diff --git a/ansible.cfg b/ansible.cfg
index 805406f..dd28116 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -4,3 +4,4 @@ pipelining = True
 vars_plugins_enabled = host_group_vars,community.sops.sops
 collections_path = ./
 roles_path = ./galaxy-roles
+interpreter_python = python3
diff --git a/inventories/chaosknoten/host_vars/auth-dns.sops.yaml b/inventories/chaosknoten/host_vars/auth-dns.sops.yaml
index 1899a27..b69debc 100644
--- a/inventories/chaosknoten/host_vars/auth-dns.sops.yaml
+++ b/inventories/chaosknoten/host_vars/auth-dns.sops.yaml
@@ -1,4 +1,5 @@
 ansible_pull__age_private_key: ENC[AES256_GCM,data:2kBG8j8JHa/dlXgWMdbSobulFdVunf052T1QQfm1X2vpEZx2HPCL87fWea+O0WOg7+eoMYbiShu0Vw1eTjb+687LjU8l4cj2JWIajnYfDGH+ipWXojxj613C3RZV3JfDOclVTwP8fCHu7z7P3fKrsKWb5d3t2ohTT+sGdVdimakAOf192CkufcVIthq2imiWbntiMTOdMGJxyIjqT2Io2H89nSbJXkONsuHCF/PbxhryB2LZbl8aZV32knk=,iv:hpscVc7iO4r/h31vS6Zno2pkEsgA2uR7wD/1PjH1znM=,tag:ypiwFtgeXuj4gOsgTCRTBw==,type:str]
+knot__dnssec_key_secret: ENC[AES256_GCM,data:WPFTLyJIttFtqqTZV2fGN0Tt1vRS318TGmd2YqNzYisE3TBi6Z2aClxuYh56Q+j7TUQwCvga3jd5w017sEz3kA==,iv:umaFHBCy9AZgNFv7uXLCtO0o/NZDAZ1QNg5DcGHWEW8=,tag:oR92C1Uj5iXU9L02MqzGSQ==,type:str]
 sops:
 age:
 - recipient: age18zgt4y2sd75hxnpe333zz39048ctxpr0q8a3uqh3jajjkyawsdrq8yg5ve
@@ -10,8 +11,8 @@ sops:
 MEZQTHZXNExsSnl0WW9Vb29sajE1YzAKoYU7rGuR+52+U02uf3eTH9hkIECWdcJv
 wN9JTwsUn0c6mi/d4AHgv5O04Uw7NxUyGVmFlDZzjxLwPzZyR73SvA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2026-04-29T19:21:55Z"
- mac: ENC[AES256_GCM,data:RLXsIsSdrCuElYQ3x2YpwYzQx0V0zoYP6h9FLD+RqmZ1pWhlk6Ijp9WxCAlEWps9n5rPYYyhZ3ldSJluTVeroPwpzrmwW+xXCGsCC0BFk6PuB4UynfHwWR/3jEK47nAdPbNfONhzGfOeTObYp22c3iHiKL8YochOSlBToA8mFr4=,iv:fZZEa3C/BsNKGdTKlR/hexrzhmLxiMVxgL9nXjX2Q1E=,tag:I5M8SNbSw4w1crsl0z/5+Q==,type:str]
+ lastmodified: "2026-05-01T17:08:09Z"
+ mac: ENC[AES256_GCM,data:TaMWf1ESs8nYzxkElMYtsz+/Be0PtI7FA0q6IFK+ob4dl/EN+AeTD7Pp0MZF8zcRvZ4hF0Ybimet5bwVR+d7UIXlXz3qP//pX68JDCvcLMQuhNtm6Ws+mwVxkpxEvBr1PtxlSvcQ76vH3ryEsXkP84gmlCDEdX1GAZYZ9ZS3Cfk=,iv:g3tzUfTPNUQyOAxWJEFPHg0IAPAzQgwYABHm4mFOOrI=,tag:C6KE/bg/3jS7Wc56y6YOJQ==,type:str]
 pgp:
 - created_at: "2026-04-29T19:18:43Z"
 enc: |-
diff --git a/inventories/chaosknoten/host_vars/auth-dns.yaml b/inventories/chaosknoten/host_vars/auth-dns.yaml
new file mode 100644
index 0000000..970e2f8
--- /dev/null
+++ b/inventories/chaosknoten/host_vars/auth-dns.yaml
@@ -0,0 +1,62 @@
+---
+deploy_systemd_resolved_config__enable: false
+
+alloy_config_additional: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/auth-dns/alloy/knot-exporter.alloy') }}"
+
+knot__dnssec_key_id: "auth-dns.hamburg.ccc.de-1"
+knot__remotes:
+ - id: ns-intern.hamburg.ccc.de
+ address: [ "2a00:14b0:f000:23::53", "172.31.17.53" ]
+
+knot__catalog_zones:
+ - domain: "hamburg.ccc.de.catalog."
+
+knot__zones:
+ - domain: "hh.ccc.de."
+ catalog_member: "hamburg.ccc.de.catalog."
+ notify_targets: [ "ns-intern.hamburg.ccc.de" ]
+ content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/hh.ccc.de.zone') }}"
+
+ - domain: "ccchh.net."
+ catalog_member: "hamburg.ccc.de.catalog."
+ notify_targets: [ "ns-intern.hamburg.ccc.de" ]
+ content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/ccchh.net.zone') }}"
+
+ - domain: "hamburg.ccc.de."
+ catalog_member: "hamburg.ccc.de.catalog."
+ notify_targets: [ "ns-intern.hamburg.ccc.de" ]
+ content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone') }}"
+
+ - domain: "eh20.easterhegg.eu."
+ catalog_member: "hamburg.ccc.de.catalog."
+ notify_targets: [ "ns-intern.hamburg.ccc.de" ]
+ content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/eh20.easterhegg.eu.zone') }}"
+
+ - domain: "eh22.easterhegg.eu."
+ catalog_member: "hamburg.ccc.de.catalog."
+ notify_targets: [ "ns-intern.hamburg.ccc.de" ]
+ content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/eh22.easterhegg.eu.zone') }}"
+
+ - domain: "3.2.0.0.0.0.0.f.0.b.4.1.0.0.a.2.ip6.arpa."
+ notify_targets: [ "ns-intern.hamburg.ccc.de" ]
+ content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/3.2.0.0.0.0.0.f.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}"
+
+ - domain: "2.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa."
+ notify_targets: [ "ns-intern.hamburg.ccc.de" ]
+ content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/2.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}"
+
+ - domain: "3.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa."
+ notify_targets: [ "ns-intern.hamburg.ccc.de" ]
+ content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/3.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}"
+
+ - domain: "4.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa."
+ notify_targets: [ "ns-intern.hamburg.ccc.de" ]
+ content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/4.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}"
+
+ - domain: "5.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa."
+ notify_targets: [ "ns-intern.hamburg.ccc.de" ]
+ content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/5.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}"
+
+ - domain: "6.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa."
+ notify_targets: [ "ns-intern.hamburg.ccc.de" ]
+ content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/6.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}"
diff --git a/inventories/chaosknoten/host_vars/cloud.yaml b/inventories/chaosknoten/host_vars/cloud.yaml
index 9c28d58..0a1d845 100644
--- a/inventories/chaosknoten/host_vars/cloud.yaml
+++ b/inventories/chaosknoten/host_vars/cloud.yaml
@@ -1,7 +1,7 @@
 # renovate: datasource=docker depName=git.hamburg.ccc.de/ccchh/oci-images/nextcloud
 nextcloud__version: 32
 # renovate: datasource=docker depName=docker.io/library/postgres
-nextcloud__postgres_version: 15.17
+nextcloud__postgres_version: 18.3
 nextcloud__fqdn: cloud.hamburg.ccc.de
 nextcloud__data_dir: /data/nextcloud
 nextcloud__extra_configuration: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/cloud/nextcloud/extra_configuration.config.php.j2') }}"
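Review bot: `knot__remotes` declares `ns-intern.hamburg.ccc.de` by address only, and every zone's `notify_targets` points at it, but nothing in this file binds a TSIG key to that remote; unless the knot role supplies one elsewhere (not visible in this diff), NOTIFY to that remote and any transfer ACL keyed on it rest on source-address matching alone. Consider attaching a key reference to the remote entry and keeping its secret next to `knot__dnssec_key_secret` in the sops-encrypted host_vars. Separately, each zone's `content` is the raw file via `lookup('ansible.builtin.file', ...)`, so the SOA serial inside each `.zone` file has to be bumped by hand on every edit; if the role does not rewrite serials, a comment above `knot__zones:` such as `# bump the SOA serial in the zone file on every change; nothing here does it for you` would save the next editor a silent non-propagation.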
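Review bot: `nextcloud__postgres_version` moves from 15.17 to 18.3, a major-version change, and a PostgreSQL 18 server cannot open a data directory initialised by 15; unless the nextcloud role performs a pg_upgrade or dump/restore (not visible here), the database container will refuse to start after this deploys. Gate the bump behind an explicit upgrade step before merging. Independently, quote the value, `nextcloud__postgres_version: "18.3"`, so a later `18.10` is not read by YAML as the float 18.1.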
diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml
index a6cea9b..9dab323 100644
--- a/inventories/chaosknoten/hosts.yaml
+++ b/inventories/chaosknoten/hosts.yaml
@@ -224,6 +224,7 @@ alloy_hosts:
 spaceapiccc:
 www2:
 www3:
+ auth-dns:
 infrastructure_authorized_keys_hosts:
 hosts:
 ccchoir:
diff --git a/playbooks/deploy.yaml b/playbooks/deploy.yaml
index e032782..a3b047b 100644
--- a/playbooks/deploy.yaml
+++ b/playbooks/deploy.yaml
@@ -101,3 +101,8 @@
 - name: Run ensure_eh22_styleguide_dir Playbook
 ansible.builtin.import_playbook: ensure_eh22_styleguide_dir.yaml
+
+- name: Setup authoritative dns servers
+ hosts: auth-dns
+ roles:
+ - knot
diff --git a/resources/chaosknoten/auth-dns/alloy/knot-exporter.alloy b/resources/chaosknoten/auth-dns/alloy/knot-exporter.alloy
new file mode 100644
index 0000000..1e532a1
--- /dev/null
+++ b/resources/chaosknoten/auth-dns/alloy/knot-exporter.alloy
@@ -0,0 +1,6 @@
+prometheus.scrape "knot_exporter" {
+ targets = [
+ {"__address__" = "localhost:9433", "instance" = "{{ ansible_facts['hostname'] }}"},
+ ]
+ forward_to = [ prometheus.relabel.chaosknoten_common.receiver ]
+}
diff --git a/resources/chaosknoten/auth-dns/zones/2.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone b/resources/chaosknoten/auth-dns/zones/2.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
new file mode 100644
index 0000000..baacd63
--- /dev/null
+++ b/resources/chaosknoten/auth-dns/zones/2.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
@@ -0,0 +1,16 @@
+$TTL 7200
+
+@ IN SOA auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de. (
+ 2023073001
+ 10800
+ 3600
+ 3600000
+ 86400 )
+
+ IN NS auth-dns.hamburg.ccc.de.
+ IN NS ns.vie.ccc.de.
+
+; 2a00:14b0:4200:3000:122::1
+
+1.0.0.0.0.0.0.0.0.0.0.0 IN PTR turing.hamburg.ccc.de.
+
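Review bot: The new `Setup authoritative dns servers` play is written inline in playbooks/deploy.yaml, whereas the surrounding entries (see `Run ensure_eh22_styleguide_dir Playbook` in the hunk's context) each delegate to a separate playbook through `ansible.builtin.import_playbook`. For consistency with the rest of the file, move the play into its own playbook and keep only `- name: Run knot Playbook` followed by `ansible.builtin.import_playbook: <knot-playbook>.yaml` here (file name is a placeholder to fill in). That also keeps deploy.yaml a pure index of plays, which is how it reads today.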
diff --git a/resources/chaosknoten/auth-dns/zones/3.2.0.0.0.0.0.f.0.b.4.1.0.0.a.2.ip6.arpa.zone b/resources/chaosknoten/auth-dns/zones/3.2.0.0.0.0.0.f.0.b.4.1.0.0.a.2.ip6.arpa.zone
new file mode 100644
index 0000000..e06c4a2
--- /dev/null
+++ b/resources/chaosknoten/auth-dns/zones/3.2.0.0.0.0.0.f.0.b.4.1.0.0.a.2.ip6.arpa.zone
@@ -0,0 +1,43 @@
+$TTL 7200
+
+@ IN SOA auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de. (
+ 2025020102
+ 10800
+ 3600
+ 3600000
+ 86400 )
+
+ IN NS auth-dns.hamburg.ccc.de.
+ IN NS ns.vie.ccc.de.
+
+; ccchh firewall / tunnelendpunkte:
+1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR fwhh.hamburg.ccc.de.
+
+6.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR jabber.hamburg.ccc.de.
+3.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR ns.hamburg.ccc.de.
+0.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR rproxy.hamburg.ccc.de.
+2.2.1.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR oldturing.hamburg.ccc.de.
+3.3.1.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR gitlab-intern.hamburg.ccc.de.
+5.3.1.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR fftest.hamburg.ccc.de.
+4.1.0.0.0.0.0.0.0.0.0.0.8.4.0.0 IN PTR wiki.attraktor.org.
+1.0.0.0.0.0.0.0.0.1.2.0.0.5.0.0 IN PTR lokal.ccc.de.
+1.0.0.0.0.0.0.0.2.1.2.0.0.5.0.0 IN PTR eh20.hamburg.ccc.de.
+1.0.0.0.0.0.0.0.3.1.2.0.0.5.0.0 IN PTR cryptoparty.hamburg.ccc.de.
+
+1.0.0.0.0.0.0.0.0.4.1.0.1.5.0.0 IN PTR shellhost.hamburg.ccc.de.
+
+1.0.0.0.0.0.0.0.0.3.1.0.1.5.0.0 IN PTR unallocated.hamburg.ccc.de.
+1.0.0.0.0.0.0.0.1.3.1.0.1.5.0.0 IN PTR cms.hamburg.ccc.de.
+1.0.0.0.0.0.0.0.2.3.1.0.1.5.0.0 IN PTR lists.hamburg.ccc.de.
+1.0.0.0.0.0.0.0.3.3.1.0.1.5.0.0 IN PTR cow.hamburg.ccc.de.
+1.0.0.0.0.0.0.0.4.3.1.0.1.5.0.0 IN PTR srv01.hamburg.freifunk.net.
+1.0.0.0.0.0.0.0.5.3.1.0.1.5.0.0 IN PTR fftest.hamburg.ccc.de.
+1.0.0.0.0.0.0.0.6.3.1.0.1.5.0.0 IN PTR git.hamburg.ccc.de.
+1.0.0.0.0.0.0.0.7.3.1.0.1.5.0.0 IN PTR unallocated.hamburg.ccc.de.
+1.0.0.0.0.0.0.0.8.3.1.0.1.5.0.0 IN PTR unallocated.hamburg.ccc.de.
+1.0.0.0.0.0.0.0.9.3.1.0.1.5.0.0 IN PTR jitsi.hamburg.ccc.de.
+1.0.0.0.0.0.0.0.0.4.1.0.1.5.0.0 IN PTR shells.hamburg.ccc.de.
+1.0.0.0.0.0.0.0.1.4.1.0.1.5.0.0 IN PTR mumble.hamburg.ccc.de.
+1.0.0.0.0.0.0.0.2.4.1.0.1.5.0.0 IN PTR regio-stage.hamburg.ccc.de.
+1.0.0.0.0.0.0.0.4.0.2.0.1.5.0.0 IN PTR eh22hub.hamburg.ccc.de.
+1.0.0.0.0.0.0.0.5.0.2.0.1.5.0.0 IN PTR eh22hub-meta.hamburg.ccc.de.
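Review bot: The owner `1.0.0.0.0.0.0.0.0.4.1.0.1.5.0.0` (2a00:14b0:f000:23:51:140:0:1) appears twice in this zone, once with `PTR shellhost.hamburg.ccc.de.` and again, further down, with `PTR shells.hamburg.ccc.de.`; in hamburg.ccc.de.zone of the same change `shells` is a CNAME to `shellhost`, so the second PTR is redundant and makes reverse lookups order-dependent for clients that take only the first answer. Keep just `1.0.0.0.0.0.0.0.0.4.1.0.1.5.0.0 IN PTR shellhost.hamburg.ccc.de.` and drop the `shells` line. Two PTR RRs are valid, so this is a hygiene point rather than a load failure.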
diff --git a/resources/chaosknoten/auth-dns/zones/3.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone b/resources/chaosknoten/auth-dns/zones/3.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
new file mode 100644
index 0000000..6972a51
--- /dev/null
+++ b/resources/chaosknoten/auth-dns/zones/3.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
@@ -0,0 +1,15 @@
+$TTL 7200
+
+@ IN SOA auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de. (
+ 2023072900
+ 10800
+ 3600
+ 3600000
+ 86400 )
+
+ IN NS auth-dns.hamburg.ccc.de.
+ IN NS ns.vie.ccc.de.
+
+; 2a00:14b0:4200:3000:123::1
+
+1.0.0.0.0.0.0.0.0.0.0.0 IN PTR unused.hamburg.ccc.de.
diff --git a/resources/chaosknoten/auth-dns/zones/4.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone b/resources/chaosknoten/auth-dns/zones/4.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
new file mode 100644
index 0000000..a43bc06
--- /dev/null
+++ b/resources/chaosknoten/auth-dns/zones/4.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
@@ -0,0 +1,15 @@
+$TTL 7200
+
+@ IN SOA auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de. (
+ 2023072900
+ 10800
+ 3600
+ 3600000
+ 86400 )
+
+ IN NS auth-dns.hamburg.ccc.de.
+ IN NS ns.vie.ccc.de.
+
+; 2a00:14b0:4200:3000:124::1
+
+1.0.0.0.0.0.0.0.0.0.0.0 IN PTR unused.hamburg.ccc.de.
diff --git a/resources/chaosknoten/auth-dns/zones/5.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone b/resources/chaosknoten/auth-dns/zones/5.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
new file mode 100644
index 0000000..b03dcc7
--- /dev/null
+++ b/resources/chaosknoten/auth-dns/zones/5.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
@@ -0,0 +1,15 @@
+$TTL 7200
+
+@ IN SOA auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de. (
+ 2023072900
+ 10800
+ 3600
+ 3600000
+ 86400 )
+
+ IN NS auth-dns.hamburg.ccc.de.
+ IN NS ns.vie.ccc.de.
+
+; 2a00:14b0:4200:3000:125::1
+
+1.0.0.0.0.0.0.0.0.0.0.0 IN PTR public-reverse-proxy.hamburg.ccc.de.
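Review bot: In 4.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone the only PTR maps `2a00:14b0:4200:3000:124::1` to `unused.hamburg.ccc.de.`, yet hamburg.ccc.de.zone in this same change assigns that address to the new server with `auth-dns IN AAAA 2a00:14b0:4200:3000:124::1`. A nameserver whose reverse name says "unused" fails forward-confirmed reverse DNS checks and looks wrong in peers' logs; change the record to `1.0.0.0.0.0.0.0.0.0.0.0 IN PTR auth-dns.hamburg.ccc.de.`. The IPv4 side carries the same mismatch, `124.48.12.212.rdns IN PTR ip-48-124.hamburg.ccc.de.` against `auth-dns IN A 212.12.48.124` (that hamburg.ccc.de.zone hunk runs past the end of this excerpt).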
diff --git a/resources/chaosknoten/auth-dns/zones/6.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone b/resources/chaosknoten/auth-dns/zones/6.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
new file mode 100644
index 0000000..3de9e09
--- /dev/null
+++ b/resources/chaosknoten/auth-dns/zones/6.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone
@@ -0,0 +1,15 @@
+$TTL 7200
+
+@ IN SOA ns.hamburg.ccc.de. haegar.ccc.de. (
+ 2023073001
+ 10800
+ 3600
+ 3600000
+ 86400 )
+
+ IN NS auth-dns.hamburg.ccc.de.
+ IN NS ns.vie.ccc.de.
+
+; 2a00:14b0:4200:3000:126::1
+
+1.0.0.0.0.0.0.0.0.0.0.0 IN PTR chaosknoten.hamburg.ccc.de.
diff --git a/resources/chaosknoten/auth-dns/zones/ccchh.net.zone b/resources/chaosknoten/auth-dns/zones/ccchh.net.zone
new file mode 100644
index 0000000..40d4c94
--- /dev/null
+++ b/resources/chaosknoten/auth-dns/zones/ccchh.net.zone
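Review bot: The SOA in 6.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone names `ns.hamburg.ccc.de. haegar.ccc.de.` as MNAME/RNAME while the zone's NS RRset is `auth-dns.hamburg.ccc.de.` and `ns.vie.ccc.de.`, so the primary declared in the SOA is not a listed nameserver; the sibling reverse zones in this change all use `auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de.`, so change the SOA line to `@ IN SOA auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de. (`. The same MNAME/NS mismatch appears in eh20.easterhegg.eu.zone (MNAME `auth-intern.hamburg.ccc.de.`, a name I cannot find defined anywhere in this diff) and eh22.easterhegg.eu.zone (MNAME `ns.hamburg.ccc.de.`), and in inverted form in hamburg.ccc.de.zone, whose SOA names `auth-dns` but whose NS RRset is `ns.hamburg.ccc.de.` and `ns.vie.ccc.de.`. MNAME is what dynamic-update clients and some secondaries use to locate the primary, so it should name a server that actually serves the zone.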
@@ -0,0 +1,73 @@
+$ORIGIN .
+$TTL 900 ; 15 minutes
+ccchh.net IN SOA auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de. (
+ 2026042801 ; serial
+ 86400 ; refresh (1 day)
+ 7200 ; retry (2 hours)
+ 3600000 ; expire (5 weeks 6 days 16 hours)
+ 7200 ; minimum (2 hours)
+ )
+ NS auth-dns.hamburg.ccc.de.
+ NS ns.vie.ccc.de.
+
+$ORIGIN ccchh.net.
+aes A 212.12.48.125
+club-assistant AAAA 2a07:c481:1:d0::a
+;_acme-challenge.club-assistant CNAME d50ad73a-f82d-4244-87f0-6f5195b37d21.auth.acmedns.hamburg.ccc.de
+club-assistant.z9 AAAA 2a07:c481:1:d0::a
+;_acme-challenge.club-assistant.z9 CNAME 0efa74d1-7dcd-478b-bdc5-5b76d0f07642.auth.acmedns.hamburg.ccc.de
+esphome AAAA 2a07:c481:1:d0::66
+esphome.z9 AAAA 2a07:c481:1:d0::66
+zigbee2mqtt A 185.161.129.132
+light AAAA 2a07:c481:1:d0::16
+_acme-challenge.light CNAME e59f55ee-9013-469d-a146-a159721b6fea.auth.acmedns.hamburg.ccc.de.
+light.z9 AAAA 2a07:c481:1:d0::16
+_acme-challenge.light.z9 CNAME 3bc9e7ce-03dd-4533-a059-b5d38407eaa5.auth.acmedns.hamburg.ccc.de.
+light-werkstatt AAAA 2a07:c481:1:d0::16
+_acme-challenge.light-werkstatt CNAME f408acc0-d9f5-4525-bb01-28938e3bb7d0.auth.acmedns.hamburg.ccc.de.
+mailserver-endpoint A 82.165.121.46
+ns1 A 185.161.129.133
+send-only-mail MX 10 send-only-mailserver
+ TXT "v=spf1 mx -all"
+send-only-mailserver A 82.165.121.46
+send-only-mailserver-access A 185.161.129.132
+thinkcccore0 AAAA 2a07:c481:1:f2::3
+thinkcccore0.z9 AAAA 2a07:c481:1:f2::3
+thinkcccore1 AAAA 2a07:c481:1:f2::4
+thinkcccore1.z9 AAAA 2a07:c481:1:f2::4
+opnsense AAAA 2a07:c481:1:f2::1
+opnsense.z9 AAAA 2a07:c481:1:f2::1
+pbs AAAA 2a07:c481:1:f2::4
+thinkcccore2 AAAA 2a07:c481:1:f2::5
+thinkcccore2.z9 AAAA 2a07:c481:1:f2::5
+thinkcccore3 AAAA 2a07:c481:1:f2::6
+thinkcccore3.z9 AAAA 2a07:c481:1:f2::6
+miniscccore0 AAAA 2a07:c481:1:f2::9
+miniscccore0.z9 AAAA 2a07:c481:1:f2::9
+uptime-kuma A 185.161.129.132
+status AAAA 2a07:c481:1:ce::a
+status.z9 AAAA 2a07:c481:1:ce::a
+wiki A 212.12.48.125
+hmdooris-ccu A 10.31.208.202
+buba A 10.31.211.137
+buba.z9 A 10.31.211.137
+dooris AAAA 2a07:c481:1:d0::1c
+_acme-challenge.dooris CNAME 37caae1f-b77f-4eb1-aa71-dc3f7ed24360.auth.acmedns.hamburg.ccc.de
+waybackproxy A 10.31.208.99
+yate A 10.31.208.12
+staubiv2 A 10.31.210.233
+staubiv2.z9 A 10.31.210.233
+; Mail: hosts.z9.ccchh.net
+hosts.z9 MX 10 cow.hamburg.ccc.de
+ TXT "v=spf1 mx -all"
+dkim._domainkey.hosts.z9 TXT ("v=DKIM1;k=rsa;t=s;s=email;"
+ "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvsdypQ/tlrzto5KVP"
+ "5o7tEblXK/hOVRFB683uODzo26XTFMSRGjumMuo/tej59GMePdUu0uIsdq8hfj8"
+ "ot0R2OQNazdyp4NW4TUWfFGJ4S2f6LR3lE3I5Lw7fHiYHz0GnCGTqZIItkHK+xQ"
+ "i5Fdhwd1YbFJtO0XiZ0jY5w6pvny6pEH8WaKX85rEmz2zqCtpiYPRPmoK/Tn+rV"
+ "2e8fVioMRm9W8E4PU42WLds66qOkFR0KjKIavE6y7JahESEoVGcVnSPdtMOX0Ln"
+ "KbSMQNrTvNbBoPdLYvNaXOw7TmVPKjDV+FRCIIdK+m0fL82/vm5jPBvDr5+WlM1"
+ "xV/P/KlSnQIDAQAB")
+$ORIGIN send-only-mail.ccchh.net.
+_dmarc TXT "v=DMARC1;p=quarantine;"
+key._domainkey TXT "v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDqduM4+SQ+IQ2uAxbjFkd+0hAjohTgT3nM76jyrWGHJ8TizNU2PGkta0NjCq+m9VLBZUjIJphW2vrnlJsnN0JkGAdoLBL3Qs0kShT6V+xsxslZG2KHApihnJUp34tPSMES+aTnD+jEPGyxFLeoiK+3gywNhCGalHSQ+G88Z2n59wIDAQAB"
diff --git a/resources/chaosknoten/auth-dns/zones/eh20.easterhegg.eu.zone b/resources/chaosknoten/auth-dns/zones/eh20.easterhegg.eu.zone
new file mode 100644
index 0000000..2820b68
--- /dev/null
+++ b/resources/chaosknoten/auth-dns/zones/eh20.easterhegg.eu.zone
@@ -0,0 +1,27 @@
+$TTL 7200
+
+@ IN SOA auth-intern.hamburg.ccc.de. noc.hamburg.ccc.de. (
+ 2025021101
+ 10800
+ 3600
+ 3600000
+ 86400 )
+
+ IN NS auth-dns.hamburg.ccc.de.
+ IN NS ns.vie.ccc.de.
+
+ IN MX 5 nomail.ccc.de.
+ ;IN MX 10 local-mail.hamburg.ccc.de.
+ IN MX 10 vworker02.irz42.net.
+ IN MX 23 nomail2.ccc.de.
+ IN MX 42 nomail3.ccc.de.
+
+ IN TXT "v=spf1 mx ip4:144.76.16.19/32 ip4:212.12.51.133/32 ip6:2a01:4f8:191:331::2/128 ip6:2a00:14b0:f000:23:51:133:0:1/128 ~all"
+
+ IN A 212.12.48.125
+ IN AAAA 2a00:14b0:4200:3000:125::1
+
+localhost IN A 127.0.0.1
+
+* IN CNAME @
+www IN CNAME @
diff --git a/resources/chaosknoten/auth-dns/zones/eh22.easterhegg.eu.zone b/resources/chaosknoten/auth-dns/zones/eh22.easterhegg.eu.zone
new file mode 100644
index 0000000..32d9d04
--- /dev/null
+++ b/resources/chaosknoten/auth-dns/zones/eh22.easterhegg.eu.zone
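Review bot: Two right-hand names in ccchh.net.zone lack the trailing dot and are therefore expanded relative to the active `$ORIGIN ccchh.net.`: `_acme-challenge.dooris CNAME 37caae1f-b77f-4eb1-aa71-dc3f7ed24360.auth.acmedns.hamburg.ccc.de` resolves to `...auth.acmedns.hamburg.ccc.de.ccchh.net.`, and `hosts.z9 MX 10 cow.hamburg.ccc.de` to `cow.hamburg.ccc.de.ccchh.net.`; the first breaks ACME DNS-01 validation for dooris, the second directs mail for hosts.z9.ccchh.net at a name that does not exist. Append the dot on both, `_acme-challenge.dooris CNAME 37caae1f-b77f-4eb1-aa71-dc3f7ed24360.auth.acmedns.hamburg.ccc.de.` and `hosts.z9 MX 10 cow.hamburg.ccc.de.`. The other live `_acme-challenge.*` CNAMEs in the file (e.g. `_acme-challenge.light`) and the SOA already carry it, so this is an inconsistency rather than a convention.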
@@ -0,0 +1,45 @@
+$TTL 600
+
+@ IN SOA ns.hamburg.ccc.de. mail.hamburg.ccc.de. (
+ 2026033101
+ 10800
+ 3600
+ 3600000
+ 86400 )
+
+ IN NS auth-dns.hamburg.ccc.de.
+ IN NS ns.vie.ccc.de.
+
+ IN A 212.12.48.125
+ IN AAAA 2a00:14b0:4200:3000:125::1
+
+ IN MX 10 cow.hamburg.ccc.de.
+;autodiscover IN CNAME cow.hamburg.ccc.de.
+;_autodiscover._tcp IN SRV 10 cow.hamburg.ccc.de. 443
+;autoconfig IN CNAME cow.hamburg.ccc.de
+
+ IN TXT "v=spf1 mx ip4:144.76.16.19/32 ip4:212.12.51.133/32 ip6:2a01:4f8:191:331::2/128 ip6:2a00:14b0:f000:23:51:133:0:1/128 ~all"
+;_dmarc IN TXT **TODO**
+
+dkim._domainkey IN TXT ( "v=DKIM1;k=rsa;t=s;s=email;p=MIIBIjANBgkqhk"
+ "iG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqoWo7mbis3REqBURP3ZQZwOY7RSsS7"
+ "TY9eFHvW/O83YseEHoIQmeKkHj1lRrP+6Jhow2XngveBzt/m5AQclLVMURt5"
+ "2zsLCtiXxOYMLIIAgFOfxGjMdfqh9+X0wuOqHgoZiP2uBfAWLKfV/CZcovI/"
+ "0d2d7vQvc+7PJwZ9htoIu3NesasOFsrhv1yfFJidC87focQdaVKfD9cF68/w"
+ "2Ri2TGzcSQHAiIxJq3MgawSJZiyVD+psZdzZDB1YIw8NJxmDskzFicTLrYyH"
+ "8XOf5f5lOWjRYrfe0H8sAe1NBb/OP2T7Qs3S9DQosMSPwyALC3FPZKsVMbtI"
+ "mr8F+J+M/H9QIDAQAB" )
+
+localhost IN A 127.0.0.1
+
+intern IN A 172.31.17.212
+cfp IN CNAME public-reverse-proxy.hamburg.ccc.de.
+_acme-challenge.cfp CNAME 295a66d4-1d71-49f3-a80a-1f7527ec9cca.auth.acmedns.hamburg.ccc.de.
+netbox IN CNAME public-reverse-proxy.hamburg.ccc.de.
+presale IN A 78.47.203.122
+ IN AAAA 2a01:4f8:1c17:b147::2
+pretix IN A 78.47.203.122
+ IN AAAA 2a01:4f8:1c17:b147::2
+engel IN A 167.235.129.15
+ IN AAAA 2a01:4f8:1c1b:e967::1
+radius IN A 94.45.254.130
diff --git a/resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone b/resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone
new file mode 100644
index 0000000..21a8d0e
--- /dev/null
+++ b/resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone
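Review bot: `;_dmarc IN TXT **TODO**` leaves eh22.easterhegg.eu without a DMARC record even though the zone publishes MX, SPF and a DKIM key, so receivers have no policy for mail that fails those checks and nowhere to send reports. A monitoring-only record is enough to start, e.g. `_dmarc IN TXT "v=DMARC1;p=none;rua=mailto:dmarc-report@hamburg.ccc.de"` (report address copied from the `_dmarc` record in hamburg.ccc.de.zone of this same change; adjust if a different mailbox is wanted), and the TODO line can then go.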
@@ -0,0 +1,520 @@
+; es wird jetzt der hostname mail.hamburg.ccc.de nicht mehr
+; verwendet, sondern statt dessen local-mail.hamburg.ccc.de
+; die popeye fuehlt sich immer noch unter mail.hamburg.ccc.de
+; angesprochen, und nimmt daher keine mails mit absender-adressen
+; die sie nicht kennt an.
+; ich hoffe diese aenderung arbeitet um diesen bug herum.
+; - haegar 2001.11.14
+
+$TTL 7200
+@ IN SOA auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de. (
+ 2026042903
+ 10800
+ 3600
+ 3600000
+ 86400 )
+
+ IN NS ns.hamburg.ccc.de.
+ IN NS ns.vie.ccc.de.
+
+$TTL 60
+ IN MX 10 cow.hamburg.ccc.de.
+; IN MX 10 local-mail.hamburg.ccc.de.
+$TTL 7200
+ IN TXT "v=spf1 mx ip4:212.12.51.133 ip6:2a00:14b0:f000:23:51:133:0:1 ip4:212.12.48.122 ip6:2a00:14b0:4200:3000:122::1 -all"
+
+ IN A 212.12.48.125
+ IN AAAA 2a00:14b0:4200:3000:125::1
+
+dkim._domainkey IN TXT ("v=DKIM1;k=rsa;t=s;s=email;"
+ "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4wZRajtsQTrVgXco7"
+ "1E2T+UDRxzzXJ+0F7m1UHiPpsjGQJ4Njs4Zc6qC21FLxhUIRFURy9mZ2mGk6hnL"
+ "w6wi0xm0N3MOH8BG/omPfWJcH4C1XXMk6trYSjhKQb4FzNbusAFoldIdwtt/aa/"
+ "GJBvRD+XYulvuyqolD2SGY62tAiXqls4ik2ZiDrIv+Dglg8b8fD4kzqe/aXlUvD"
+ "j3hCMHmyjE8mn8lYnS0QfSnV8NlqKwOhF+iwqfrhMI2bZFCQ+td03RtQjaXw5W+"
+ "30NMcOv6Se4vPDl4nUIBJZ/wP3CBz1k66VShHB+un7SxoUQuW0+oDqN4QHH338b"
+ "2dDOoBJndwIDAQAB")
+_dmarc IN TXT "v=DMARC1;p=none;sp=none;pct=100;rua=mailto:dmarc-report@hamburg.ccc.de;ruf=mailto:dmarc-report@hamburg.ccc.de;ri=86400;aspf=r;adkim=r;fo=1"
+
+
+localhost IN A 127.0.0.1
+
+dante._domainkey IN TXT ("v=DKIM1;k=rsa;t=s;s=email;"
+ "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzMLFoEXbD/IgP6TIz2KDZudbnYtcJ4QjdWiwEP5NMvugymzDCiLaKTwNUFycKA1TvW0Y7/x0EEgqcSjfV87GU8xs6qsArgbQWBCs9gPBInbA8LBX9RN/JX30pESh+jGfdNWl7mWkkyVuONUgy/vFHWswJZ72Lg96gyBBCAR1ABC7qM8PYjoFFlRR76PfZNV8YHRBM/1ypQthtjPf"
+ "NKhV8MksNIXPKhcQwy6/JAVpkUunVpOrsuf2K6RFVMrVNUEtEYkpZUPtnoTYwaB0rRLg0f+InHzKZx2uv6JexyWZOwxsv8Bv1I+jdiEkQMw9kORZ81sv2mcUO+0PubeYVpvWAwIDAQAB" )
+hansenerd._domainkey IN TXT ("v=DKIM1; k=rsa; "
+ "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDlxTgmc5Fe2aQc5razQYlk3OBGNePuevJQ7YVp5j5IM0ukBLM1erTR6DLZZvoGd2puKvfjlvejR3GRY4YXeZkCJoS0ZjwpR3Tfy8PzUbPNMt5e/buHGK1v+9E9zrl4vrxgYYYlYqjl1HF1K9oE5yPI1AIeUxzZpduheJASlxr9VwIDAQAB" ) ;
+
+
+; Proxmox Host:
+chaosknoten IN A 212.12.48.126
+ IN AAAA 2a00:14b0:4200:3000::126:1
+;chaosknoten-ipmi IN A 212.12.51.137; unused public IP
+chaosknoten-ipmi IN A 44.128.124.4
+
+; DMZ-Server:
+dmz-net IN A 212.12.50.208
+
+turing IN A 212.12.48.122
+ IN AAAA 2a00:14b0:4200:3000:122::1
+ IN MX 10 cow.hamburg.ccc.de.
+turing-chaosvpn IN AAAA 2001:6f8:126f:11::3
+ IN A 172.31.17.1
+turing-vpn IN CNAME turing-chaosvpn
+turing-vpngw IN A 212.12.48.122
+ IN AAAA 2a00:14b0:4200:3000:122::1
+turing-vzhost IN A 172.31.17.1
+ IN AAAA 2a00:14b0:4200:3000:122::1
+ IN MX 10 cow.hamburg.ccc.de.
+turing-vzhost2 IN CNAME turing-vzhost
+turing-router IN A 172.31.17.129
+
+turing-new IN A 172.31.17.132
+
+oldturing IN A 172.31.17.122
+ IN AAAA 2a00:14b0:f000:23::122
+ IN MX 10 cow.hamburg.ccc.de.
+turing-intern IN CNAME oldturing
+turing-intern2 IN A 172.31.17.142
+ IN AAAA 2a00:14b0:f000:23::122
+
+ns IN A 212.12.48.122
+ IN AAAA 2a00:14b0:f000:23::53
+ IN MX 10 cow.hamburg.ccc.de.
+ns-intern IN A 172.31.17.53
+ IN AAAA 2a00:14b0:f000:23::53
+ns-intern2 IN A 172.31.17.153
+ IN AAAA 2a00:14b0:f000:23::53
+
+vpn IN A 212.12.48.122
+ ; ipv4 only!
+www.vpn IN CNAME vpn
+cvpn-dns IN A 172.31.0.5
+chaosvpn-dns IN A 172.31.17.136
+
+turing-db IN A 172.31.17.135
+ IN MX 10 cow.hamburg.ccc.de.
+
+gitlab IN A 212.12.48.122
+ IN AAAA 2a00:14b0:4200:3000:122::1
+ ; ipv6 also has DNAT rules
+gitlab-intern IN A 172.31.17.133
+ IN AAAA 2a00:14b0:f000:23::133
+ IN MX 5 nomail.ccc.de.
+ IN MX 10 cow.hamburg.ccc.de.
+
+gitlab-cr IN CNAME gitlab
+
+gitlab-test IN A 212.12.48.122
+ IN AAAA 2a00:14b0:4200:3000:122::1
+ ; ipv6 also has DNAT rules
+gitlab-test-intern IN A 172.31.17.138
+ IN AAAA 2a00:14b0:f000:23::138
+ IN MX 5 nomail.ccc.de.
+ IN MX 10 cow.hamburg.ccc.de.
+
+gitlab-runner IN A 172.31.17.139
+ IN MX 5 nomail.ccc.de.
+ IN MX 10 cow.hamburg.ccc.de.
+
+lists IN A 212.12.51.132
+ IN AAAA 2a00:14b0:f000:23:51:132:0:1
+ IN MX 10 lists
+ IN TXT "v=spf1 mx -all"
+dkim._domainkey.lists IN TXT ("v=DKIM1; h=sha256; k=rsa; "
+ "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCvNlbGPBluV3q3eT1C6nJ"
+ "8KuSNAx9ycTO0urNkz4In1I2srmK8qPTfqfPU7y5kjHM1oC31+LwVNiyzeIQl"
+ "cdW00DMTHfzkQAjtdDXgKG5db4Dqw+2wtZfLGvBFOSfV0RspZmSDSN6ON81dk"
+ "lVABMMOA7Vd8wwIj0ms/gb/+AB0IQIDAQAB" )
+ccchoir-intern IN A 172.31.17.156
+
+cow IN A 212.12.51.133
+ IN AAAA 2a00:14b0:f000:23:51:133:0:1
+ IN MX 10 cow
+cow-intern IN A 172.31.17.201
+auth-dns IN A 212.12.48.124
+auth-dns IN AAAA 2a00:14b0:4200:3000:124::1
+
+cowtest IN MX 10 cow
+ IN TXT "v=spf1 mx -all"
+dkim._domainkey.cowtest IN TXT ("v=DKIM1;k=rsa;t=s;s=email;p="
+ "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy5aAMRgFdGdG+Ewmn"
+ "OZb8gdCjSSoFjTxu/GW9edVWU0zsRRQT9r6oF82Cn05jEKNra3D8tE48jBaDQ"
+ "GOAFa4BgjxiIfP/D36CaN2JT5sno3faSBkqaKoBG0zRD2UsNj/ROfHB844BOf"
+ "AUt4KFMMHUfO03Gu6ps9nq/QBsrR5Iq6sMv9WiftKjh4twS4S+Wz7ZXymY3yd"
+ "jRLI8r48pASg6IoiByV8kR3r7OZw9dzmNgbTCOEyKaicB4KJDjgJvQut8af8g"
+ "sYQYTCSPVqkwb5Y+yJNKhQmsYBwUX23x5Yng2gDBY/pjGeWl28SxdGhm8C23a"
+ "0wVCz4kQGNvcULnrzifwIDAQAB")
+_autodiscover._tcp.cowtest IN SRV 0 1 443 cow
+_caldavs._tcp.cowtest IN SRV 0 1 443 cow
+_caldavs._tcp.cowtest IN TXT "path=/SOGo/dav/"
+_carddavs._tcp.cowtest IN SRV 0 1 443 cow
+_carddavs._tcp.cowtest IN TXT "path=/SOGo/dav/"
+_imap._tcp.cowtest IN SRV 0 1 143 cow
+_imaps._tcp.cowtest IN SRV 0 1 993 cow
+_pop3._tcp.cowtest IN SRV 0 1 110 cow
+_pop3s._tcp.cowtest IN SRV 0 1 995 cow
+_sieve._tcp.cowtest IN SRV 0 1 4190 cow
+_smtps._tcp.cowtest IN SRV 0 1 465 cow
+_submission._tcp.cowtest IN SRV 0 1 587 cow
+
+
+mail IN A 212.12.48.122
+ IN MX 10 cow.hamburg.ccc.de.
+local-mail IN A 172.31.17.201 ; make hosts with relayhost=local-mail work
+;local-mail IN A 212.12.48.122
+; IN AAAA 2a00:14b0:f000:23::122
+; IN MX 10 cow.hamburg.ccc.de.
+
+jitsi-old IN A 49.12.8.103
+ IN AAAA 2a01:4f8:c17:392f::1
+jitsi IN A 212.12.51.139
+ IN AAAA 2a00:14b0:f000:23:51:139:0:1
+
+mumble IN A 212.12.51.141
+ IN AAAA 2a00:14b0:f000:23:51:141:0:1
+
+
+id IN A 212.12.48.125
+ IN AAAA 2a00:14b0:4200:3000:125::1
+keycloak-admin IN A 212.12.48.125
+ IN AAAA 2a00:14b0:4200:3000:125::1
+invite IN A 212.12.48.125
+ IN AAAA 2a00:14b0:4200:3000:125::1
+id IN MX 10 cow
+ IN TXT "v=spf1 mx -all"
+dkim._domainkey.id IN TXT ("v=DKIM1;k=rsa;t=s;s=email;p="
+ "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx6wcQjo7qgb1CMOv5"
+ "6odc7Ef8rocu3bv3JKBIqL/msuoEFOiXGpPZrwcWQJc7lS5tLTxR5XuP02D3D"
+ "Vif+8D3R8YzLsNMdLZ5moQacdJK2OFFiet2G3kWjBdKH1em9FwMa0MBWlk6LR"
+ "YWRgsByFBMNIItwkBmqmNrmrPRneRprLYQCf34McDmkzpzUpFdF5sgmbmDpdX"
+ "genmqXgBopvmnTeXa+kQnoVgrMyWE41zdWaXrDAtoYye3e31j0Nxhnfg+I7vO"
+ "XPfmatTH7yieDaLG+3kHjbA3WFyAkb/ZAqZaFM8k6cQJEZb7jDzdKlm1fuPrk"
+ "YUrfZ1V3pglzdm0QbM4wIDAQAB")
+
+matrix-intern IN A 172.31.17.150
+; have this for compatibility (like references in CI)
+public-web-static-intern IN AAAA 2a00:14b0:42:102::17
+git-intern IN A 172.31.17.154
+woodpecker-intern IN A 172.31.17.160
+penpot-intern IN A 172.31.17.162
+forgejo-runner-builder IN A 172.31.17.202
+renovate-forgejo IN A 172.31.17.163
+status IN AAAA 2a00:14b0:f001:100::fd
+status IN A 212.12.50.253
+design IN A 212.12.48.125
+ IN AAAA 2a00:14b0:4200:3000:125::1
+ IN MX 10 cow
+ IN TXT "v=spf1 mx -all"
+dkim._domainkey.design IN TXT ("v=DKIM1;k=rsa;t=s;s=email;p="
+ "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtod7q+mkIcZFe512v"
+ "jzXF0UfGmo8R6UxeJ/MCi/qjjN+sSqn4dohQx3NBhK3UF9/8Ze7FT5znTxeWj"
+ "Ks+le/dSS4CKxjSFAV1FjcaAqrUaxO1V8+fxcUSVzAQZXUVyNqqv+SAFUVJSE"
+ "3zZIuJim4F1HVVLvwbLJZ450ns8KQ7n3RNY2+mqQoxo8xmMg2QFOoQKlSYspC"
+ "TRTV4LM/n5Jm7Mm1F5DwJ+7Ie9s/WvTWKKKUExmoa5SNheGcfybC+sqnJu7L0"
+ "F5dWFwk0zzQDcVSY2m9qFWPEuO2fZmiB4IoG4yXkooSY2sH9Z8eX2+6i3k/ub"
+ "qx58Mav6VlkTxsOAdbbQIDAQAB")
+regio-stage IN A 212.12.51.142
+ AAAA 2a00:14b0:f000:23:51:142:0:1
+
+public-reverse-proxy IN A 212.12.48.125
+ IN AAAA 2a00:14b0:4200:3000:125::1
+public-reverse-proxy-intern IN A 172.31.17.140
+router IN A 212.12.48.123
+
+rproxy IN A 212.12.48.122
+ IN AAAA 2a00:14b0:4200:3000:122::1
+ IN MX 10 cow.hamburg.ccc.de.
+rproxy-intern IN A 172.31.17.180
+ IN AAAA 2a00:14b0:f000:23::80
+ IN MX 10 cow.hamburg.ccc.de.
+
+bildungsurlaub IN CNAME rproxy
+doku IN CNAME rproxy
+test IN CNAME rproxy
+www.test IN CNAME rproxy
+eh2003 IN CNAME public-reverse-proxy
+www.eh2003 IN CNAME public-reverse-proxy
+easterhegg2003 IN CNAME public-reverse-proxy
+www.easterhegg2003 IN CNAME public-reverse-proxy
+eh2005 IN CNAME public-reverse-proxy
+www.eh2005 IN CNAME public-reverse-proxy
+easterhegg2005 IN CNAME public-reverse-proxy
+www.easterhegg2005 IN CNAME public-reverse-proxy
+eh2007 IN CNAME public-reverse-proxy
+www.eh2007 IN CNAME public-reverse-proxy
+eh07 IN CNAME public-reverse-proxy
+www.eh07 IN CNAME public-reverse-proxy
+easterhegg2007 IN CNAME public-reverse-proxy
+www.easterhegg2007 IN CNAME public-reverse-proxy
+eh2009 IN CNAME public-reverse-proxy
+www.eh2009 IN CNAME public-reverse-proxy
+eh09 IN CNAME public-reverse-proxy
+www.eh09 IN CNAME public-reverse-proxy
+easterhegg2009 IN CNAME public-reverse-proxy
+www.easterhegg2009 IN CNAME public-reverse-proxy
+eh2011 IN CNAME public-reverse-proxy
+www.eh2011 IN CNAME public-reverse-proxy
+eh11 IN CNAME public-reverse-proxy
+www.eh11 IN CNAME public-reverse-proxy
+easterhegg2011 IN CNAME public-reverse-proxy
+www.easterhegg2011 IN CNAME public-reverse-proxy
+eh20 IN CNAME public-reverse-proxy
+
+oldwiki IN CNAME rproxy
+nonpublic.wiki IN CNAME rproxy
+www.nonpublic.wiki IN CNAME rproxy
+planet IN CNAME rproxy
+www.planet IN CNAME rproxy
+chaos-macht-schule IN CNAME rproxy
+www.chaos-macht-schule IN CNAME rproxy
+
+branding-resources IN CNAME public-reverse-proxy
+element IN CNAME public-reverse-proxy
+matrix IN CNAME public-reverse-proxy
+mas IN CNAME public-reverse-proxy
+element-admin IN CNAME public-reverse-proxy
+netbox IN CNAME public-reverse-proxy
+woodpecker IN CNAME public-reverse-proxy
+onlyoffice IN CNAME public-reverse-proxy
+pad IN CNAME public-reverse-proxy
+pretalx IN CNAME public-reverse-proxy
+spaceapi IN CNAME public-reverse-proxy
+staging IN CNAME public-reverse-proxy
+wiki IN CNAME public-reverse-proxy
+www IN CNAME public-reverse-proxy
+ntfy IN CNAME public-reverse-proxy
+sunders IN CNAME public-reverse-proxy
+spaceapiccc IN CNAME public-reverse-proxy
+acmedns IN CNAME public-reverse-proxy
+cpuccc IN CNAME public-reverse-proxy
+did IN CNAME public-reverse-proxy
+
+
+auth.acmedns IN NS acmedns.hosts.hamburg.ccc.de.
+
+git IN A 212.12.51.136
+ IN AAAA 2a00:14b0:f000:23:51:136::1
+git IN MX 10 cow
+ IN TXT "v=spf1 mx -all"
+dkim._domainkey.git IN TXT ("v=DKIM1;k=rsa;t=s;s=email;p="
+ "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsUGmKDns/qokxyz2u"
+ "lcyKIcs/S+zf+0wHCfhSOK4lLnws8U/wIny5FAW3zM/7TliqIftzZ2B0Cz8W6"
+ "YvmtgLyKqBzvCSG0dNYyy9TVeGM4HyrmLBbUkQdGGQwmoJTnCe9gT9z6GO9k2"
+ "uFfHJsk/iffU75x9iXqLXPGL/CGmLKuBmkYGda2rQ9ATUIpQhIxnerZvVc3RA"
+ "qwD8/pYvMLOqvCStVHM5Zi+j1Jr0BC8mxU8pIY6rfOVt+h/V3wh0F6dL0z9nw"
+ "ZhDE53K8frGp2CC5dW/A37FrfMJv+ODw2tX8EdyL2hDBshBQ4r8WiYJTtIMPL"
+ "50A9UzZndyiLAHoeLrZQIDAQAB")
+hackertours IN A 212.12.48.125
+ IN AAAA 2a00:14b0:4200:3000:125::1
+ MX 10 cow.hamburg.ccc.de.
+ IN TXT "v=spf1 mx -all"
+dkim._domainkey.hackertours IN TXT ("v=DKIM1;k=rsa;t=s;s=email;"
+ "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnG5J6rMvbOy7mmV4mKfN"
+ "7SSrtxKP/jI0XWwO2njO3jM6DkAGDpmRH69B5sOW/53/yg7MMdGytGfNAk61YJknP+"
+ "NGZNSk7F2p2aB+zoksLVcIKdY1YwicYS7l6Q7qWBfv8ctmGTzcwO0UEAizD6xdINN8"
+ "YmhHorgnxR3HbHeUmaxIe4WM2wWRYiD+9tpY1f0O/NEEoHxmFecRhU9SVmuhLgiOyF"
+ "AWpPYBMOsKEHoKREENc+4VBj6H2GYTKIs+dYKDNEmVVdnRkgtAVO3FrjCkedBJ7RbR"
+ "RNHIqdt9u8AF+Vrs1Oq72ZQrNVR0ezEyBScJaxy5JphvBWkMSYSoDpvXLwIDAQAB")
+staging.hackertours IN A 212.12.48.125
+ IN AAAA 2a00:14b0:4200:3000:125::1
+grafana IN A 212.12.48.125
+ IN AAAA 2a00:14b0:4200:3000:125::1
+tickets IN A 212.12.48.125
+ IN AAAA 2a00:14b0:4200:3000:125::1
+zammad IN A 212.12.48.125
+ IN AAAA 2a00:14b0:4200:3000:125::1
+
+loki IN CNAME grafana.hosts
+metrics IN CNAME grafana.hosts
+
+
+; chaos macht schule server
+cms IN A 212.12.51.131
+www.cms IN CNAME cms
+schule IN CNAME cms
+www.schule IN CNAME cms
+
+; Firewall:
+ovpn IN A 212.12.48.122
+fwhh-v6 IN A 212.12.50.214
+
+; (irc) nat ip
+chaoscafe IN A 212.12.50.209
+
+cloud IN A 212.12.48.125
+ IN AAAA 2a00:14b0:4200:3000:125::1
+cloud IN MX 10 cow
+ IN TXT "v=spf1 mx -all"
+dkim._domainkey.cloud IN TXT ("v=DKIM1;k=rsa;t=s;s=email;p="
+ "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvr7XIfOFt99cdEKeP"
+ "Qhz7miwN2tIZF+imJ3p/r/kam0TKN5pbRMDK0HH4Jl8ksBDozXrLo+U71TX+m"
+ "XBBeNca4QSfmJh6cAesibf4v/6ssGBdQR7efc2b3dFvZS5/qdS7oLYqYbGpuv"
+ "aUB0gzhatrAR0i6HdtXrsJxGemda4WvZXaPLPwcWByHLZsHQUbaD3doZOJGXI"
+ "7+HQs9BuDo4PKQs1/mE5BEWQ0ISEKZ4bk1p8U0ZsfcdQ8o9X53Tj+JxvJHgxi"
+ "h7yHMr4y9hCOAkvZTFZ/Z/r3KU+N+t9NrVYm995KEernSxE3MXYIsdaFKBDvX"
+ "Xq837yzJmv7D9S9We3YwIDAQAB")
+; Mail: hosts.hamburg.ccc.de
+hosts IN MX 10 cow
+ IN TXT "v=spf1 mx -all"
+dkim._domainkey.hosts IN TXT ("v=DKIM1;k=rsa;t=s;s=email;p="
+ "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyFnskyCW0420D+5PA"
+ "L6cKmPoZR2nrPaMPiJl0+DbDhnsLdXtt3cKZkAin2GYQRvZJvlcJ3JFkFljmQ"
+ "sZk7BJ02rV7S79DgeFhKMzjE0p/GaMBSdzDZJQEVkKhEK+KBbSfaZ0FM/4Qh0"
+ "beI26kBgbR6bc+SGdB7+LB2JLPxr5ipP0gJ7RtE+QWIoDaU0e9dSYhucJ4A4k"
+ "RMs3ECvcCVgsyhRPJahs8tzbKjhnp956ru6Jda3Yo/ubhy4AztP/7ZQayCv/W"
+ "06PfZNo/i2711F98L2ATQaDsOCKWhpskyrCRcR1nTWNSL7qYhOPD1hZonsd5I"
+ "f5WwrR4meWD3wmXbX29wIDAQAB")
+; Mail: hosts-external.hamburg.ccc.de
+external-hosts IN MX 10 cow
+ IN TXT "v=spf1 mx -all"
+dkim._domainkey.external-hosts IN TXT ("v=DKIM1;k=rsa;t=s;s=email;p="
+ "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkfdJvL7Tpdw6JLkuU"
+ "nOLwtxojWZ5Xq6rLDK3EzrX2Tyeq03nqgQuI3ruHgodHb1D7sieU61x30+g7y"
+ "8HnjrN1bfH1iQJUzEOCgOWHwQEbLdbQxcazmbEdowBuA0VuYrXL2tcCFJwdcZ"
+ "MKZAyuba7leeRgSngZJnesT7aaGvZSuzLa1/KaW4MRbOOmy5LlukBC3EZBpWn"
+ "/dL73spDajlDx4VRMUpZQq/PAoPPwCFdw/HNnzxBYBIdVloeJx91qBRaNyUIb"
+ "C/to8YSDVi2aMHiXhTBfoNd1VcxjlBYWqEZtdUhecUjwmbbAO4f0ECO4bs0Yz"
+ "d/EgJB70ry1quA0MqgZQIDAQAB")
+
+; for thw:
+orga IN A 212.12.51.130
+ IN MX 23 nomail.ccc.de.
+ IN MX 42 orga
+
+shellhost IN A 212.12.51.140
+ IN AAAA 2a00:14b0:f000:23:51:140:0:1
+ IN MX 5 nomail.ccc.de.
+ IN MX 10 cow.hamburg.ccc.de.
+shells IN CNAME shellhost
+
+; chaos vpn-hub on haegars hetzner machine
+vpnhub1 IN A 136.243.3.60
+ IN MX 5 nomail.ccc.de.
+ IN MX 10 mail.sdinet.de.
+vpnhub1.ipv4 IN A 136.243.3.60
+vpnhub1-intern IN A 172.31.2.1
+
+; special
+ccchh IN MX 5 nomail.ccc.de.
+ IN MX 10 cow.hamburg.ccc.de.
+
+office IN CNAME office.hh.ccc.de.
+officemail IN CNAME officemail.hh.ccc.de.
+
+template IN A 172.31.17.199
+ IN AAAA 2a00:14b0:f000:23::199
+ IN MX 10 cow.hamburg.ccc.de.
+
+irc IN A 176.56.239.136
+ IN AAAA 2a00:d880:8:1::1aa
+ IN MX 5 nomail.ccc.de.
+
+cryptoparty IN CNAME public-reverse-proxy
+staging.cryptoparty IN CNAME public-reverse-proxy
+
+; Freifunk Gateways
+freifunk-gw01 IN CNAME gw01.hamburg.freifunk.net.
+freifunk-gw02 IN CNAME gw02.hamburg.freifunk.net.
+freifunk-gw03 IN CNAME gw03.hamburg.freifunk.net.
+freifunk-gw04 IN CNAME gw04.hamburg.freifunk.net.
+freifunk-gw05 IN CNAME gw05.hamburg.freifunk.net.
+freifunk-gw06 IN CNAME gw06.hamburg.freifunk.net.
+freifunk-gw07 IN CNAME gw07.hamburg.freifunk.net.
+freifunk-gw08 IN CNAME gw08.hamburg.freifunk.net.
+freifunk-gw09 IN CNAME gw09.hamburg.freifunk.net.
+freifunk-gw10 IN CNAME gw10.hamburg.freifunk.net.
+freifunk-gw11 IN CNAME gw11.hamburg.freifunk.net.
+freifunk-gw12 IN CNAME gw12.hamburg.freifunk.net.
+freifunk-gw13 IN CNAME gw13.hamburg.freifunk.net.
+freifunk-gw14 IN CNAME gw14.hamburg.freifunk.net.
+freifunk-gw15 IN CNAME gw15.hamburg.freifunk.net.
+freifunk-gw16 IN CNAME gw16.hamburg.freifunk.net.
+freifunk-gw17 IN CNAME gw17.hamburg.freifunk.net.
+freifunk-gw18 IN CNAME gw18.hamburg.freifunk.net.
+freifunk-gw19 IN CNAME gw19.hamburg.freifunk.net.
+freifunk-gw20 IN CNAME gw20.hamburg.freifunk.net.
+
+fftest IN A 212.12.51.135
+ IN AAAA 2a00:14b0:f000:23::135
+
+; Shellbordell
+colossus IN A 212.12.51.133
+
+; generic aliases
+LAN-212-12-50-208.dmz-net IN A 212.12.50.208
+ip208 IN A 212.12.50.208
+ip209 IN A 212.12.50.209
+ip210 IN A 212.12.50.210
+ip211 IN A 212.12.50.211
+ip212 IN A 212.12.50.212
+ip213 IN A 212.12.50.213
+ip214 IN A 212.12.50.214
+ENDE-212-12-50-215.dmz-broadcast IN A 212.12.50.215
+ip215 IN A 212.12.50.215
+
+; ChaosVPN
+hack IN NS cvpn-dns.hack
+cvpn-dns.hack IN A 172.31.0.5
+
+; IPv4 Reverse DNS
+
+122.48.12.212.rdns IN PTR turing.hamburg.ccc.de.
+123.48.12.212.rdns IN PTR ip-48-123.hamburg.ccc.de.
+124.48.12.212.rdns IN PTR ip-48-124.hamburg.ccc.de.
+125.48.12.212.rdns IN PTR public-reverse-proxy.hamburg.ccc.de.
+126.48.12.212.rdns IN PTR chaosknoten.hamburg.ccc.de.
+
+208.50.12.212.rdns IN PTR net-12-50-212.hamburg.ccc.de.
+209.50.12.212.rdns IN PTR turing.hamburg.ccc.de.
+;210.50.12.212.rdns IN PTR erfafoo.hamburg.ccc.de.
+211.50.12.212.rdns IN PTR ip-50-12-211.hamburg.ccc.de.
+213.50.12.212.rdns IN PTR cryptoparty.hamburg.ccc.de.
+214.50.12.212.rdns IN PTR ip-50-12-214.hamburg.ccc.de.
+215.50.12.212.rdns IN PTR broadcast-12-15-212.hamburg.ccc.de. + +128.51.12.212.rdns IN PTR net-12-51-128.hamburg.ccc.de. +129.51.12.212.rdns IN PTR ip-51-129.hamburg.ccc.de. +130.51.12.212.rdns IN PTR ip-51-130.hamburg.ccc.de. +131.51.12.212.rdns IN PTR cms.hamburg.ccc.de. +132.51.12.212.rdns IN PTR lists.hamburg.ccc.de. +133.51.12.212.rdns IN PTR cow.hamburg.ccc.de. +134.51.12.212.rdns IN PTR srv01.hamburg.freifunk.net. +135.51.12.212.rdns IN PTR fftest.hamburg.ccc.de. +136.51.12.212.rdns IN PTR git.hamburg.ccc.de. +137.51.12.212.rdns IN PTR ip-51-137.hamburg.ccc.de. +138.51.12.212.rdns IN PTR erfafoo.hamburg.ccc.de. +139.51.12.212.rdns IN PTR jitsi.hamburg.ccc.de. +140.51.12.212.rdns IN PTR ip-51-140.hamburg.ccc.de. +141.51.12.212.rdns IN PTR mumble.hamburg.ccc.de. +142.51.12.212.rdns IN PTR regio-stage.hamburg.ccc.de. +143.51.12.212.rdns IN PTR broadcast-12-15-128.hamburg.ccc.de. + +; hosts.hamburg.ccc.de +wiki.hosts IN AAAA 2a00:14b0:42:102::2 +cloud.hosts IN AAAA 2a00:14b0:42:102::3 +eh22-wiki.hosts IN AAAA 2a00:14b0:42:102::4 +pad.hosts IN AAAA 2a00:14b0:42:102::5 +keycloak.hosts IN AAAA 2a00:14b0:42:102::6 +onlyoffice.hosts IN AAAA 2a00:14b0:42:102::7 +renovate.hosts IN AAAA 2a00:14b0:42:102::8 +sunders.hosts IN AAAA 2a00:14b0:42:102::9 +mjolnir.hosts IN AAAA 2a00:14b0:42:102::a +netbox.hosts IN AAAA 2a00:14b0:42:102::b +tickets.hosts IN AAAA 2a00:14b0:42:102::c +zammad.hosts IN AAAA 2a00:14b0:42:102::d +grafana.hosts IN AAAA 2a00:14b0:42:102::e +ccchoir.hosts IN AAAA 2a00:14b0:42:102::f +pretalx.hosts IN AAAA 2a00:14b0:42:102::10 +ntfy.hosts IN AAAA 2a00:14b0:42:102::11 +spaceapiccc.hosts IN AAAA 2a00:14b0:42:102::12 +acmedns.hosts IN AAAA 2a00:14b0:42:102::13 +www2.hosts IN AAAA 2a00:14b0:42:102::14 +www3.hosts IN AAAA 2a00:14b0:42:102::15 +diday-staging-runner.hosts IN AAAA 2a00:14b0:42:102::16 +public-web-static.hosts IN AAAA 2a00:14b0:42:102::17 +forgejo-actions-runner.hosts IN AAAA 2a00:14b0:42:102::18 + +; acme-challenges +_acme-challenge.sunders 
CNAME a5ee8a99-3cdf-4212-972e-c0b6fda1242f.auth.acmedns
+_acme-challenge.pretalx CNAME 295a66d4-1d71-49f3-a80a-1f7527ec9cca.auth.acmedns
diff --git a/resources/chaosknoten/auth-dns/zones/hh.ccc.de.zone b/resources/chaosknoten/auth-dns/zones/hh.ccc.de.zone
new file mode 100644
index 0000000..35794ba
--- /dev/null
+++ b/resources/chaosknoten/auth-dns/zones/hh.ccc.de.zone
@@ -0,0 +1,73 @@
+$TTL 7200
+
+; es wird jetzt der hostname mail.hamburg.ccc.de nicht mehr
+; verwendet, sondern statt dessen local-mail.hamburg.ccc.de
+; die popeye fuehlt sich immer noch unter mail.hamburg.ccc.de
+; angesprochen, und nimmt daher keine mails mit absender-adressen
+; die sie nicht kennt an.
+; ich hoffe diese aenderung arbeitet um diesen bug herum.
+; - haegar 2001.11.14
+
+@ IN SOA auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de. (
+ 2024012601
+ 10800
+ 3600
+ 3600000
+ 86400 )
+
+ IN NS ns.hamburg.ccc.de.
+ IN NS ns.vie.ccc.de.
+
+ IN MX 5 nomail.ccc.de.
+; IN MX 10 local-mail.hamburg.ccc.de.
+ IN MX 23 nomail2.ccc.de.
+ IN MX 42 nomail3.ccc.de.
+
+ IN A 212.12.48.125
+ IN AAAA 2a00:14b0:4200:3000:125::1
+
+localhost IN A 127.0.0.1
+
+
+; DMZ-Server:
+dmz-net IN A 212.12.50.208
+
+turing IN CNAME turing.hamburg.ccc.de.
+www IN CNAME www.hamburg.ccc.de.
+
+LAN-212-12-51-128 IN A 212.12.51.128
+gate IN A 212.12.51.129
+END-212-12-51-143 IN A 212.12.51.143
+
+
+; convience and email
+
+backup IN A 172.31.16.3
+ IN AAAA 2001:6f8:126f:1:16:20:0:3
+; IN MX 5 nomail.ccc.de.
+ IN MX 10 local-mail.hamburg.ccc.de.
+
+officemail IN A 172.31.17.131
+ IN MX 5 nomail.ccc.de.
+; IN MX 10 local-mail.hamburg.ccc.de.
+ IN MX 23 nomail2.ccc.de.
+ IN MX 42 nomail3.ccc.de.
+
+orga IN CNAME orga.hamburg.ccc.de.
+
+
+; Die alte World, aka popeye.crew-gmbh.de
+; Legacy-Names, do not delete
+world IN A 192.76.134.7
+ IN MX 10 world
+popeye IN A 192.76.134.7
+ IN MX 10 world
+uucp IN A 192.76.134.7
+
+; ChaosVPN
+hack IN NS cvpn-dns.hack
+cvpn-dns.hack IN A 172.31.0.5
+
+
+; tmp test
+merz.leck.eier IN TXT "kann er mal"
diff --git a/resources/chaosknoten/grafana/docker_compose/alertmanager.yaml.j2 b/resources/chaosknoten/grafana/docker_compose/alertmanager.yaml.j2
index 0689820..7276bdd 100644
--- a/resources/chaosknoten/grafana/docker_compose/alertmanager.yaml.j2
+++ b/resources/chaosknoten/grafana/docker_compose/alertmanager.yaml.j2
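Review bot: The last record, `merz.leck.eier IN TXT "kann er mal"` under `; tmp test`, is a throwaway test entry committed into a zone this role will serve publicly and DNSSEC-sign; it should be dropped before merge. The SOA serial `2024012601` is worth a comment: the knot template in this commit uses `serial-policy: dateserial` with `zonefile-load: difference-no-serial`, so knot maintains the serial in its journal and the value in this file is not what is published — a line such as `; serial is managed by knot (dateserial); this value is a placeholder` above the SOA would stop the next editor from bumping it by hand. The `hack IN NS cvpn-dns.hack` delegation carries RFC 1918 glue (`172.31.0.5`) in a public zone; if that is intentional, say so in the `; ChaosVPN` comment.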
@@ -3,7 +3,7 @@
 # - https://github.com/prometheus/alertmanager/blob/48a99764a1fc9279fc828de83e7a03ae2219abc7/doc/examples/simple.yml
 route:
- receiver: 'ntfy-ccchh'
+ receiver: 'null'
 group_by: [ "alertname", "site", "job", "hypervisor" ]
 group_wait: 30s
 group_interval: 5m
diff --git a/resources/chaosknoten/lists/docker_compose/compose.yaml b/resources/chaosknoten/lists/docker_compose/compose.yaml
index fb65594..65248bb 100644
--- a/resources/chaosknoten/lists/docker_compose/compose.yaml
+++ b/resources/chaosknoten/lists/docker_compose/compose.yaml
@@ -58,7 +58,7 @@ services:
 - POSTGRES_DB=mailmandb
 - POSTGRES_USER=mailman
 - POSTGRES_PASSWORD=wvQjbMRnwFuxGEPz
- image: docker.io/library/postgres:12-alpine
+ image: docker.io/library/postgres:18-alpine
 volumes:
 - /opt/mailman/database:/var/lib/postgresql/data
 networks:
diff --git a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2 b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2
index 0bbfcb8..091bd44 100644
--- a/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2
+++ b/resources/chaosknoten/pretalx/docker_compose/compose.yaml.j2
@@ -3,7 +3,7 @@ services:
 database:
- image: docker.io/library/postgres:15-alpine
+ image: docker.io/library/postgres:18-alpine
 environment:
 - "POSTGRES_USER=pretalx"
 - "POSTGRES_PASSWORD={{ secret__pretalx_db_password }}"
diff --git a/resources/chaosknoten/router/nftables/nftables.conf b/resources/chaosknoten/router/nftables/nftables.conf
index ca62a97..b9978d8 100644
--- a/resources/chaosknoten/router/nftables/nftables.conf
+++ b/resources/chaosknoten/router/nftables/nftables.conf
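Review bot: Changing the top-level `receiver` to `'null'` turns the catch-all route into a sink: any alert that no child route claims is discarded without trace. The `routes:` children and the `receivers:` list are outside this hunk, so I cannot see whether `ntfy-ccchh` is still matched by a child route or whether a receiver literally named `null` is defined (Alertmanager rejects a config that references an undefined receiver). If the intent is to stop notifying on the default route, record it right above the line, e.g. `# default route discards on purpose; every alert must be matched by a child route below`. From a detection standpoint a low-priority receiver on the default route is safer than a sink, because misrouted alerts then stay visible instead of disappearing.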
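Review bot: The tag move from `postgres:12-alpine` to `postgres:18-alpine` (and `15-alpine` to `18-alpine` in the pretalx compose in the next hunk) is a multi-major upgrade on top of a persistent cluster (`/opt/mailman/database:/var/lib/postgresql/data`); a Postgres major release does not read an older major's data files, so the new container will refuse to start on the existing volume until the cluster is dumped and restored or run through pg_upgrade, and nothing in the commit documents that step. As far as I recall the official 18 image also moved its default `PGDATA` below a versioned directory under `/var/lib/postgresql`, so confirm the mount path still matches or set `PGDATA` explicitly, otherwise the data ends up in an anonymous volume. Separately, the `POSTGRES_PASSWORD=wvQjbMRnwFuxGEPz` context line is a literal credential in the repository, whereas the pretalx file reads its password from `{{ secret__pretalx_db_password }}`; moving this one to the same sops-backed pattern would be consistent.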
@@ -7,14 +7,19 @@ define if_net1_v4_wan = "net1"
 define if_net2_v6_wan = "net2"
 define if_net0_2_v4_nat = "net0.2"
 define if_net0_3_ci_runner = "net0.3"
+define if_net0_5_public = "net0.5"
 # Interface Groups
 define wan_ifs = { $if_net1_v4_wan, $if_net2_v6_wan }
 define lan_ifs = { $if_net0_2_v4_nat,
- $if_net0_3_ci_runner }
-# define v4_exposed_ifs = { }
-define v6_exposed_ifs = { $if_net0_2_v4_nat }
+ $if_net0_3_ci_runner,
+ $if_net0_5_public }
+define v4_exposed_ifs = { $if_net0_5_public }
+define v6_exposed_ifs = { $if_net0_2_v4_nat,
+ $if_net0_5_public }
+define v4_nat_ifs = { $if_net0_2_v4_nat,
+ $if_net0_3_ci_runner }
 ## Rules
@@ -73,7 +78,7 @@ table ip v4nat {
 chain postrouting {
 type nat hook postrouting priority srcnat; policy accept;
- oifname $if_net1_v4_wan masquerade
+ iifname $v4_nat_ifs oifname $if_net1_v4_wan masquerade
 }
 }
@@ -89,7 +94,7 @@ table inet forward {
 meta nfproto ipv4 iifname $lan_ifs oifname $if_net1_v4_wan accept comment "allow v4 internet access"
 # Allow access to exposed networks from internet.
- # meta nfproto ipv4 oifname $v4_exposed_ifs accept comment "allow v4 exposed network access"
+ meta nfproto ipv4 oifname $v4_exposed_ifs accept comment "allow v4 exposed network access"
 meta nfproto ipv6 oifname $v6_exposed_ifs accept comment "allow v6 exposed network access"
 }
 }
diff --git a/resources/chaosknoten/router/systemd_networkd/10-net0.5-public.netdev b/resources/chaosknoten/router/systemd_networkd/10-net0.5-public.netdev
new file mode 100644
index 0000000..be3c9d9
--- /dev/null
+++ b/resources/chaosknoten/router/systemd_networkd/10-net0.5-public.netdev
@@ -0,0 +1,6 @@
+[NetDev]
+Name=net0.5
+Kind=vlan
+
+[VLAN]
+Id=5
diff --git a/resources/chaosknoten/router/systemd_networkd/20-net0.network b/resources/chaosknoten/router/systemd_networkd/20-net0.network
index a32d75e..a9104ff 100644
--- a/resources/chaosknoten/router/systemd_networkd/20-net0.network
+++ b/resources/chaosknoten/router/systemd_networkd/20-net0.network
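Review bot: The re-enabled rule `meta nfproto ipv4 oifname $v4_exposed_ifs accept comment "allow v4 exposed network access"` (third hunk) matches on the egress interface only, so it forwards IPv4 into net0.5 from every ingress interface — the WAN, as the comment above it says, but also net0.2 and net0.3 — on any port; either constrain it to `iifname $if_net1_v4_wan` or reword the comment to state that the public VLAN is reachable from all attached networks, and note that the v6 rule on the next line has the same shape. In the first hunk `lan_ifs` and the new `v4_nat_ifs` are now two overlapping sets whose difference is exactly net0.5; a comment on the new define, e.g. `# private-address VLANs that need SNAT; net0.5 carries public 212.12.50.208/29 and must not be masqueraded`, would record why. The forward chain's policy and connection-state rules are outside these hunks, so I assume the accept rules sit behind an established/related rule and a drop policy.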
@@ -7,6 +7,6 @@ RequiredForOnline=no
 [Network]
 VLAN=net0.2
 VLAN=net0.3
+VLAN=net0.5
 LinkLocalAddressing=no
-
diff --git a/resources/chaosknoten/router/systemd_networkd/21-net0.5-public.network b/resources/chaosknoten/router/systemd_networkd/21-net0.5-public.network
new file mode 100644
index 0000000..2a7b0db
--- /dev/null
+++ b/resources/chaosknoten/router/systemd_networkd/21-net0.5-public.network
@@ -0,0 +1,23 @@
+[Match]
+Name=net0.5
+Type=vlan
+
+[Link]
+RequiredForOnline=no
+
+[Network]
+Description=public
+
+# Masquerading done in nftables (nftables.conf).
+IPv6SendRA=yes
+
+[Address]
+Address=212.12.50.209/29
+
+[IPv6SendRA]
+UplinkInterface=net2
+
+[IPv6Prefix]
+Prefix=2a00:14b0:42:105::/64
+Assign=true
+Token=static:::1
diff --git a/roles/deploy_systemd_resolved_config/tasks/enable.yaml b/roles/deploy_systemd_resolved_config/tasks/enable.yaml
index 395ef0d..9a7438e 100644
--- a/roles/deploy_systemd_resolved_config/tasks/enable.yaml
+++ b/roles/deploy_systemd_resolved_config/tasks/enable.yaml
@@ -1,4 +1,11 @@
 ---
+- name: Ensure systemd-resolved is installed
+ tags: [ "deploy_systemd_resolved_config" ]
+ become: true
+ when: ansible_facts["distribution"] == "Debian"
+ ansible.builtin.package:
+ name: [ "systemd-resolved" ]
+
 - name: Deploy systemd-resolved config
 tags: [ "deploy_systemd_resolved_config" ]
 become: true
diff --git a/roles/knot/defaults/main.yaml b/roles/knot/defaults/main.yaml
new file mode 100644
index 0000000..50a3ffb
--- /dev/null
+++ b/roles/knot/defaults/main.yaml
@@ -0,0 +1,2 @@
+---
+knot__remotes: [ ]
diff --git a/roles/knot/handlers/main.yaml b/roles/knot/handlers/main.yaml
new file mode 100644
index 0000000..38fce75
--- /dev/null
+++ b/roles/knot/handlers/main.yaml
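Review bot: The comment `# Masquerading done in nftables (nftables.conf).` in the new 21-net0.5-public.network is misleading for this VLAN: the nftables.conf hunks in this same commit masquerade only `$v4_nat_ifs` (net0.2, net0.3) and list net0.5 in `$v4_exposed_ifs`, so `212.12.50.208/29` traffic is routed with its public source address, not NATed. Reword it to match, e.g. `# No NAT on this VLAN: it carries public addresses; exposure rules live in nftables.conf.` Whether IP forwarding is enabled for this link in networkd or via sysctl is not visible in the diff, so I assume it is handled elsewhere.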
@@ -0,0 +1,21 @@
+---
+- name: reload knot
+ tags: [ auth-dns ]
+ become: true
+ ansible.builtin.systemd:
+ name: knot.service
+ state: reloaded
+
+- name: netplan apply
+ tags: [ auth-dns ]
+ become: true
+ changed_when: true
+ ansible.builtin.command: "netplan apply"
+
+- name: restart knot-exporter
+ tags: [ auth-dns ]
+ become: true
+ ansible.builtin.systemd:
+ name: knot-exporter.service
+ state: restarted
+ daemon_reload: true
diff --git a/roles/knot/meta/argument_specs.yaml b/roles/knot/meta/argument_specs.yaml
new file mode 100644
index 0000000..40a5823
--- /dev/null
+++ b/roles/knot/meta/argument_specs.yaml
@@ -0,0 +1,59 @@
+---
+argument_specs:
+ main:
+ options:
+ knot__dnssec_key_id:
+ description: The id of the TSIG key which knot will use for zone transfer signing
+ type: str
+ required: true
+ knot__dnssec_key_secret:
+ description: The secret value of the TSIG key which knot will use for zone transfer signing
+ type: str
+ required: true
+ knot__remotes:
+ description:
+ - A list of definitions for remote nameservers that are used for different purposes
+ - See https://www.knot-dns.cz/docs/latest/html/reference.html#remote-section for details
+ type: list
+ elements: dict
+ required: false
+ options:
+ id:
+ type: str
+ required: true
+ address:
+ type: list
+ required: true
+ elements: str
+ knot__catalog_zones:
+ description: A list of catalog zones that will be served by knot
+ type: list
+ elements: dict
+ required: true
+ options:
+ domain:
+ type: str
+ required: true
+ notify_targets:
+ type: list
+ elements: str
+ required: false
+ knot__zones:
+ description: A list of user zones that will be served by knot
+ type: list
+ elements: dict
+ required: true
+ options:
+ domain:
+ type: str
+ required: true
+ notify_targets:
+ type: list
+ elements: str
+ required: false
+ catalog_member:
+ type: str
+ required: false
+ content:
+ type: str
+ required: true
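Review bot: `knot__dnssec_key_id` and `knot__dnssec_key_secret` are described as a TSIG key for zone transfer signing, but the names say DNSSEC; TSIG authenticates transfers and NOTIFY between servers and is unrelated to the DNSSEC signing configured under `policy:` in knot.conf.j2. Renaming to `knot__tsig_key_*` would touch the sops host_vars, so at least sharpen both descriptions, e.g. `TSIG (hmac-sha512) key id used to authenticate zone transfers and NOTIFY with remotes; not the DNSSEC signing key`. The `knot__remotes` element options carry only `id` and `address`, so the spec offers no way to bind that TSIG key to a remote; add an optional `key` option if the template is extended to use it. `knot__zones[].domain` should state whether the trailing dot is required, because 02-configure.yaml builds the zone file name by appending `zone` directly to it.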
diff --git a/roles/knot/tasks/01-install.yaml b/roles/knot/tasks/01-install.yaml
new file mode 100644
index 0000000..0a269d6
--- /dev/null
+++ b/roles/knot/tasks/01-install.yaml
@@ -0,0 +1,11 @@
+---
+- name: Install knot
+ tags: [ auth-dns ]
+ become: true
+ ansible.builtin.package:
+ name:
+ - knot
+ - knot-exporter
+ - knot-dnssecutils
+ - knot-dnsutils
+ - knot-host
diff --git a/roles/knot/tasks/02-configure.yaml b/roles/knot/tasks/02-configure.yaml
new file mode 100644
index 0000000..2b0b0fa
--- /dev/null
+++ b/roles/knot/tasks/02-configure.yaml
@@ -0,0 +1,53 @@
+---
+- name: Ensure required directories exist
+ tags: [ auth-dns ]
+ become: true
+ loop: [ "/etc/knot", "/etc/knot/zones" ]
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: directory
+ owner: knot
+ group: knot
+ mode: u=rwx,g=rx,o=
+
+- name: Deploy knot configuration file
+ tags: [ auth-dns ]
+ become: true
+ notify: reload knot
+ ansible.builtin.template:
+ src: knot.conf.j2
+ dest: /etc/knot/knot.conf
+ owner: knot
+ group: knot
+ mode: u=rw,g=r,o=
+
+- name: Deploy configured zones
+ tags: [ auth-dns ]
+ become: true
+ notify: reload knot
+ loop: "{{ knot__zones }}"
+ loop_control:
+ label: "{{ item.domain }}"
+ vars:
+ zone_content: "{{ item.content }}"
+ ansible.builtin.template:
+ src: zone.j2
+ dest: "/etc/knot/zones/{{ item.domain }}zone"
+ owner: knot
+ group: knot
+ mode: u=rw,g=r
+
+# this seems weird but hear me out:
+# if we don't disable SLAAC, the node automatically gets an address based on IPv6 Router-Advertisements
+# this results in outgoing zone transfers failing because knot will prefer to use the dynamic address over the statically configured one.
+# so because we are configuring a DNS Nameserver where known IP-Addresses are actually important for ACL reasons, SLAAC is disabled
+- name: Disable IPv6 SLAAC
+ tags: [ auth-dns ]
+ become: true
+ notify: netplan apply
+ ansible.builtin.template:
+ src: "netplan-disable-ra.yaml"
+ dest: "/etc/netplan/10-disable-ra.yaml"
+ owner: root
+ group: root
+ mode: u=rw,g=,o=
diff --git a/roles/knot/tasks/03-configure-exporter.yaml b/roles/knot/tasks/03-configure-exporter.yaml
new file mode 100644
index 0000000..4254acb
--- /dev/null
+++ b/roles/knot/tasks/03-configure-exporter.yaml
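Review bot: `dest: "/etc/knot/zones/{{ item.domain }}zone"` has no separator, so it only produces the `<name>.zone` file that the template's `file: "%s.zone"` expects when `item.domain` ends with a trailing dot; a domain written as `hh.ccc.de` yields `hh.ccc.dezone` and knot will not find the zone. Normalise instead of relying on the caller: `dest: "/etc/knot/zones/{{ item.domain | regex_replace('\\.$', '') }}.zone"`. The same task sets `mode: u=rw,g=r` without an `o=` clause, so the other-bits are left at whatever the umask produced, unlike the explicit `u=rw,g=r,o=` used for knot.conf; zone data is public, but be explicit so the outcome does not depend on the controller's umask. The SLAAC workaround is well explained; knot's per-remote `via:` source-address option may give the same stable source for ACL purposes without touching host networking, if it fits the remotes here.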
@@ -0,0 +1,20 @@
+- name: Deploy knot-exporter systemd unit
+ tags: [ auth-dns ]
+ become: true
+ register: knot_deploy_service_file
+ notify: restart knot-exporter
+ ansible.builtin.template:
+ src: knot-exporter.service.j2
+ dest: /etc/systemd/system/knot-exporter.service
+ owner: root
+ group: root
+ mode: u=rw,g=r,o=r
+
+- name: Ensure knot-exporter is running and enabled
+ tags: [ auth-dns ]
+ become: true
+ ansible.builtin.systemd:
+ name: knot-exporter.service
+ state: started
+ enabled: true
+ daemon_reload: "{{ knot_deploy_service_file.changed }}"
diff --git a/roles/knot/tasks/main.yaml b/roles/knot/tasks/main.yaml
new file mode 100644
index 0000000..bdf5cf7
--- /dev/null
+++ b/roles/knot/tasks/main.yaml
@@ -0,0 +1,4 @@
+---
+- ansible.builtin.import_tasks: 01-install.yaml # noqa: name[missing]
+- ansible.builtin.import_tasks: 02-configure.yaml # noqa: name[missing]
+- ansible.builtin.import_tasks: 03-configure-exporter.yaml # noqa: name[missing]
diff --git a/roles/knot/templates/knot-exporter.service.j2 b/roles/knot/templates/knot-exporter.service.j2
new file mode 100644
index 0000000..1246694
--- /dev/null
+++ b/roles/knot/templates/knot-exporter.service.j2
@@ -0,0 +1,17 @@
+# {{ ansible_managed }}
+[Unit]
+Description=knot prometheus exporter
+Wants=network.target
+Before=alloy.service
+After=network.target
+
+[Service]
+User=knot
+ExecStart=/usr/sbin/knot-exporter
+ReadWritePaths=/run/knot/
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+PrivateIPC=true
+
diff --git a/roles/knot/templates/knot.conf.j2 b/roles/knot/templates/knot.conf.j2
new file mode 100644
index 0000000..c661e25
--- /dev/null
+++ b/roles/knot/templates/knot.conf.j2
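Review bot: The unit in knot-exporter.service.j2 (third hunk on this line) has no `[Install]` section, so `enabled: true` in the second task of 03-configure-exporter.yaml has nothing to act on — systemd treats the unit as static and it will not come up at boot, only when this play runs. Append `[Install]` and `WantedBy=multi-user.target` to the template. While in that file, `NoNewPrivileges=true` next to `ProtectSystem=strict` would round out the sandbox for a `User=knot` exporter. 03-configure-exporter.yaml is also the only new task file without the `---` document start.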
@@ -0,0 +1,95 @@
+# {{ ansible_managed }}
+# See knot.conf(5) or refer to the server documentation.
+
+server:
+ rundir: "/run/knot"
+ user: knot:knot
+ automatic-acl: on
+ listen: [ "0.0.0.0@53", "::@53" ]
+
+log:
+ - target: syslog
+ any: info
+
+database:
+ storage: "/var/lib/knot"
+
+key:
+ - id: {{ knot__dnssec_key_id }}
+ algorithm: hmac-sha512
+ secret: "{{ knot__dnssec_key_secret }}"
+
+remote:
+ # static, external and public remote used for DNSSEC KSK checking
+ - id: quad9
+ address: "2620:fe::fe"
+ {% if knot__remotes -%}
+ # additional remotes used in the config
+ {% for i_remote in knot__remotes -%}
+ - id: "{{ i_remote.id }}"
+ address: [ {% for i_addr in i_remote.address %}"{{ i_addr}}"{% if not loop.last %},{% endif %} {% endfor %} ]
+ {% endfor %}
+ {% endif %}
+
+# define how the presence of parent KSK keys is checked
+# in this case, we just ask quad9 which is an open resolver
+submission:
+ - id: default
+ parent: quad9
+ parent-delay: 1h
+
+# define how dnssec signing is done
+# in this case we don't do anything special but teach knot how to check for KSK presence
+policy:
+ - id: default
+ ksk-submission: default
+ nsec3: true
+ nsec3-salt-length: 0
+
+# define default settings that apply to all zones
+template:
+ # template for general-purpose user zones
+ - id: default
+ storage: "/etc/knot/zones"
+ file: "%s.zone"
+ semantic-checks: on
+ zonefile-sync: -1
+ zonefile-load: difference-no-serial
+ serial-policy: dateserial
+ journal-content: all
+ default-ttl: 7200
+ dnssec-signing: on
+ dnssec-policy: default
+
+ {# catalog-role: member #}
+ {# catalog-zone: hamburg.ccc.de.catalog.
#}
+
+ # template for automatically created special zones
+ - id: catalog
+ catalog-role: generate
+ dnssec-signing: on
+ dnssec-policy: default
+
+
+# define zones on this server
+# See https://www.knot-dns.cz/docs/3.4/html/reference.html#zone-section
+zone:
+ # catalog zones
+ {% for i_zone in knot__catalog_zones -%}
+ - domain: "{{ i_zone.domain }}"
+ template: catalog
+ notify: [ {% for i_notif in i_zone.notify_targets | default([]) %}"{{ i_notif }}"{% if not loop.last %}, {% endif %}{% endfor %} ]
+ {% endfor %}
+
+ # normal zones
+ {% for i_zone in knot__zones -%}
+ - domain: "{{ i_zone.domain }}"
+ template: default
+ notify: [ {% for i_notif in i_zone.notify_targets | default([]) %}"{{ i_notif }}"{% if not loop.last %}, {% endif %}{% endfor %} ]
+ {% if i_zone.catalog_member | default(False) -%}
+ catalog-role: member
+ catalog-zone: "{{ i_zone.catalog_member }}"
+ {% endif %}
+
+ {% endfor %}
+
diff --git a/roles/knot/templates/netplan-disable-ra.yaml b/roles/knot/templates/netplan-disable-ra.yaml
new file mode 100644
index 0000000..505fba2
--- /dev/null
+++ b/roles/knot/templates/netplan-disable-ra.yaml
@@ -0,0 +1,14 @@
+# {{ ansible_managed }}
+network:
+ ethernets:
+ {%- for i_iface_name in ansible_interfaces -%}
+ {%- if i_iface_name != "lo" -%}
+ {%- set i_iface = ansible_facts[i_iface_name] %}
+
+ {{ i_iface_name }}:
+ match:
+ macaddress: "{{ i_iface.macaddress }}"
+ accept-ra: false
+ {% endif %}
+ {% endfor %}
+
diff --git a/roles/knot/templates/zone.j2 b/roles/knot/templates/zone.j2
new file mode 100644
index 0000000..59edf5f
--- /dev/null
+++ b/roles/knot/templates/zone.j2
@@ -0,0 +1,4 @@
+; {{ ansible_managed }}
+
+{{ zone_content }}
+
diff --git a/roles/nftables/handlers/main.yaml b/roles/nftables/handlers/main.yaml
index 3b72c54..45f20c9 100644
--- a/roles/nftables/handlers/main.yaml
+++ b/roles/nftables/handlers/main.yaml
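Review bot: The `key:` entry built from `knot__dnssec_key_id`/`knot__dnssec_key_secret` is never referenced anywhere in knot.conf.j2 — no `remote` entry carries a `key:` and there is no `acl:` section — so with `automatic-acl: on` the ACLs derived for `knot__remotes` are address-based only and the TSIG secret deployed into this file authenticates nothing, which is presumably also why the SLAAC opt-out in 02-configure.yaml became necessary. Attach it where it is meant to be used, e.g. `key: "{{ knot__dnssec_key_id }}"` under each `- id: "{{ i_remote.id }}"` (or per remote via a new `key` field in argument_specs), so transfers and NOTIFY are bound to the key rather than to a source address. Also `- id: {{ knot__dnssec_key_id }}` is the one templated scalar in this file left unquoted; quote it like `secret:` so an id with YAML-special characters cannot break the config. This hunk starts on the previous line.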
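Review bot: netplan-disable-ra.yaml iterates every entry of `ansible_interfaces` except `lo` and declares each under `ethernets:` matched by `macaddress`; `ansible_interfaces` also lists bridges, VLAN and tunnel devices, some of which have no `macaddress` fact, so the template either fails on an undefined attribute or emits an `ethernets:` stanza for a non-ethernet device. Restricting the loop to physical NICs, e.g. `{%- if i_iface_name != "lo" and ansible_facts[i_iface_name].type == "ether" -%}`, keeps the RA opt-out where it is intended. The rendered indentation depends on the `{%-`/`-%}` trimming in this file; a one-line comment giving the expected rendered shape would help the next editor.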
@@ -1,5 +1,5 @@
-- name: Restart nftables service
+- name: Reload nftables service
 ansible.builtin.systemd_service:
 name: nftables
- state: restarted
+ state: reloaded
 become: true
diff --git a/roles/nftables/tasks/main.yaml b/roles/nftables/tasks/main.yaml
index 46ea18d..6a72800 100644
--- a/roles/nftables/tasks/main.yaml
+++ b/roles/nftables/tasks/main.yaml
@@ -12,4 +12,4 @@
 owner: root
 group: root
 become: true
- notify: Restart nftables service
+ notify: Reload nftables service
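Review bot: Moving the handler from `restarted` to `reloaded` is the right call — a reload applies the ruleset file in one transaction instead of leaving the window that a stop/start opens — but a reload only replaces the live ruleset rather than appending to it if `/etc/nftables.conf` begins with `flush ruleset`; the head of that file is not in this diff, so confirm it before relying on the handler. A comment on the handler, e.g. `# reload, not restart: atomic swap, no window without rules`, would preserve the reasoning. The notifying task in roles/nftables/tasks/main.yaml starts outside the hunk.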