot
ansible.builtin.apt:
name: knot
notify:
- Enable knot
- Restart knot
- name: Configure knot
ansible.builtin.template:
src: knot.conf.j2
dest: /etc/knot/knot.conf
owner: knot
mode: '0640'
notify: Restart knot
- name: Allow port 53 (DNS)
community.general.ufw:
rule: allow
port: "{{ item.port }}"
proto: "{{ item.proto }}"
with_items:
- { port: "53", proto: tcp }
- { port: "53", proto: udp }
- name: Create knot zones directory
ansible.builtin.file:
path: /var/lib/knot/zones/
state: directory
mode: '0750'
owner: knot
- name: Copy zone
ansible.builtin.copy:
src: "{{ item }}"
dest: /var/lib/knot/zones/
owner: knot
mode: '0640'
with_fileglob:
- zones/*
notify: Reload knot
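Review bot: `Enable knot` is a handler notified only by `Install knot`, so it runs solely on the play where the package changes; on a host where knot was already installed, or if a later task fails before handlers flush, the service is never enabled and will not come back after a reboot. Make enabling a regular task placed right after `Install knot` — an `ansible.builtin.service` task with `name: knot`, `enabled: true` and `state: started` — and keep only `Restart knot`/`Reload knot` as handlers. On `Add knot pgp key`, `changed_when: false` just masks the first-run download (with the sha512 pinned, an upstream key rotation makes the task fail rather than report a change), and `no_log: false` is the default, so both can be dropped.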


@ -0,0 +1,32 @@
server:
rundir: "/run/knot"
user: knot:knot
automatic-acl: on
listen: [ {{ listen_ip }}@53 ]
log:
- target: syslog
any: info
database:
storage: "/var/lib/knot"
acl:
{% for acl in acls %}
- id: {{ acl.id }}
address: {{ acl.address }}
action: {{ acl.action }}
{% endfor %}
template:
- id: default
storage: "/var/lib/knot/zones"
file: "%s.zone"
dnssec-signing: on
serial-policy: dateserial
zone:
{% for zone in zones %}
- domain: {{ zone.domain }}
acl: {{ zone.acl }}
{% endfor %}
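Review bot: The `default` template turns on `dnssec-signing` and the zone gets a DDNS `acl`, but nothing sets `zonefile-sync`/`journal-content`, so (at Knot's documented default of zonefile-sync 0 — confirm against the installed version) Knot writes the signed zone and every accepted UPDATE back to `/var/lib/knot/zones/%s.zone`. The `Copy zone` task in this role will then find a differing file on the next run, overwrite it with the static unsigned copy and reload, discarding the dynamic records and forcing a re-sign. Keep the on-disk file static and the dynamic state in the journal by adding to the template: `zonefile-sync: -1`, `journal-content: all`, `zonefile-load: difference-no-serial`, which is the combination Knot documents for signed and DDNS zones.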


@ -26,5 +26,5 @@
port: "{{ item.port }}"
proto: "{{ item.proto }}"
with_items:
- { port: "53", proto: "tcp" }
- { port: "53", proto: "udp" }
- { port: "53", proto: tcp }
- { port: "53", proto: udp }


@ -22,5 +22,9 @@ view:addr('{{ prefix }}', policy.all(policy.PASS))
view:addr('0.0.0.0/0', policy.all(policy.DROP))
view:addr('::/0', policy.all(policy.DROP))
{% for zones in forward %}
policy.add(policy.suffix(policy.FORWARD('{{ zones.address }}'), {todname('{{ zones.zone }}')}))
trust_anchors.add('{{ zones.ds }}')
{% endfor %}
log_target('stdout')
log_level('debug')
log_level('info')
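Review bot: `policy.FORWARD` on the added `policy.add(...)` line treats 10.20.0.44 as a recursive resolver, and as far as I recall Knot Resolver's documentation steers forwarding to an authoritative server towards `policy.STUB` instead; STUB, however, disables DNSSEC validation for that subtree, which would make the `trust_anchors.add` line moot. Before relying on this, verify end to end from a client that a lab.r4.pm name resolves through kresd with the AD flag (`kdig +dnssec @<resolver> lab.r4.pm. SOA`) and that a deliberately wrong DS yields SERVFAIL; if FORWARD turns out not to work against Knot DNS, the fallback is STUB without validation, and a comment here should say so explicitly. Minor: the loop variable `zones` holds one entry per iteration, so `zone` would read more naturally, and the enclosing file starts before this hunk.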