Compare commits
1 commit
f270ec1779
...
51f52e297e
| Author | SHA1 | Date | |
|---|---|---|---|
| 51f52e297e |
36 changed files with 12 additions and 1286 deletions
|
|
@ -4,4 +4,3 @@ pipelining = True
|
|||
vars_plugins_enabled = host_group_vars,community.sops.sops
|
||||
collections_path = ./
|
||||
roles_path = ./galaxy-roles
|
||||
interpreter_python = python3
|
||||
|
|
|
|||
|
|
@ -1,5 +1,4 @@
|
|||
ansible_pull__age_private_key: ENC[AES256_GCM,data:2kBG8j8JHa/dlXgWMdbSobulFdVunf052T1QQfm1X2vpEZx2HPCL87fWea+O0WOg7+eoMYbiShu0Vw1eTjb+687LjU8l4cj2JWIajnYfDGH+ipWXojxj613C3RZV3JfDOclVTwP8fCHu7z7P3fKrsKWb5d3t2ohTT+sGdVdimakAOf192CkufcVIthq2imiWbntiMTOdMGJxyIjqT2Io2H89nSbJXkONsuHCF/PbxhryB2LZbl8aZV32knk=,iv:hpscVc7iO4r/h31vS6Zno2pkEsgA2uR7wD/1PjH1znM=,tag:ypiwFtgeXuj4gOsgTCRTBw==,type:str]
|
||||
knot__dnssec_key_secret: ENC[AES256_GCM,data:WPFTLyJIttFtqqTZV2fGN0Tt1vRS318TGmd2YqNzYisE3TBi6Z2aClxuYh56Q+j7TUQwCvga3jd5w017sEz3kA==,iv:umaFHBCy9AZgNFv7uXLCtO0o/NZDAZ1QNg5DcGHWEW8=,tag:oR92C1Uj5iXU9L02MqzGSQ==,type:str]
|
||||
sops:
|
||||
age:
|
||||
- recipient: age18zgt4y2sd75hxnpe333zz39048ctxpr0q8a3uqh3jajjkyawsdrq8yg5ve
|
||||
|
|
@ -11,8 +10,8 @@ sops:
|
|||
MEZQTHZXNExsSnl0WW9Vb29sajE1YzAKoYU7rGuR+52+U02uf3eTH9hkIECWdcJv
|
||||
wN9JTwsUn0c6mi/d4AHgv5O04Uw7NxUyGVmFlDZzjxLwPzZyR73SvA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2026-05-01T17:08:09Z"
|
||||
mac: ENC[AES256_GCM,data:TaMWf1ESs8nYzxkElMYtsz+/Be0PtI7FA0q6IFK+ob4dl/EN+AeTD7Pp0MZF8zcRvZ4hF0Ybimet5bwVR+d7UIXlXz3qP//pX68JDCvcLMQuhNtm6Ws+mwVxkpxEvBr1PtxlSvcQ76vH3ryEsXkP84gmlCDEdX1GAZYZ9ZS3Cfk=,iv:g3tzUfTPNUQyOAxWJEFPHg0IAPAzQgwYABHm4mFOOrI=,tag:C6KE/bg/3jS7Wc56y6YOJQ==,type:str]
|
||||
lastmodified: "2026-04-29T19:21:55Z"
|
||||
mac: ENC[AES256_GCM,data:RLXsIsSdrCuElYQ3x2YpwYzQx0V0zoYP6h9FLD+RqmZ1pWhlk6Ijp9WxCAlEWps9n5rPYYyhZ3ldSJluTVeroPwpzrmwW+xXCGsCC0BFk6PuB4UynfHwWR/3jEK47nAdPbNfONhzGfOeTObYp22c3iHiKL8YochOSlBToA8mFr4=,iv:fZZEa3C/BsNKGdTKlR/hexrzhmLxiMVxgL9nXjX2Q1E=,tag:I5M8SNbSw4w1crsl0z/5+Q==,type:str]
|
||||
pgp:
|
||||
- created_at: "2026-04-29T19:18:43Z"
|
||||
enc: |-
|
||||
|
|
|
|||
|
|
@ -1,62 +0,0 @@
|
|||
---
|
||||
deploy_systemd_resolved_config__enable: false
|
||||
|
||||
alloy_config_additional: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/auth-dns/alloy/knot-exporter.alloy') }}"
|
||||
|
||||
knot__dnssec_key_id: "auth-dns.hamburg.ccc.de-1"
|
||||
knot__remotes:
|
||||
- id: ns-intern.hamburg.ccc.de
|
||||
address: [ "2a00:14b0:f000:23::53", "172.31.17.53" ]
|
||||
|
||||
knot__catalog_zones:
|
||||
- domain: "hamburg.ccc.de.catalog."
|
||||
|
||||
knot__zones:
|
||||
- domain: "hh.ccc.de."
|
||||
catalog_member: "hamburg.ccc.de.catalog."
|
||||
notify_targets: [ "ns-intern.hamburg.ccc.de" ]
|
||||
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/hh.ccc.de.zone') }}"
|
||||
|
||||
- domain: "ccchh.net."
|
||||
catalog_member: "hamburg.ccc.de.catalog."
|
||||
notify_targets: [ "ns-intern.hamburg.ccc.de" ]
|
||||
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/ccchh.net.zone') }}"
|
||||
|
||||
- domain: "hamburg.ccc.de."
|
||||
catalog_member: "hamburg.ccc.de.catalog."
|
||||
notify_targets: [ "ns-intern.hamburg.ccc.de" ]
|
||||
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone') }}"
|
||||
|
||||
- domain: "eh20.easterhegg.eu."
|
||||
catalog_member: "hamburg.ccc.de.catalog."
|
||||
notify_targets: [ "ns-intern.hamburg.ccc.de" ]
|
||||
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/eh20.easterhegg.eu.zone') }}"
|
||||
|
||||
- domain: "eh22.easterhegg.eu."
|
||||
catalog_member: "hamburg.ccc.de.catalog."
|
||||
notify_targets: [ "ns-intern.hamburg.ccc.de" ]
|
||||
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/eh22.easterhegg.eu.zone') }}"
|
||||
|
||||
- domain: "3.2.0.0.0.0.0.f.0.b.4.1.0.0.a.2.ip6.arpa."
|
||||
notify_targets: [ "ns-intern.hamburg.ccc.de" ]
|
||||
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/3.2.0.0.0.0.0.f.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}"
|
||||
|
||||
- domain: "2.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa."
|
||||
notify_targets: [ "ns-intern.hamburg.ccc.de" ]
|
||||
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/2.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}"
|
||||
|
||||
- domain: "3.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa."
|
||||
notify_targets: [ "ns-intern.hamburg.ccc.de" ]
|
||||
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/3.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}"
|
||||
|
||||
- domain: "4.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa."
|
||||
notify_targets: [ "ns-intern.hamburg.ccc.de" ]
|
||||
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/4.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}"
|
||||
|
||||
- domain: "5.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa."
|
||||
notify_targets: [ "ns-intern.hamburg.ccc.de" ]
|
||||
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/5.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}"
|
||||
|
||||
- domain: "6.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa."
|
||||
notify_targets: [ "ns-intern.hamburg.ccc.de" ]
|
||||
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/6.2.1.0.0.0.0.3.0.0.2.4.0.b.4.1.0.0.a.2.ip6.arpa.zone') }}"
|
||||
|
|
@ -224,7 +224,6 @@ alloy_hosts:
|
|||
spaceapiccc:
|
||||
www2:
|
||||
www3:
|
||||
auth-dns:
|
||||
infrastructure_authorized_keys_hosts:
|
||||
hosts:
|
||||
ccchoir:
|
||||
|
|
|
|||
|
|
@ -101,8 +101,3 @@
|
|||
|
||||
- name: Run ensure_eh22_styleguide_dir Playbook
|
||||
ansible.builtin.import_playbook: ensure_eh22_styleguide_dir.yaml
|
||||
|
||||
- name: Setup authoritative dns servers
|
||||
hosts: auth-dns
|
||||
roles:
|
||||
- knot
|
||||
|
|
|
|||
|
|
@ -1,6 +0,0 @@
|
|||
prometheus.scrape "knot_exporter" {
|
||||
targets = [
|
||||
{"__address__" = "localhost:9433", "instance" = "{{ ansible_facts['hostname'] }}"},
|
||||
]
|
||||
forward_to = [ prometheus.relabel.chaosknoten_common.receiver ]
|
||||
}
|
||||
|
|
@ -1,16 +0,0 @@
|
|||
$TTL 7200
|
||||
|
||||
@ IN SOA auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de. (
|
||||
2023073001
|
||||
10800
|
||||
3600
|
||||
3600000
|
||||
86400 )
|
||||
|
||||
IN NS auth-dns.hamburg.ccc.de.
|
||||
IN NS ns.vie.ccc.de.
|
||||
|
||||
; 2a00:14b0:4200:3000:122::1
|
||||
|
||||
1.0.0.0.0.0.0.0.0.0.0.0 IN PTR turing.hamburg.ccc.de.
|
||||
|
||||
|
|
@ -1,43 +0,0 @@
|
|||
$TTL 7200
|
||||
|
||||
@ IN SOA auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de. (
|
||||
2025020102
|
||||
10800
|
||||
3600
|
||||
3600000
|
||||
86400 )
|
||||
|
||||
IN NS auth-dns.hamburg.ccc.de.
|
||||
IN NS ns.vie.ccc.de.
|
||||
|
||||
; ccchh firewall / tunnelendpunkte:
|
||||
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR fwhh.hamburg.ccc.de.
|
||||
|
||||
6.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR jabber.hamburg.ccc.de.
|
||||
3.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR ns.hamburg.ccc.de.
|
||||
0.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR rproxy.hamburg.ccc.de.
|
||||
2.2.1.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR oldturing.hamburg.ccc.de.
|
||||
3.3.1.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR gitlab-intern.hamburg.ccc.de.
|
||||
5.3.1.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR fftest.hamburg.ccc.de.
|
||||
4.1.0.0.0.0.0.0.0.0.0.0.8.4.0.0 IN PTR wiki.attraktor.org.
|
||||
1.0.0.0.0.0.0.0.0.1.2.0.0.5.0.0 IN PTR lokal.ccc.de.
|
||||
1.0.0.0.0.0.0.0.2.1.2.0.0.5.0.0 IN PTR eh20.hamburg.ccc.de.
|
||||
1.0.0.0.0.0.0.0.3.1.2.0.0.5.0.0 IN PTR cryptoparty.hamburg.ccc.de.
|
||||
|
||||
1.0.0.0.0.0.0.0.0.4.1.0.1.5.0.0 IN PTR shellhost.hamburg.ccc.de.
|
||||
|
||||
1.0.0.0.0.0.0.0.0.3.1.0.1.5.0.0 IN PTR unallocated.hamburg.ccc.de.
|
||||
1.0.0.0.0.0.0.0.1.3.1.0.1.5.0.0 IN PTR cms.hamburg.ccc.de.
|
||||
1.0.0.0.0.0.0.0.2.3.1.0.1.5.0.0 IN PTR lists.hamburg.ccc.de.
|
||||
1.0.0.0.0.0.0.0.3.3.1.0.1.5.0.0 IN PTR cow.hamburg.ccc.de.
|
||||
1.0.0.0.0.0.0.0.4.3.1.0.1.5.0.0 IN PTR srv01.hamburg.freifunk.net.
|
||||
1.0.0.0.0.0.0.0.5.3.1.0.1.5.0.0 IN PTR fftest.hamburg.ccc.de.
|
||||
1.0.0.0.0.0.0.0.6.3.1.0.1.5.0.0 IN PTR git.hamburg.ccc.de.
|
||||
1.0.0.0.0.0.0.0.7.3.1.0.1.5.0.0 IN PTR unallocated.hamburg.ccc.de.
|
||||
1.0.0.0.0.0.0.0.8.3.1.0.1.5.0.0 IN PTR unallocated.hamburg.ccc.de.
|
||||
1.0.0.0.0.0.0.0.9.3.1.0.1.5.0.0 IN PTR jitsi.hamburg.ccc.de.
|
||||
1.0.0.0.0.0.0.0.0.4.1.0.1.5.0.0 IN PTR shells.hamburg.ccc.de.
|
||||
1.0.0.0.0.0.0.0.1.4.1.0.1.5.0.0 IN PTR mumble.hamburg.ccc.de.
|
||||
1.0.0.0.0.0.0.0.2.4.1.0.1.5.0.0 IN PTR regio-stage.hamburg.ccc.de.
|
||||
1.0.0.0.0.0.0.0.4.0.2.0.1.5.0.0 IN PTR eh22hub.hamburg.ccc.de.
|
||||
1.0.0.0.0.0.0.0.5.0.2.0.1.5.0.0 IN PTR eh22hub-meta.hamburg.ccc.de.
|
||||
|
|
@ -1,15 +0,0 @@
|
|||
$TTL 7200
|
||||
|
||||
@ IN SOA auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de. (
|
||||
2023072900
|
||||
10800
|
||||
3600
|
||||
3600000
|
||||
86400 )
|
||||
|
||||
IN NS auth-dns.hamburg.ccc.de.
|
||||
IN NS ns.vie.ccc.de.
|
||||
|
||||
; 2a00:14b0:4200:3000:123::1
|
||||
|
||||
1.0.0.0.0.0.0.0.0.0.0.0 IN PTR unused.hamburg.ccc.de.
|
||||
|
|
@ -1,15 +0,0 @@
|
|||
$TTL 7200
|
||||
|
||||
@ IN SOA auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de. (
|
||||
2023072900
|
||||
10800
|
||||
3600
|
||||
3600000
|
||||
86400 )
|
||||
|
||||
IN NS auth-dns.hamburg.ccc.de.
|
||||
IN NS ns.vie.ccc.de.
|
||||
|
||||
; 2a00:14b0:4200:3000:124::1
|
||||
|
||||
1.0.0.0.0.0.0.0.0.0.0.0 IN PTR unused.hamburg.ccc.de.
|
||||
|
|
@ -1,15 +0,0 @@
|
|||
$TTL 7200
|
||||
|
||||
@ IN SOA auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de. (
|
||||
2023072900
|
||||
10800
|
||||
3600
|
||||
3600000
|
||||
86400 )
|
||||
|
||||
IN NS auth-dns.hamburg.ccc.de.
|
||||
IN NS ns.vie.ccc.de.
|
||||
|
||||
; 2a00:14b0:4200:3000:125::1
|
||||
|
||||
1.0.0.0.0.0.0.0.0.0.0.0 IN PTR public-reverse-proxy.hamburg.ccc.de.
|
||||
|
|
@ -1,15 +0,0 @@
|
|||
$TTL 7200
|
||||
|
||||
@ IN SOA ns.hamburg.ccc.de. haegar.ccc.de. (
|
||||
2023073001
|
||||
10800
|
||||
3600
|
||||
3600000
|
||||
86400 )
|
||||
|
||||
IN NS auth-dns.hamburg.ccc.de.
|
||||
IN NS ns.vie.ccc.de.
|
||||
|
||||
; 2a00:14b0:4200:3000:126::1
|
||||
|
||||
1.0.0.0.0.0.0.0.0.0.0.0 IN PTR chaosknoten.hamburg.ccc.de.
|
||||
|
|
@ -1,73 +0,0 @@
|
|||
$ORIGIN .
|
||||
$TTL 900 ; 15 minutes
|
||||
ccchh.net IN SOA auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de. (
|
||||
2026042801 ; serial
|
||||
86400 ; refresh (1 day)
|
||||
7200 ; retry (2 hours)
|
||||
3600000 ; expire (5 weeks 6 days 16 hours)
|
||||
7200 ; minimum (2 hours)
|
||||
)
|
||||
NS auth-dns.hamburg.ccc.de.
|
||||
NS ns.vie.ccc.de.
|
||||
|
||||
$ORIGIN ccchh.net.
|
||||
aes A 212.12.48.125
|
||||
club-assistant AAAA 2a07:c481:1:d0::a
|
||||
;_acme-challenge.club-assistant CNAME d50ad73a-f82d-4244-87f0-6f5195b37d21.auth.acmedns.hamburg.ccc.de
|
||||
club-assistant.z9 AAAA 2a07:c481:1:d0::a
|
||||
;_acme-challenge.club-assistant.z9 CNAME 0efa74d1-7dcd-478b-bdc5-5b76d0f07642.auth.acmedns.hamburg.ccc.de
|
||||
esphome AAAA 2a07:c481:1:d0::66
|
||||
esphome.z9 AAAA 2a07:c481:1:d0::66
|
||||
zigbee2mqtt A 185.161.129.132
|
||||
light AAAA 2a07:c481:1:d0::16
|
||||
_acme-challenge.light CNAME e59f55ee-9013-469d-a146-a159721b6fea.auth.acmedns.hamburg.ccc.de.
|
||||
light.z9 AAAA 2a07:c481:1:d0::16
|
||||
_acme-challenge.light.z9 CNAME 3bc9e7ce-03dd-4533-a059-b5d38407eaa5.auth.acmedns.hamburg.ccc.de.
|
||||
light-werkstatt AAAA 2a07:c481:1:d0::16
|
||||
_acme-challenge.light-werkstatt CNAME f408acc0-d9f5-4525-bb01-28938e3bb7d0.auth.acmedns.hamburg.ccc.de.
|
||||
mailserver-endpoint A 82.165.121.46
|
||||
ns1 A 185.161.129.133
|
||||
send-only-mail MX 10 send-only-mailserver
|
||||
TXT "v=spf1 mx -all"
|
||||
send-only-mailserver A 82.165.121.46
|
||||
send-only-mailserver-access A 185.161.129.132
|
||||
thinkcccore0 AAAA 2a07:c481:1:f2::3
|
||||
thinkcccore0.z9 AAAA 2a07:c481:1:f2::3
|
||||
thinkcccore1 AAAA 2a07:c481:1:f2::4
|
||||
thinkcccore1.z9 AAAA 2a07:c481:1:f2::4
|
||||
opnsense AAAA 2a07:c481:1:f2::1
|
||||
opnsense.z9 AAAA 2a07:c481:1:f2::1
|
||||
pbs AAAA 2a07:c481:1:f2::4
|
||||
thinkcccore2 AAAA 2a07:c481:1:f2::5
|
||||
thinkcccore2.z9 AAAA 2a07:c481:1:f2::5
|
||||
thinkcccore3 AAAA 2a07:c481:1:f2::6
|
||||
thinkcccore3.z9 AAAA 2a07:c481:1:f2::6
|
||||
miniscccore0 AAAA 2a07:c481:1:f2::9
|
||||
miniscccore0.z9 AAAA 2a07:c481:1:f2::9
|
||||
uptime-kuma A 185.161.129.132
|
||||
status AAAA 2a07:c481:1:ce::a
|
||||
status.z9 AAAA 2a07:c481:1:ce::a
|
||||
wiki A 212.12.48.125
|
||||
hmdooris-ccu A 10.31.208.202
|
||||
buba A 10.31.211.137
|
||||
buba.z9 A 10.31.211.137
|
||||
dooris AAAA 2a07:c481:1:d0::1c
|
||||
_acme-challenge.dooris CNAME 37caae1f-b77f-4eb1-aa71-dc3f7ed24360.auth.acmedns.hamburg.ccc.de
|
||||
waybackproxy A 10.31.208.99
|
||||
yate A 10.31.208.12
|
||||
staubiv2 A 10.31.210.233
|
||||
staubiv2.z9 A 10.31.210.233
|
||||
; Mail: hosts.z9.ccchh.net
|
||||
hosts.z9 MX 10 cow.hamburg.ccc.de
|
||||
TXT "v=spf1 mx -all"
|
||||
dkim._domainkey.hosts.z9 TXT ("v=DKIM1;k=rsa;t=s;s=email;"
|
||||
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvsdypQ/tlrzto5KVP"
|
||||
"5o7tEblXK/hOVRFB683uODzo26XTFMSRGjumMuo/tej59GMePdUu0uIsdq8hfj8"
|
||||
"ot0R2OQNazdyp4NW4TUWfFGJ4S2f6LR3lE3I5Lw7fHiYHz0GnCGTqZIItkHK+xQ"
|
||||
"i5Fdhwd1YbFJtO0XiZ0jY5w6pvny6pEH8WaKX85rEmz2zqCtpiYPRPmoK/Tn+rV"
|
||||
"2e8fVioMRm9W8E4PU42WLds66qOkFR0KjKIavE6y7JahESEoVGcVnSPdtMOX0Ln"
|
||||
"KbSMQNrTvNbBoPdLYvNaXOw7TmVPKjDV+FRCIIdK+m0fL82/vm5jPBvDr5+WlM1"
|
||||
"xV/P/KlSnQIDAQAB")
|
||||
$ORIGIN send-only-mail.ccchh.net.
|
||||
_dmarc TXT "v=DMARC1;p=quarantine;"
|
||||
key._domainkey TXT "v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDqduM4+SQ+IQ2uAxbjFkd+0hAjohTgT3nM76jyrWGHJ8TizNU2PGkta0NjCq+m9VLBZUjIJphW2vrnlJsnN0JkGAdoLBL3Qs0kShT6V+xsxslZG2KHApihnJUp34tPSMES+aTnD+jEPGyxFLeoiK+3gywNhCGalHSQ+G88Z2n59wIDAQAB"
|
||||
|
|
@ -1,27 +0,0 @@
|
|||
$TTL 7200
|
||||
|
||||
@ IN SOA auth-intern.hamburg.ccc.de. noc.hamburg.ccc.de. (
|
||||
2025021101
|
||||
10800
|
||||
3600
|
||||
3600000
|
||||
86400 )
|
||||
|
||||
IN NS auth-dns.hamburg.ccc.de.
|
||||
IN NS ns.vie.ccc.de.
|
||||
|
||||
IN MX 5 nomail.ccc.de.
|
||||
;IN MX 10 local-mail.hamburg.ccc.de.
|
||||
IN MX 10 vworker02.irz42.net.
|
||||
IN MX 23 nomail2.ccc.de.
|
||||
IN MX 42 nomail3.ccc.de.
|
||||
|
||||
IN TXT "v=spf1 mx ip4:144.76.16.19/32 ip4:212.12.51.133/32 ip6:2a01:4f8:191:331::2/128 ip6:2a00:14b0:f000:23:51:133:0:1/128 ~all"
|
||||
|
||||
IN A 212.12.48.125
|
||||
IN AAAA 2a00:14b0:4200:3000:125::1
|
||||
|
||||
localhost IN A 127.0.0.1
|
||||
|
||||
* IN CNAME @
|
||||
www IN CNAME @
|
||||
|
|
@ -1,45 +0,0 @@
|
|||
$TTL 600
|
||||
|
||||
@ IN SOA ns.hamburg.ccc.de. mail.hamburg.ccc.de. (
|
||||
2026033101
|
||||
10800
|
||||
3600
|
||||
3600000
|
||||
86400 )
|
||||
|
||||
IN NS auth-dns.hamburg.ccc.de.
|
||||
IN NS ns.vie.ccc.de.
|
||||
|
||||
IN A 212.12.48.125
|
||||
IN AAAA 2a00:14b0:4200:3000:125::1
|
||||
|
||||
IN MX 10 cow.hamburg.ccc.de.
|
||||
;autodiscover IN CNAME cow.hamburg.ccc.de.
|
||||
;_autodiscover._tcp IN SRV 10 cow.hamburg.ccc.de. 443
|
||||
;autoconfig IN CNAME cow.hamburg.ccc.de
|
||||
|
||||
IN TXT "v=spf1 mx ip4:144.76.16.19/32 ip4:212.12.51.133/32 ip6:2a01:4f8:191:331::2/128 ip6:2a00:14b0:f000:23:51:133:0:1/128 ~all"
|
||||
;_dmarc IN TXT **TODO**
|
||||
|
||||
dkim._domainkey IN TXT ( "v=DKIM1;k=rsa;t=s;s=email;p=MIIBIjANBgkqhk"
|
||||
"iG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqoWo7mbis3REqBURP3ZQZwOY7RSsS7"
|
||||
"TY9eFHvW/O83YseEHoIQmeKkHj1lRrP+6Jhow2XngveBzt/m5AQclLVMURt5"
|
||||
"2zsLCtiXxOYMLIIAgFOfxGjMdfqh9+X0wuOqHgoZiP2uBfAWLKfV/CZcovI/"
|
||||
"0d2d7vQvc+7PJwZ9htoIu3NesasOFsrhv1yfFJidC87focQdaVKfD9cF68/w"
|
||||
"2Ri2TGzcSQHAiIxJq3MgawSJZiyVD+psZdzZDB1YIw8NJxmDskzFicTLrYyH"
|
||||
"8XOf5f5lOWjRYrfe0H8sAe1NBb/OP2T7Qs3S9DQosMSPwyALC3FPZKsVMbtI"
|
||||
"mr8F+J+M/H9QIDAQAB" )
|
||||
|
||||
localhost IN A 127.0.0.1
|
||||
|
||||
intern IN A 172.31.17.212
|
||||
cfp IN CNAME public-reverse-proxy.hamburg.ccc.de.
|
||||
_acme-challenge.cfp CNAME 295a66d4-1d71-49f3-a80a-1f7527ec9cca.auth.acmedns.hamburg.ccc.de.
|
||||
netbox IN CNAME public-reverse-proxy.hamburg.ccc.de.
|
||||
presale IN A 78.47.203.122
|
||||
IN AAAA 2a01:4f8:1c17:b147::2
|
||||
pretix IN A 78.47.203.122
|
||||
IN AAAA 2a01:4f8:1c17:b147::2
|
||||
engel IN A 167.235.129.15
|
||||
IN AAAA 2a01:4f8:1c1b:e967::1
|
||||
radius IN A 94.45.254.130
|
||||
|
|
@ -1,520 +0,0 @@
|
|||
; es wird jetzt der hostname mail.hamburg.ccc.de nicht mehr
|
||||
; verwendet, sondern statt dessen local-mail.hamburg.ccc.de
|
||||
; die popeye fuehlt sich immer noch unter mail.hamburg.ccc.de
|
||||
; angesprochen, und nimmt daher keine mails mit absender-adressen
|
||||
; die sie nicht kennt an.
|
||||
; ich hoffe diese aenderung arbeitet um diesen bug herum.
|
||||
; - haegar 2001.11.14
|
||||
|
||||
$TTL 7200
|
||||
@ IN SOA auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de. (
|
||||
2026042903
|
||||
10800
|
||||
3600
|
||||
3600000
|
||||
86400 )
|
||||
|
||||
IN NS ns.hamburg.ccc.de.
|
||||
IN NS ns.vie.ccc.de.
|
||||
|
||||
$TTL 60
|
||||
IN MX 10 cow.hamburg.ccc.de.
|
||||
; IN MX 10 local-mail.hamburg.ccc.de.
|
||||
$TTL 7200
|
||||
IN TXT "v=spf1 mx ip4:212.12.51.133 ip6:2a00:14b0:f000:23:51:133:0:1 ip4:212.12.48.122 ip6:2a00:14b0:4200:3000:122::1 -all"
|
||||
|
||||
IN A 212.12.48.125
|
||||
IN AAAA 2a00:14b0:4200:3000:125::1
|
||||
|
||||
dkim._domainkey IN TXT ("v=DKIM1;k=rsa;t=s;s=email;"
|
||||
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4wZRajtsQTrVgXco7"
|
||||
"1E2T+UDRxzzXJ+0F7m1UHiPpsjGQJ4Njs4Zc6qC21FLxhUIRFURy9mZ2mGk6hnL"
|
||||
"w6wi0xm0N3MOH8BG/omPfWJcH4C1XXMk6trYSjhKQb4FzNbusAFoldIdwtt/aa/"
|
||||
"GJBvRD+XYulvuyqolD2SGY62tAiXqls4ik2ZiDrIv+Dglg8b8fD4kzqe/aXlUvD"
|
||||
"j3hCMHmyjE8mn8lYnS0QfSnV8NlqKwOhF+iwqfrhMI2bZFCQ+td03RtQjaXw5W+"
|
||||
"30NMcOv6Se4vPDl4nUIBJZ/wP3CBz1k66VShHB+un7SxoUQuW0+oDqN4QHH338b"
|
||||
"2dDOoBJndwIDAQAB")
|
||||
_dmarc IN TXT "v=DMARC1;p=none;sp=none;pct=100;rua=mailto:dmarc-report@hamburg.ccc.de;ruf=mailto:dmarc-report@hamburg.ccc.de;ri=86400;aspf=r;adkim=r;fo=1"
|
||||
|
||||
|
||||
localhost IN A 127.0.0.1
|
||||
|
||||
dante._domainkey IN TXT ("v=DKIM1;k=rsa;t=s;s=email;"
|
||||
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzMLFoEXbD/IgP6TIz2KDZudbnYtcJ4QjdWiwEP5NMvugymzDCiLaKTwNUFycKA1TvW0Y7/x0EEgqcSjfV87GU8xs6qsArgbQWBCs9gPBInbA8LBX9RN/JX30pESh+jGfdNWl7mWkkyVuONUgy/vFHWswJZ72Lg96gyBBCAR1ABC7qM8PYjoFFlRR76PfZNV8YHRBM/1ypQthtjPf"
|
||||
"NKhV8MksNIXPKhcQwy6/JAVpkUunVpOrsuf2K6RFVMrVNUEtEYkpZUPtnoTYwaB0rRLg0f+InHzKZx2uv6JexyWZOwxsv8Bv1I+jdiEkQMw9kORZ81sv2mcUO+0PubeYVpvWAwIDAQAB" )
|
||||
hansenerd._domainkey IN TXT ("v=DKIM1; k=rsa; "
|
||||
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDlxTgmc5Fe2aQc5razQYlk3OBGNePuevJQ7YVp5j5IM0ukBLM1erTR6DLZZvoGd2puKvfjlvejR3GRY4YXeZkCJoS0ZjwpR3Tfy8PzUbPNMt5e/buHGK1v+9E9zrl4vrxgYYYlYqjl1HF1K9oE5yPI1AIeUxzZpduheJASlxr9VwIDAQAB" ) ;
|
||||
|
||||
|
||||
; Proxmox Host:
|
||||
chaosknoten IN A 212.12.48.126
|
||||
IN AAAA 2a00:14b0:4200:3000::126:1
|
||||
;chaosknoten-ipmi IN A 212.12.51.137; unused public IP
|
||||
chaosknoten-ipmi IN A 44.128.124.4
|
||||
|
||||
; DMZ-Server:
|
||||
dmz-net IN A 212.12.50.208
|
||||
|
||||
turing IN A 212.12.48.122
|
||||
IN AAAA 2a00:14b0:4200:3000:122::1
|
||||
IN MX 10 cow.hamburg.ccc.de.
|
||||
turing-chaosvpn IN AAAA 2001:6f8:126f:11::3
|
||||
IN A 172.31.17.1
|
||||
turing-vpn IN CNAME turing-chaosvpn
|
||||
turing-vpngw IN A 212.12.48.122
|
||||
IN AAAA 2a00:14b0:4200:3000:122::1
|
||||
turing-vzhost IN A 172.31.17.1
|
||||
IN AAAA 2a00:14b0:4200:3000:122::1
|
||||
IN MX 10 cow.hamburg.ccc.de.
|
||||
turing-vzhost2 IN CNAME turing-vzhost
|
||||
turing-router IN A 172.31.17.129
|
||||
|
||||
turing-new IN A 172.31.17.132
|
||||
|
||||
oldturing IN A 172.31.17.122
|
||||
IN AAAA 2a00:14b0:f000:23::122
|
||||
IN MX 10 cow.hamburg.ccc.de.
|
||||
turing-intern IN CNAME oldturing
|
||||
turing-intern2 IN A 172.31.17.142
|
||||
IN AAAA 2a00:14b0:f000:23::122
|
||||
|
||||
ns IN A 212.12.48.122
|
||||
IN AAAA 2a00:14b0:f000:23::53
|
||||
IN MX 10 cow.hamburg.ccc.de.
|
||||
ns-intern IN A 172.31.17.53
|
||||
IN AAAA 2a00:14b0:f000:23::53
|
||||
ns-intern2 IN A 172.31.17.153
|
||||
IN AAAA 2a00:14b0:f000:23::53
|
||||
|
||||
vpn IN A 212.12.48.122
|
||||
; ipv4 only!
|
||||
www.vpn IN CNAME vpn
|
||||
cvpn-dns IN A 172.31.0.5
|
||||
chaosvpn-dns IN A 172.31.17.136
|
||||
|
||||
turing-db IN A 172.31.17.135
|
||||
IN MX 10 cow.hamburg.ccc.de.
|
||||
|
||||
gitlab IN A 212.12.48.122
|
||||
IN AAAA 2a00:14b0:4200:3000:122::1
|
||||
; ipv6 also has DNAT rules
|
||||
gitlab-intern IN A 172.31.17.133
|
||||
IN AAAA 2a00:14b0:f000:23::133
|
||||
IN MX 5 nomail.ccc.de.
|
||||
IN MX 10 cow.hamburg.ccc.de.
|
||||
|
||||
gitlab-cr IN CNAME gitlab
|
||||
|
||||
gitlab-test IN A 212.12.48.122
|
||||
IN AAAA 2a00:14b0:4200:3000:122::1
|
||||
; ipv6 also has DNAT rules
|
||||
gitlab-test-intern IN A 172.31.17.138
|
||||
IN AAAA 2a00:14b0:f000:23::138
|
||||
IN MX 5 nomail.ccc.de.
|
||||
IN MX 10 cow.hamburg.ccc.de.
|
||||
|
||||
gitlab-runner IN A 172.31.17.139
|
||||
IN MX 5 nomail.ccc.de.
|
||||
IN MX 10 cow.hamburg.ccc.de.
|
||||
|
||||
lists IN A 212.12.51.132
|
||||
IN AAAA 2a00:14b0:f000:23:51:132:0:1
|
||||
IN MX 10 lists
|
||||
IN TXT "v=spf1 mx -all"
|
||||
dkim._domainkey.lists IN TXT ("v=DKIM1; h=sha256; k=rsa; "
|
||||
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCvNlbGPBluV3q3eT1C6nJ"
|
||||
"8KuSNAx9ycTO0urNkz4In1I2srmK8qPTfqfPU7y5kjHM1oC31+LwVNiyzeIQl"
|
||||
"cdW00DMTHfzkQAjtdDXgKG5db4Dqw+2wtZfLGvBFOSfV0RspZmSDSN6ON81dk"
|
||||
"lVABMMOA7Vd8wwIj0ms/gb/+AB0IQIDAQAB" )
|
||||
ccchoir-intern IN A 172.31.17.156
|
||||
|
||||
cow IN A 212.12.51.133
|
||||
IN AAAA 2a00:14b0:f000:23:51:133:0:1
|
||||
IN MX 10 cow
|
||||
cow-intern IN A 172.31.17.201
|
||||
auth-dns IN A 212.12.48.124
|
||||
auth-dns IN AAAA 2a00:14b0:4200:3000:124::1
|
||||
|
||||
cowtest IN MX 10 cow
|
||||
IN TXT "v=spf1 mx -all"
|
||||
dkim._domainkey.cowtest IN TXT ("v=DKIM1;k=rsa;t=s;s=email;p="
|
||||
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy5aAMRgFdGdG+Ewmn"
|
||||
"OZb8gdCjSSoFjTxu/GW9edVWU0zsRRQT9r6oF82Cn05jEKNra3D8tE48jBaDQ"
|
||||
"GOAFa4BgjxiIfP/D36CaN2JT5sno3faSBkqaKoBG0zRD2UsNj/ROfHB844BOf"
|
||||
"AUt4KFMMHUfO03Gu6ps9nq/QBsrR5Iq6sMv9WiftKjh4twS4S+Wz7ZXymY3yd"
|
||||
"jRLI8r48pASg6IoiByV8kR3r7OZw9dzmNgbTCOEyKaicB4KJDjgJvQut8af8g"
|
||||
"sYQYTCSPVqkwb5Y+yJNKhQmsYBwUX23x5Yng2gDBY/pjGeWl28SxdGhm8C23a"
|
||||
"0wVCz4kQGNvcULnrzifwIDAQAB")
|
||||
_autodiscover._tcp.cowtest IN SRV 0 1 443 cow
|
||||
_caldavs._tcp.cowtest IN SRV 0 1 443 cow
|
||||
_caldavs._tcp.cowtest IN TXT "path=/SOGo/dav/"
|
||||
_carddavs._tcp.cowtest IN SRV 0 1 443 cow
|
||||
_carddavs._tcp.cowtest IN TXT "path=/SOGo/dav/"
|
||||
_imap._tcp.cowtest IN SRV 0 1 143 cow
|
||||
_imaps._tcp.cowtest IN SRV 0 1 993 cow
|
||||
_pop3._tcp.cowtest IN SRV 0 1 110 cow
|
||||
_pop3s._tcp.cowtest IN SRV 0 1 995 cow
|
||||
_sieve._tcp.cowtest IN SRV 0 1 4190 cow
|
||||
_smtps._tcp.cowtest IN SRV 0 1 465 cow
|
||||
_submission._tcp.cowtest IN SRV 0 1 587 cow
|
||||
|
||||
|
||||
mail IN A 212.12.48.122
|
||||
IN MX 10 cow.hamburg.ccc.de.
|
||||
local-mail IN A 172.31.17.201 ; make hosts with relayhost=local-mail work
|
||||
;local-mail IN A 212.12.48.122
|
||||
; IN AAAA 2a00:14b0:f000:23::122
|
||||
; IN MX 10 cow.hamburg.ccc.de.
|
||||
|
||||
jitsi-old IN A 49.12.8.103
|
||||
IN AAAA 2a01:4f8:c17:392f::1
|
||||
jitsi IN A 212.12.51.139
|
||||
IN AAAA 2a00:14b0:f000:23:51:139:0:1
|
||||
|
||||
mumble IN A 212.12.51.141
|
||||
IN AAAA 2a00:14b0:f000:23:51:141:0:1
|
||||
|
||||
|
||||
id IN A 212.12.48.125
|
||||
IN AAAA 2a00:14b0:4200:3000:125::1
|
||||
keycloak-admin IN A 212.12.48.125
|
||||
IN AAAA 2a00:14b0:4200:3000:125::1
|
||||
invite IN A 212.12.48.125
|
||||
IN AAAA 2a00:14b0:4200:3000:125::1
|
||||
id IN MX 10 cow
|
||||
IN TXT "v=spf1 mx -all"
|
||||
dkim._domainkey.id IN TXT ("v=DKIM1;k=rsa;t=s;s=email;p="
|
||||
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx6wcQjo7qgb1CMOv5"
|
||||
"6odc7Ef8rocu3bv3JKBIqL/msuoEFOiXGpPZrwcWQJc7lS5tLTxR5XuP02D3D"
|
||||
"Vif+8D3R8YzLsNMdLZ5moQacdJK2OFFiet2G3kWjBdKH1em9FwMa0MBWlk6LR"
|
||||
"YWRgsByFBMNIItwkBmqmNrmrPRneRprLYQCf34McDmkzpzUpFdF5sgmbmDpdX"
|
||||
"genmqXgBopvmnTeXa+kQnoVgrMyWE41zdWaXrDAtoYye3e31j0Nxhnfg+I7vO"
|
||||
"XPfmatTH7yieDaLG+3kHjbA3WFyAkb/ZAqZaFM8k6cQJEZb7jDzdKlm1fuPrk"
|
||||
"YUrfZ1V3pglzdm0QbM4wIDAQAB")
|
||||
|
||||
matrix-intern IN A 172.31.17.150
|
||||
; have this for compatibility (like references in CI)
|
||||
public-web-static-intern IN AAAA 2a00:14b0:42:102::17
|
||||
git-intern IN A 172.31.17.154
|
||||
woodpecker-intern IN A 172.31.17.160
|
||||
penpot-intern IN A 172.31.17.162
|
||||
forgejo-runner-builder IN A 172.31.17.202
|
||||
renovate-forgejo IN A 172.31.17.163
|
||||
status IN AAAA 2a00:14b0:f001:100::fd
|
||||
status IN A 212.12.50.253
|
||||
design IN A 212.12.48.125
|
||||
IN AAAA 2a00:14b0:4200:3000:125::1
|
||||
IN MX 10 cow
|
||||
IN TXT "v=spf1 mx -all"
|
||||
dkim._domainkey.design IN TXT ("v=DKIM1;k=rsa;t=s;s=email;p="
|
||||
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtod7q+mkIcZFe512v"
|
||||
"jzXF0UfGmo8R6UxeJ/MCi/qjjN+sSqn4dohQx3NBhK3UF9/8Ze7FT5znTxeWj"
|
||||
"Ks+le/dSS4CKxjSFAV1FjcaAqrUaxO1V8+fxcUSVzAQZXUVyNqqv+SAFUVJSE"
|
||||
"3zZIuJim4F1HVVLvwbLJZ450ns8KQ7n3RNY2+mqQoxo8xmMg2QFOoQKlSYspC"
|
||||
"TRTV4LM/n5Jm7Mm1F5DwJ+7Ie9s/WvTWKKKUExmoa5SNheGcfybC+sqnJu7L0"
|
||||
"F5dWFwk0zzQDcVSY2m9qFWPEuO2fZmiB4IoG4yXkooSY2sH9Z8eX2+6i3k/ub"
|
||||
"qx58Mav6VlkTxsOAdbbQIDAQAB")
|
||||
regio-stage IN A 212.12.51.142
|
||||
AAAA 2a00:14b0:f000:23:51:142:0:1
|
||||
|
||||
public-reverse-proxy IN A 212.12.48.125
|
||||
IN AAAA 2a00:14b0:4200:3000:125::1
|
||||
public-reverse-proxy-intern IN A 172.31.17.140
|
||||
router IN A 212.12.48.123
|
||||
|
||||
rproxy IN A 212.12.48.122
|
||||
IN AAAA 2a00:14b0:4200:3000:122::1
|
||||
IN MX 10 cow.hamburg.ccc.de.
|
||||
rproxy-intern IN A 172.31.17.180
|
||||
IN AAAA 2a00:14b0:f000:23::80
|
||||
IN MX 10 cow.hamburg.ccc.de.
|
||||
|
||||
bildungsurlaub IN CNAME rproxy
|
||||
doku IN CNAME rproxy
|
||||
test IN CNAME rproxy
|
||||
www.test IN CNAME rproxy
|
||||
eh2003 IN CNAME public-reverse-proxy
|
||||
www.eh2003 IN CNAME public-reverse-proxy
|
||||
easterhegg2003 IN CNAME public-reverse-proxy
|
||||
www.easterhegg2003 IN CNAME public-reverse-proxy
|
||||
eh2005 IN CNAME public-reverse-proxy
|
||||
www.eh2005 IN CNAME public-reverse-proxy
|
||||
easterhegg2005 IN CNAME public-reverse-proxy
|
||||
www.easterhegg2005 IN CNAME public-reverse-proxy
|
||||
eh2007 IN CNAME public-reverse-proxy
|
||||
www.eh2007 IN CNAME public-reverse-proxy
|
||||
eh07 IN CNAME public-reverse-proxy
|
||||
www.eh07 IN CNAME public-reverse-proxy
|
||||
easterhegg2007 IN CNAME public-reverse-proxy
|
||||
www.easterhegg2007 IN CNAME public-reverse-proxy
|
||||
eh2009 IN CNAME public-reverse-proxy
|
||||
www.eh2009 IN CNAME public-reverse-proxy
|
||||
eh09 IN CNAME public-reverse-proxy
|
||||
www.eh09 IN CNAME public-reverse-proxy
|
||||
easterhegg2009 IN CNAME public-reverse-proxy
|
||||
www.easterhegg2009 IN CNAME public-reverse-proxy
|
||||
eh2011 IN CNAME public-reverse-proxy
|
||||
www.eh2011 IN CNAME public-reverse-proxy
|
||||
eh11 IN CNAME public-reverse-proxy
|
||||
www.eh11 IN CNAME public-reverse-proxy
|
||||
easterhegg2011 IN CNAME public-reverse-proxy
|
||||
www.easterhegg2011 IN CNAME public-reverse-proxy
|
||||
eh20 IN CNAME public-reverse-proxy
|
||||
|
||||
oldwiki IN CNAME rproxy
|
||||
nonpublic.wiki IN CNAME rproxy
|
||||
www.nonpublic.wiki IN CNAME rproxy
|
||||
planet IN CNAME rproxy
|
||||
www.planet IN CNAME rproxy
|
||||
chaos-macht-schule IN CNAME rproxy
|
||||
www.chaos-macht-schule IN CNAME rproxy
|
||||
|
||||
branding-resources IN CNAME public-reverse-proxy
|
||||
element IN CNAME public-reverse-proxy
|
||||
matrix IN CNAME public-reverse-proxy
|
||||
mas IN CNAME public-reverse-proxy
|
||||
element-admin IN CNAME public-reverse-proxy
|
||||
netbox IN CNAME public-reverse-proxy
|
||||
woodpecker IN CNAME public-reverse-proxy
|
||||
onlyoffice IN CNAME public-reverse-proxy
|
||||
pad IN CNAME public-reverse-proxy
|
||||
pretalx IN CNAME public-reverse-proxy
|
||||
spaceapi IN CNAME public-reverse-proxy
|
||||
staging IN CNAME public-reverse-proxy
|
||||
wiki IN CNAME public-reverse-proxy
|
||||
www IN CNAME public-reverse-proxy
|
||||
ntfy IN CNAME public-reverse-proxy
|
||||
sunders IN CNAME public-reverse-proxy
|
||||
spaceapiccc IN CNAME public-reverse-proxy
|
||||
acmedns IN CNAME public-reverse-proxy
|
||||
cpuccc IN CNAME public-reverse-proxy
|
||||
did IN CNAME public-reverse-proxy
|
||||
|
||||
|
||||
auth.acmedns IN NS acmedns.hosts.hamburg.ccc.de.
|
||||
|
||||
git IN A 212.12.51.136
|
||||
IN AAAA 2a00:14b0:f000:23:51:136::1
|
||||
git IN MX 10 cow
|
||||
IN TXT "v=spf1 mx -all"
|
||||
dkim._domainkey.git IN TXT ("v=DKIM1;k=rsa;t=s;s=email;p="
|
||||
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsUGmKDns/qokxyz2u"
|
||||
"lcyKIcs/S+zf+0wHCfhSOK4lLnws8U/wIny5FAW3zM/7TliqIftzZ2B0Cz8W6"
|
||||
"YvmtgLyKqBzvCSG0dNYyy9TVeGM4HyrmLBbUkQdGGQwmoJTnCe9gT9z6GO9k2"
|
||||
"uFfHJsk/iffU75x9iXqLXPGL/CGmLKuBmkYGda2rQ9ATUIpQhIxnerZvVc3RA"
|
||||
"qwD8/pYvMLOqvCStVHM5Zi+j1Jr0BC8mxU8pIY6rfOVt+h/V3wh0F6dL0z9nw"
|
||||
"ZhDE53K8frGp2CC5dW/A37FrfMJv+ODw2tX8EdyL2hDBshBQ4r8WiYJTtIMPL"
|
||||
"50A9UzZndyiLAHoeLrZQIDAQAB")
|
||||
hackertours IN A 212.12.48.125
|
||||
IN AAAA 2a00:14b0:4200:3000:125::1
|
||||
MX 10 cow.hamburg.ccc.de.
|
||||
IN TXT "v=spf1 mx -all"
|
||||
dkim._domainkey.hackertours IN TXT ("v=DKIM1;k=rsa;t=s;s=email;"
|
||||
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnG5J6rMvbOy7mmV4mKfN"
|
||||
"7SSrtxKP/jI0XWwO2njO3jM6DkAGDpmRH69B5sOW/53/yg7MMdGytGfNAk61YJknP+"
|
||||
"NGZNSk7F2p2aB+zoksLVcIKdY1YwicYS7l6Q7qWBfv8ctmGTzcwO0UEAizD6xdINN8"
|
||||
"YmhHorgnxR3HbHeUmaxIe4WM2wWRYiD+9tpY1f0O/NEEoHxmFecRhU9SVmuhLgiOyF"
|
||||
"AWpPYBMOsKEHoKREENc+4VBj6H2GYTKIs+dYKDNEmVVdnRkgtAVO3FrjCkedBJ7RbR"
|
||||
"RNHIqdt9u8AF+Vrs1Oq72ZQrNVR0ezEyBScJaxy5JphvBWkMSYSoDpvXLwIDAQAB")
|
||||
staging.hackertours IN A 212.12.48.125
|
||||
IN AAAA 2a00:14b0:4200:3000:125::1
|
||||
grafana IN A 212.12.48.125
|
||||
IN AAAA 2a00:14b0:4200:3000:125::1
|
||||
tickets IN A 212.12.48.125
|
||||
IN AAAA 2a00:14b0:4200:3000:125::1
|
||||
zammad IN A 212.12.48.125
|
||||
IN AAAA 2a00:14b0:4200:3000:125::1
|
||||
|
||||
loki IN CNAME grafana.hosts
|
||||
metrics IN CNAME grafana.hosts
|
||||
|
||||
|
||||
; chaos macht schule server
|
||||
cms IN A 212.12.51.131
|
||||
www.cms IN CNAME cms
|
||||
schule IN CNAME cms
|
||||
www.schule IN CNAME cms
|
||||
|
||||
; Firewall:
|
||||
ovpn IN A 212.12.48.122
|
||||
fwhh-v6 IN A 212.12.50.214
|
||||
|
||||
; (irc) nat ip
|
||||
chaoscafe IN A 212.12.50.209
|
||||
|
||||
cloud IN A 212.12.48.125
|
||||
IN AAAA 2a00:14b0:4200:3000:125::1
|
||||
cloud IN MX 10 cow
|
||||
IN TXT "v=spf1 mx -all"
|
||||
dkim._domainkey.cloud IN TXT ("v=DKIM1;k=rsa;t=s;s=email;p="
|
||||
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvr7XIfOFt99cdEKeP"
|
||||
"Qhz7miwN2tIZF+imJ3p/r/kam0TKN5pbRMDK0HH4Jl8ksBDozXrLo+U71TX+m"
|
||||
"XBBeNca4QSfmJh6cAesibf4v/6ssGBdQR7efc2b3dFvZS5/qdS7oLYqYbGpuv"
|
||||
"aUB0gzhatrAR0i6HdtXrsJxGemda4WvZXaPLPwcWByHLZsHQUbaD3doZOJGXI"
|
||||
"7+HQs9BuDo4PKQs1/mE5BEWQ0ISEKZ4bk1p8U0ZsfcdQ8o9X53Tj+JxvJHgxi"
|
||||
"h7yHMr4y9hCOAkvZTFZ/Z/r3KU+N+t9NrVYm995KEernSxE3MXYIsdaFKBDvX"
|
||||
"Xq837yzJmv7D9S9We3YwIDAQAB")
|
||||
; Mail: hosts.hamburg.ccc.de
|
||||
hosts IN MX 10 cow
|
||||
IN TXT "v=spf1 mx -all"
|
||||
dkim._domainkey.hosts IN TXT ("v=DKIM1;k=rsa;t=s;s=email;p="
|
||||
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyFnskyCW0420D+5PA"
|
||||
"L6cKmPoZR2nrPaMPiJl0+DbDhnsLdXtt3cKZkAin2GYQRvZJvlcJ3JFkFljmQ"
|
||||
"sZk7BJ02rV7S79DgeFhKMzjE0p/GaMBSdzDZJQEVkKhEK+KBbSfaZ0FM/4Qh0"
|
||||
"beI26kBgbR6bc+SGdB7+LB2JLPxr5ipP0gJ7RtE+QWIoDaU0e9dSYhucJ4A4k"
|
||||
"RMs3ECvcCVgsyhRPJahs8tzbKjhnp956ru6Jda3Yo/ubhy4AztP/7ZQayCv/W"
|
||||
"06PfZNo/i2711F98L2ATQaDsOCKWhpskyrCRcR1nTWNSL7qYhOPD1hZonsd5I"
|
||||
"f5WwrR4meWD3wmXbX29wIDAQAB")
|
||||
; Mail: hosts-external.hamburg.ccc.de
|
||||
external-hosts IN MX 10 cow
|
||||
IN TXT "v=spf1 mx -all"
|
||||
dkim._domainkey.external-hosts IN TXT ("v=DKIM1;k=rsa;t=s;s=email;p="
|
||||
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkfdJvL7Tpdw6JLkuU"
|
||||
"nOLwtxojWZ5Xq6rLDK3EzrX2Tyeq03nqgQuI3ruHgodHb1D7sieU61x30+g7y"
|
||||
"8HnjrN1bfH1iQJUzEOCgOWHwQEbLdbQxcazmbEdowBuA0VuYrXL2tcCFJwdcZ"
|
||||
"MKZAyuba7leeRgSngZJnesT7aaGvZSuzLa1/KaW4MRbOOmy5LlukBC3EZBpWn"
|
||||
"/dL73spDajlDx4VRMUpZQq/PAoPPwCFdw/HNnzxBYBIdVloeJx91qBRaNyUIb"
|
||||
"C/to8YSDVi2aMHiXhTBfoNd1VcxjlBYWqEZtdUhecUjwmbbAO4f0ECO4bs0Yz"
|
||||
"d/EgJB70ry1quA0MqgZQIDAQAB")
|
||||
|
||||
; for thw:
|
||||
orga IN A 212.12.51.130
|
||||
IN MX 23 nomail.ccc.de.
|
||||
IN MX 42 orga
|
||||
|
||||
shellhost IN A 212.12.51.140
|
||||
IN AAAA 2a00:14b0:f000:23:51:140:0:1
|
||||
IN MX 5 nomail.ccc.de.
|
||||
IN MX 10 cow.hamburg.ccc.de.
|
||||
shells IN CNAME shellhost
|
||||
|
||||
; chaos vpn-hub on haegars hetzner machine
|
||||
vpnhub1 IN A 136.243.3.60
|
||||
IN MX 5 nomail.ccc.de.
|
||||
IN MX 10 mail.sdinet.de.
|
||||
vpnhub1.ipv4 IN A 136.243.3.60
|
||||
vpnhub1-intern IN A 172.31.2.1
|
||||
|
||||
; special
|
||||
ccchh IN MX 5 nomail.ccc.de.
|
||||
IN MX 10 cow.hamburg.ccc.de.
|
||||
|
||||
office IN CNAME office.hh.ccc.de.
|
||||
officemail IN CNAME officemail.hh.ccc.de.
|
||||
|
||||
template IN A 172.31.17.199
|
||||
IN AAAA 2a00:14b0:f000:23::199
|
||||
IN MX 10 cow.hamburg.ccc.de.
|
||||
|
||||
irc IN A 176.56.239.136
|
||||
IN AAAA 2a00:d880:8:1::1aa
|
||||
IN MX 5 nomail.ccc.de.
|
||||
|
||||
cryptoparty IN CNAME public-reverse-proxy
|
||||
staging.cryptoparty IN CNAME public-reverse-proxy
|
||||
|
||||
; Freifunk Gateways
|
||||
freifunk-gw01 IN CNAME gw01.hamburg.freifunk.net.
|
||||
freifunk-gw02 IN CNAME gw02.hamburg.freifunk.net.
|
||||
freifunk-gw03 IN CNAME gw03.hamburg.freifunk.net.
|
||||
freifunk-gw04 IN CNAME gw04.hamburg.freifunk.net.
|
||||
freifunk-gw05 IN CNAME gw05.hamburg.freifunk.net.
|
||||
freifunk-gw06 IN CNAME gw06.hamburg.freifunk.net.
|
||||
freifunk-gw07 IN CNAME gw07.hamburg.freifunk.net.
|
||||
freifunk-gw08 IN CNAME gw08.hamburg.freifunk.net.
|
||||
freifunk-gw09 IN CNAME gw09.hamburg.freifunk.net.
|
||||
freifunk-gw10 IN CNAME gw10.hamburg.freifunk.net.
|
||||
freifunk-gw11 IN CNAME gw11.hamburg.freifunk.net.
|
||||
freifunk-gw12 IN CNAME gw12.hamburg.freifunk.net.
|
||||
freifunk-gw13 IN CNAME gw13.hamburg.freifunk.net.
|
||||
freifunk-gw14 IN CNAME gw14.hamburg.freifunk.net.
|
||||
freifunk-gw15 IN CNAME gw15.hamburg.freifunk.net.
|
||||
freifunk-gw16 IN CNAME gw16.hamburg.freifunk.net.
|
||||
freifunk-gw17 IN CNAME gw17.hamburg.freifunk.net.
|
||||
freifunk-gw18 IN CNAME gw18.hamburg.freifunk.net.
|
||||
freifunk-gw19 IN CNAME gw19.hamburg.freifunk.net.
|
||||
freifunk-gw20 IN CNAME gw20.hamburg.freifunk.net.
|
||||
|
||||
fftest IN A 212.12.51.135
|
||||
IN AAAA 2a00:14b0:f000:23::135
|
||||
|
||||
; Shellbordell
|
||||
colossus IN A 212.12.51.133
|
||||
|
||||
; generic aliases
|
||||
LAN-212-12-50-208.dmz-net IN A 212.12.50.208
|
||||
ip208 IN A 212.12.50.208
|
||||
ip209 IN A 212.12.50.209
|
||||
ip210 IN A 212.12.50.210
|
||||
ip211 IN A 212.12.50.211
|
||||
ip212 IN A 212.12.50.212
|
||||
ip213 IN A 212.12.50.213
|
||||
ip214 IN A 212.12.50.214
|
||||
ENDE-212-12-50-215.dmz-broadcast IN A 212.12.50.215
|
||||
ip215 IN A 212.12.50.215
|
||||
|
||||
; ChaosVPN
|
||||
hack IN NS cvpn-dns.hack
|
||||
cvpn-dns.hack IN A 172.31.0.5
|
||||
|
||||
; IPv4 Reverse DNS
|
||||
|
||||
122.48.12.212.rdns IN PTR turing.hamburg.ccc.de.
|
||||
123.48.12.212.rdns IN PTR ip-48-123.hamburg.ccc.de.
|
||||
124.48.12.212.rdns IN PTR ip-48-124.hamburg.ccc.de.
|
||||
125.48.12.212.rdns IN PTR public-reverse-proxy.hamburg.ccc.de.
|
||||
126.48.12.212.rdns IN PTR chaosknoten.hamburg.ccc.de.
|
||||
|
||||
208.50.12.212.rdns IN PTR net-12-50-212.hamburg.ccc.de.
|
||||
209.50.12.212.rdns IN PTR turing.hamburg.ccc.de.
|
||||
;210.50.12.212.rdns IN PTR erfafoo.hamburg.ccc.de.
|
||||
211.50.12.212.rdns IN PTR ip-50-12-211.hamburg.ccc.de.
|
||||
213.50.12.212.rdns IN PTR cryptoparty.hamburg.ccc.de.
|
||||
214.50.12.212.rdns IN PTR ip-50-12-214.hamburg.ccc.de.
|
||||
215.50.12.212.rdns IN PTR broadcast-12-15-212.hamburg.ccc.de.
|
||||
|
||||
128.51.12.212.rdns IN PTR net-12-51-128.hamburg.ccc.de.
|
||||
129.51.12.212.rdns IN PTR ip-51-129.hamburg.ccc.de.
|
||||
130.51.12.212.rdns IN PTR ip-51-130.hamburg.ccc.de.
|
||||
131.51.12.212.rdns IN PTR cms.hamburg.ccc.de.
|
||||
132.51.12.212.rdns IN PTR lists.hamburg.ccc.de.
|
||||
133.51.12.212.rdns IN PTR cow.hamburg.ccc.de.
|
||||
134.51.12.212.rdns IN PTR srv01.hamburg.freifunk.net.
|
||||
135.51.12.212.rdns IN PTR fftest.hamburg.ccc.de.
|
||||
136.51.12.212.rdns IN PTR git.hamburg.ccc.de.
|
||||
137.51.12.212.rdns IN PTR ip-51-137.hamburg.ccc.de.
|
||||
138.51.12.212.rdns IN PTR erfafoo.hamburg.ccc.de.
|
||||
139.51.12.212.rdns IN PTR jitsi.hamburg.ccc.de.
|
||||
140.51.12.212.rdns IN PTR ip-51-140.hamburg.ccc.de.
|
||||
141.51.12.212.rdns IN PTR mumble.hamburg.ccc.de.
|
||||
142.51.12.212.rdns IN PTR regio-stage.hamburg.ccc.de.
|
||||
143.51.12.212.rdns IN PTR broadcast-12-15-128.hamburg.ccc.de.
|
||||
|
||||
; hosts.hamburg.ccc.de
|
||||
wiki.hosts IN AAAA 2a00:14b0:42:102::2
|
||||
cloud.hosts IN AAAA 2a00:14b0:42:102::3
|
||||
eh22-wiki.hosts IN AAAA 2a00:14b0:42:102::4
|
||||
pad.hosts IN AAAA 2a00:14b0:42:102::5
|
||||
keycloak.hosts IN AAAA 2a00:14b0:42:102::6
|
||||
onlyoffice.hosts IN AAAA 2a00:14b0:42:102::7
|
||||
renovate.hosts IN AAAA 2a00:14b0:42:102::8
|
||||
sunders.hosts IN AAAA 2a00:14b0:42:102::9
|
||||
mjolnir.hosts IN AAAA 2a00:14b0:42:102::a
|
||||
netbox.hosts IN AAAA 2a00:14b0:42:102::b
|
||||
tickets.hosts IN AAAA 2a00:14b0:42:102::c
|
||||
zammad.hosts IN AAAA 2a00:14b0:42:102::d
|
||||
grafana.hosts IN AAAA 2a00:14b0:42:102::e
|
||||
ccchoir.hosts IN AAAA 2a00:14b0:42:102::f
|
||||
pretalx.hosts IN AAAA 2a00:14b0:42:102::10
|
||||
ntfy.hosts IN AAAA 2a00:14b0:42:102::11
|
||||
spaceapiccc.hosts IN AAAA 2a00:14b0:42:102::12
|
||||
acmedns.hosts IN AAAA 2a00:14b0:42:102::13
|
||||
www2.hosts IN AAAA 2a00:14b0:42:102::14
|
||||
www3.hosts IN AAAA 2a00:14b0:42:102::15
|
||||
diday-staging-runner.hosts IN AAAA 2a00:14b0:42:102::16
|
||||
public-web-static.hosts IN AAAA 2a00:14b0:42:102::17
|
||||
forgejo-actions-runner.hosts IN AAAA 2a00:14b0:42:102::18
|
||||
|
||||
; acme-challenges
|
||||
_acme-challenge.sunders CNAME a5ee8a99-3cdf-4212-972e-c0b6fda1242f.auth.acmedns
|
||||
_acme-challenge.pretalx CNAME 295a66d4-1d71-49f3-a80a-1f7527ec9cca.auth.acmedns
|
||||
|
|
@ -1,73 +0,0 @@
|
|||
$TTL 7200
|
||||
|
||||
; es wird jetzt der hostname mail.hamburg.ccc.de nicht mehr
|
||||
; verwendet, sondern statt dessen local-mail.hamburg.ccc.de
|
||||
; die popeye fuehlt sich immer noch unter mail.hamburg.ccc.de
|
||||
; angesprochen, und nimmt daher keine mails mit absender-adressen
|
||||
; die sie nicht kennt an.
|
||||
; ich hoffe diese aenderung arbeitet um diesen bug herum.
|
||||
; - haegar 2001.11.14
|
||||
|
||||
@ IN SOA auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de. (
|
||||
2024012601
|
||||
10800
|
||||
3600
|
||||
3600000
|
||||
86400 )
|
||||
|
||||
IN NS ns.hamburg.ccc.de.
|
||||
IN NS ns.vie.ccc.de.
|
||||
|
||||
IN MX 5 nomail.ccc.de.
|
||||
; IN MX 10 local-mail.hamburg.ccc.de.
|
||||
IN MX 23 nomail2.ccc.de.
|
||||
IN MX 42 nomail3.ccc.de.
|
||||
|
||||
IN A 212.12.48.125
|
||||
IN AAAA 2a00:14b0:4200:3000:125::1
|
||||
|
||||
localhost IN A 127.0.0.1
|
||||
|
||||
|
||||
; DMZ-Server:
|
||||
dmz-net IN A 212.12.50.208
|
||||
|
||||
turing IN CNAME turing.hamburg.ccc.de.
|
||||
www IN CNAME www.hamburg.ccc.de.
|
||||
|
||||
LAN-212-12-51-128 IN A 212.12.51.128
|
||||
gate IN A 212.12.51.129
|
||||
END-212-12-51-143 IN A 212.12.51.143
|
||||
|
||||
|
||||
; convience and email
|
||||
|
||||
backup IN A 172.31.16.3
|
||||
IN AAAA 2001:6f8:126f:1:16:20:0:3
|
||||
; IN MX 5 nomail.ccc.de.
|
||||
IN MX 10 local-mail.hamburg.ccc.de.
|
||||
|
||||
officemail IN A 172.31.17.131
|
||||
IN MX 5 nomail.ccc.de.
|
||||
; IN MX 10 local-mail.hamburg.ccc.de.
|
||||
IN MX 23 nomail2.ccc.de.
|
||||
IN MX 42 nomail3.ccc.de.
|
||||
|
||||
orga IN CNAME orga.hamburg.ccc.de.
|
||||
|
||||
|
||||
; Die alte World, aka popeye.crew-gmbh.de
|
||||
; Legacy-Names, do not delete
|
||||
world IN A 192.76.134.7
|
||||
IN MX 10 world
|
||||
popeye IN A 192.76.134.7
|
||||
IN MX 10 world
|
||||
uucp IN A 192.76.134.7
|
||||
|
||||
; ChaosVPN
|
||||
hack IN NS cvpn-dns.hack
|
||||
cvpn-dns.hack IN A 172.31.0.5
|
||||
|
||||
|
||||
; tmp test
|
||||
merz.leck.eier IN TXT "kann er mal"
|
||||
|
|
@ -3,7 +3,7 @@
|
|||
# - https://github.com/prometheus/alertmanager/blob/48a99764a1fc9279fc828de83e7a03ae2219abc7/doc/examples/simple.yml
|
||||
|
||||
route:
|
||||
receiver: 'null'
|
||||
receiver: 'ntfy-ccchh'
|
||||
group_by: [ "alertname", "site", "job", "hypervisor" ]
|
||||
group_wait: 30s
|
||||
group_interval: 5m
|
||||
|
|
|
|||
|
|
@ -7,19 +7,14 @@ define if_net1_v4_wan = "net1"
|
|||
define if_net2_v6_wan = "net2"
|
||||
define if_net0_2_v4_nat = "net0.2"
|
||||
define if_net0_3_ci_runner = "net0.3"
|
||||
define if_net0_5_public = "net0.5"
|
||||
|
||||
# Interface Groups
|
||||
define wan_ifs = { $if_net1_v4_wan,
|
||||
$if_net2_v6_wan }
|
||||
define lan_ifs = { $if_net0_2_v4_nat,
|
||||
$if_net0_3_ci_runner,
|
||||
$if_net0_5_public }
|
||||
define v4_exposed_ifs = { $if_net0_5_public }
|
||||
define v6_exposed_ifs = { $if_net0_2_v4_nat,
|
||||
$if_net0_5_public }
|
||||
define v4_nat_ifs = { $if_net0_2_v4_nat,
|
||||
$if_net0_3_ci_runner }
|
||||
$if_net0_3_ci_runner }
|
||||
# define v4_exposed_ifs = { }
|
||||
define v6_exposed_ifs = { $if_net0_2_v4_nat }
|
||||
|
||||
|
||||
## Rules
|
||||
|
|
@ -78,7 +73,7 @@ table ip v4nat {
|
|||
chain postrouting {
|
||||
type nat hook postrouting priority srcnat; policy accept;
|
||||
|
||||
iifname $v4_nat_ifs oifname $if_net1_v4_wan masquerade
|
||||
oifname $if_net1_v4_wan masquerade
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -94,7 +89,7 @@ table inet forward {
|
|||
meta nfproto ipv4 iifname $lan_ifs oifname $if_net1_v4_wan accept comment "allow v4 internet access"
|
||||
|
||||
# Allow access to exposed networks from internet.
|
||||
meta nfproto ipv4 oifname $v4_exposed_ifs accept comment "allow v4 exposed network access"
|
||||
# meta nfproto ipv4 oifname $v4_exposed_ifs accept comment "allow v4 exposed network access"
|
||||
meta nfproto ipv6 oifname $v6_exposed_ifs accept comment "allow v6 exposed network access"
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,6 +0,0 @@
|
|||
[NetDev]
|
||||
Name=net0.5
|
||||
Kind=vlan
|
||||
|
||||
[VLAN]
|
||||
Id=5
|
||||
|
|
@ -7,6 +7,6 @@ RequiredForOnline=no
|
|||
[Network]
|
||||
VLAN=net0.2
|
||||
VLAN=net0.3
|
||||
VLAN=net0.5
|
||||
|
||||
LinkLocalAddressing=no
|
||||
|
||||
|
|
|
|||
|
|
@ -1,23 +0,0 @@
|
|||
[Match]
|
||||
Name=net0.5
|
||||
Type=vlan
|
||||
|
||||
[Link]
|
||||
RequiredForOnline=no
|
||||
|
||||
[Network]
|
||||
Description=public
|
||||
|
||||
# Masquerading done in nftables (nftables.conf).
|
||||
IPv6SendRA=yes
|
||||
|
||||
[Address]
|
||||
Address=212.12.50.209/29
|
||||
|
||||
[IPv6SendRA]
|
||||
UplinkInterface=net2
|
||||
|
||||
[IPv6Prefix]
|
||||
Prefix=2a00:14b0:42:105::/64
|
||||
Assign=true
|
||||
Token=static:::1
|
||||
|
|
@ -1,11 +1,4 @@
|
|||
---
|
||||
- name: Ensure systemd-resolved is installed
|
||||
tags: [ "deploy_systemd_resolved_config" ]
|
||||
become: true
|
||||
when: ansible_facts["distribution"] == "Debian"
|
||||
ansible.builtin.package:
|
||||
name: [ "systemd-resolved" ]
|
||||
|
||||
- name: Deploy systemd-resolved config
|
||||
tags: [ "deploy_systemd_resolved_config" ]
|
||||
become: true
|
||||
|
|
|
|||
|
|
@ -1,2 +0,0 @@
|
|||
---
|
||||
knot__remotes: [ ]
|
||||
|
|
@ -1,21 +0,0 @@
|
|||
---
|
||||
- name: reload knot
|
||||
tags: [ auth-dns ]
|
||||
become: true
|
||||
ansible.builtin.systemd:
|
||||
name: knot.service
|
||||
state: reloaded
|
||||
|
||||
- name: netplan apply
|
||||
tags: [ auth-dns ]
|
||||
become: true
|
||||
changed_when: true
|
||||
ansible.builtin.command: "netplan apply"
|
||||
|
||||
- name: restart knot-exporter
|
||||
tags: [ auth-dns ]
|
||||
become: true
|
||||
ansible.builtin.systemd:
|
||||
name: knot-exporter.service
|
||||
state: restarted
|
||||
daemon_reload: true
|
||||
|
|
@ -1,59 +0,0 @@
|
|||
---
|
||||
argument_specs:
|
||||
main:
|
||||
options:
|
||||
knot__dnssec_key_id:
|
||||
description: The id of the TSIG key which knot will use for zone transfer signing
|
||||
type: str
|
||||
required: true
|
||||
knot__dnssec_key_secret:
|
||||
description: The secret value of the TSIG key which knot will use for zone transfer signing
|
||||
type: str
|
||||
required: true
|
||||
knot__remotes:
|
||||
description:
|
||||
- A list of definitions for remote nameservers that are used for different purposes
|
||||
- See https://www.knot-dns.cz/docs/latest/html/reference.html#remote-section for details
|
||||
type: list
|
||||
elements: dict
|
||||
required: false
|
||||
options:
|
||||
id:
|
||||
type: str
|
||||
required: true
|
||||
address:
|
||||
type: list
|
||||
required: true
|
||||
elements: str
|
||||
knot__catalog_zones:
|
||||
description: A list of catalog zones that will be served by knot
|
||||
type: list
|
||||
elements: dict
|
||||
required: true
|
||||
options:
|
||||
domain:
|
||||
type: str
|
||||
required: true
|
||||
notify_targets:
|
||||
type: list
|
||||
elements: str
|
||||
required: false
|
||||
knot__zones:
|
||||
description: A list of user zones that will be served by knot
|
||||
type: list
|
||||
elements: dict
|
||||
required: true
|
||||
options:
|
||||
domain:
|
||||
type: str
|
||||
required: true
|
||||
notify_targets:
|
||||
type: list
|
||||
elements: str
|
||||
required: false
|
||||
catalog_member:
|
||||
type: str
|
||||
required: false
|
||||
content:
|
||||
type: str
|
||||
required: true
|
||||
|
|
@ -1,11 +0,0 @@
|
|||
---
|
||||
- name: Install knot
|
||||
tags: [ auth-dns ]
|
||||
become: true
|
||||
ansible.builtin.package:
|
||||
name:
|
||||
- knot
|
||||
- knot-exporter
|
||||
- knot-dnssecutils
|
||||
- knot-dnsutils
|
||||
- knot-host
|
||||
|
|
@ -1,53 +0,0 @@
|
|||
---
|
||||
- name: Ensure required directories exist
|
||||
tags: [ auth-dns ]
|
||||
become: true
|
||||
loop: [ "/etc/knot", "/etc/knot/zones" ]
|
||||
ansible.builtin.file:
|
||||
path: "{{ item }}"
|
||||
state: directory
|
||||
owner: knot
|
||||
group: knot
|
||||
mode: u=rwx,g=rx,o=
|
||||
|
||||
- name: Deploy knot configuration file
|
||||
tags: [ auth-dns ]
|
||||
become: true
|
||||
notify: reload knot
|
||||
ansible.builtin.template:
|
||||
src: knot.conf.j2
|
||||
dest: /etc/knot/knot.conf
|
||||
owner: knot
|
||||
group: knot
|
||||
mode: u=rw,g=r,o=
|
||||
|
||||
- name: Deploy configured zones
|
||||
tags: [ auth-dns ]
|
||||
become: true
|
||||
notify: reload knot
|
||||
loop: "{{ knot__zones }}"
|
||||
loop_control:
|
||||
label: "{{ item.domain }}"
|
||||
vars:
|
||||
zone_content: "{{ item.content }}"
|
||||
ansible.builtin.template:
|
||||
src: zone.j2
|
||||
dest: "/etc/knot/zones/{{ item.domain }}zone"
|
||||
owner: knot
|
||||
group: knot
|
||||
mode: u=rw,g=r
|
||||
|
||||
# this seems weird but hear me out:
|
||||
# if we don't disable SLAAC, the node automatically gets an address based on IPv6 Router-Advertisements
|
||||
# this results in outgoing zone transfers failing because knot will prefer to use the dynamic address over the statically configured one.
|
||||
# so because we are configuring a DNS Nameserver where known IP-Addresses are actually important for ACL reasons, SLAAC is disabled
|
||||
- name: Disable IPv6 SLAAC
|
||||
tags: [ auth-dns ]
|
||||
become: true
|
||||
notify: netplan apply
|
||||
ansible.builtin.template:
|
||||
src: "netplan-disable-ra.yaml"
|
||||
dest: "/etc/netplan/10-disable-ra.yaml"
|
||||
owner: root
|
||||
group: root
|
||||
mode: u=rw,g=,o=
|
||||
|
|
@ -1,20 +0,0 @@
|
|||
- name: Deploy knot-exporter systemd unit
|
||||
tags: [ auth-dns ]
|
||||
become: true
|
||||
register: knot_deploy_service_file
|
||||
notify: restart knot-exporter
|
||||
ansible.builtin.template:
|
||||
src: knot-exporter.service.j2
|
||||
dest: /etc/systemd/system/knot-exporter.service
|
||||
owner: root
|
||||
group: root
|
||||
mode: u=rw,g=r,o=r
|
||||
|
||||
- name: Ensure knot-exporter is running and enabled
|
||||
tags: [ auth-dns ]
|
||||
become: true
|
||||
ansible.builtin.systemd:
|
||||
name: knot-exporter.service
|
||||
state: started
|
||||
enabled: true
|
||||
daemon_reload: "{{ knot_deploy_service_file.changed }}"
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
---
|
||||
- ansible.builtin.import_tasks: 01-install.yaml # noqa: name[missing]
|
||||
- ansible.builtin.import_tasks: 02-configure.yaml # noqa: name[missing]
|
||||
- ansible.builtin.import_tasks: 03-configure-exporter.yaml # noqa: name[missing]
|
||||
|
|
@ -1,17 +0,0 @@
|
|||
# {{ ansible_managed }}
|
||||
[Unit]
|
||||
Description=knot prometheus exporter
|
||||
Wants=network.target
|
||||
Before=alloy.service
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
User=knot
|
||||
ExecStart=/usr/sbin/knot-exporter
|
||||
ReadWritePaths=/run/knot/
|
||||
ProtectSystem=strict
|
||||
ProtectHome=true
|
||||
PrivateTmp=true
|
||||
PrivateDevices=true
|
||||
PrivateIPC=true
|
||||
|
||||
|
|
@ -1,95 +0,0 @@
|
|||
# {{ ansible_managed }}
|
||||
# See knot.conf(5) or refer to the server documentation.
|
||||
|
||||
server:
|
||||
rundir: "/run/knot"
|
||||
user: knot:knot
|
||||
automatic-acl: on
|
||||
listen: [ "0.0.0.0@53", "::@53" ]
|
||||
|
||||
log:
|
||||
- target: syslog
|
||||
any: info
|
||||
|
||||
database:
|
||||
storage: "/var/lib/knot"
|
||||
|
||||
key:
|
||||
- id: {{ knot__dnssec_key_id }}
|
||||
algorithm: hmac-sha512
|
||||
secret: "{{ knot__dnssec_key_secret }}"
|
||||
|
||||
remote:
|
||||
# static, external and public remote used for DNSSEC KSK checking
|
||||
- id: quad9
|
||||
address: "2620:fe::fe"
|
||||
{% if knot__remotes -%}
|
||||
# additional remotes used in the config
|
||||
{% for i_remote in knot__remotes -%}
|
||||
- id: "{{ i_remote.id }}"
|
||||
address: [ {% for i_addr in i_remote.address %}"{{ i_addr}}"{% if not loop.last %},{% endif %} {% endfor %} ]
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
# define how the presence of parent KSK keys is checked
|
||||
# in this case, we just ask quad9 which is an open resolver
|
||||
submission:
|
||||
- id: default
|
||||
parent: quad9
|
||||
parent-delay: 1h
|
||||
|
||||
# define how dnssec signing is done
|
||||
# in this case we don't do anything special but teach knot how to check for KSK presence
|
||||
policy:
|
||||
- id: default
|
||||
ksk-submission: default
|
||||
nsec3: true
|
||||
nsec3-salt-length: 0
|
||||
|
||||
# define default settings that apply to all zones
|
||||
template:
|
||||
# template for general-purpose user zones
|
||||
- id: default
|
||||
storage: "/etc/knot/zones"
|
||||
file: "%s.zone"
|
||||
semantic-checks: on
|
||||
zonefile-sync: -1
|
||||
zonefile-load: difference-no-serial
|
||||
serial-policy: dateserial
|
||||
journal-content: all
|
||||
default-ttl: 7200
|
||||
dnssec-signing: on
|
||||
dnssec-policy: default
|
||||
|
||||
{# catalog-role: member #}
|
||||
{# catalog-zone: hamburg.ccc.de.catalog. #}
|
||||
|
||||
# template for automatically created special zones
|
||||
- id: catalog
|
||||
catalog-role: generate
|
||||
dnssec-signing: on
|
||||
dnssec-policy: default
|
||||
|
||||
|
||||
# define zones on this server
|
||||
# See https://www.knot-dns.cz/docs/3.4/html/reference.html#zone-section
|
||||
zone:
|
||||
# catalog zones
|
||||
{% for i_zone in knot__catalog_zones -%}
|
||||
- domain: "{{ i_zone.domain }}"
|
||||
template: catalog
|
||||
notify: [ {% for i_notif in i_zone.notify_targets | default([]) %}"{{ i_notif }}"{% if not loop.last %}, {% endif %}{% endfor %} ]
|
||||
{% endfor %}
|
||||
|
||||
# normal zones
|
||||
{% for i_zone in knot__zones -%}
|
||||
- domain: "{{ i_zone.domain }}"
|
||||
template: default
|
||||
notify: [ {% for i_notif in i_zone.notify_targets | default([]) %}"{{ i_notif }}"{% if not loop.last %}, {% endif %}{% endfor %} ]
|
||||
{% if i_zone.catalog_member | default(False) -%}
|
||||
catalog-role: member
|
||||
catalog-zone: "{{ i_zone.catalog_member }}"
|
||||
{% endif %}
|
||||
|
||||
{% endfor %}
|
||||
|
||||
|
|
@ -1,14 +0,0 @@
|
|||
# {{ ansible_managed }}
|
||||
network:
|
||||
ethernets:
|
||||
{%- for i_iface_name in ansible_interfaces -%}
|
||||
{%- if i_iface_name != "lo" -%}
|
||||
{%- set i_iface = ansible_facts[i_iface_name] %}
|
||||
|
||||
{{ i_iface_name }}:
|
||||
match:
|
||||
macaddress: "{{ i_iface.macaddress }}"
|
||||
accept-ra: false
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
; {{ ansible_managed }}
|
||||
|
||||
{{ zone_content }}
|
||||
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
- name: Reload nftables service
|
||||
- name: Restart nftables service
|
||||
ansible.builtin.systemd_service:
|
||||
name: nftables
|
||||
state: reloaded
|
||||
state: restarted
|
||||
become: true
|
||||
|
|
|
|||
|
|
@ -12,4 +12,4 @@
|
|||
owner: root
|
||||
group: root
|
||||
become: true
|
||||
notify: Reload nftables service
|
||||
notify: Restart nftables service
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue