WIP: Implement new authoritative DNS #87

Draft
lilly wants to merge 6 commits from new-auth-dns into main
32 changed files with 1511 additions and 2 deletions


@ -1,4 +1,5 @@
ansible_pull__age_private_key: ENC[AES256_GCM,data:2kBG8j8JHa/dlXgWMdbSobulFdVunf052T1QQfm1X2vpEZx2HPCL87fWea+O0WOg7+eoMYbiShu0Vw1eTjb+687LjU8l4cj2JWIajnYfDGH+ipWXojxj613C3RZV3JfDOclVTwP8fCHu7z7P3fKrsKWb5d3t2ohTT+sGdVdimakAOf192CkufcVIthq2imiWbntiMTOdMGJxyIjqT2Io2H89nSbJXkONsuHCF/PbxhryB2LZbl8aZV32knk=,iv:hpscVc7iO4r/h31vS6Zno2pkEsgA2uR7wD/1PjH1znM=,tag:ypiwFtgeXuj4gOsgTCRTBw==,type:str]
knot__dnssec_key_secret: ENC[AES256_GCM,data:WPFTLyJIttFtqqTZV2fGN0Tt1vRS318TGmd2YqNzYisE3TBi6Z2aClxuYh56Q+j7TUQwCvga3jd5w017sEz3kA==,iv:umaFHBCy9AZgNFv7uXLCtO0o/NZDAZ1QNg5DcGHWEW8=,tag:oR92C1Uj5iXU9L02MqzGSQ==,type:str]
sops:
age:
- recipient: age18zgt4y2sd75hxnpe333zz39048ctxpr0q8a3uqh3jajjkyawsdrq8yg5ve
@ -10,8 +11,8 @@ sops:
MEZQTHZXNExsSnl0WW9Vb29sajE1YzAKoYU7rGuR+52+U02uf3eTH9hkIECWdcJv
wN9JTwsUn0c6mi/d4AHgv5O04Uw7NxUyGVmFlDZzjxLwPzZyR73SvA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-04-29T19:21:55Z"
mac: ENC[AES256_GCM,data:RLXsIsSdrCuElYQ3x2YpwYzQx0V0zoYP6h9FLD+RqmZ1pWhlk6Ijp9WxCAlEWps9n5rPYYyhZ3ldSJluTVeroPwpzrmwW+xXCGsCC0BFk6PuB4UynfHwWR/3jEK47nAdPbNfONhzGfOeTObYp22c3iHiKL8YochOSlBToA8mFr4=,iv:fZZEa3C/BsNKGdTKlR/hexrzhmLxiMVxgL9nXjX2Q1E=,tag:I5M8SNbSw4w1crsl0z/5+Q==,type:str]
lastmodified: "2026-05-01T17:08:09Z"
mac: ENC[AES256_GCM,data:TaMWf1ESs8nYzxkElMYtsz+/Be0PtI7FA0q6IFK+ob4dl/EN+AeTD7Pp0MZF8zcRvZ4hF0Ybimet5bwVR+d7UIXlXz3qP//pX68JDCvcLMQuhNtm6Ws+mwVxkpxEvBr1PtxlSvcQ76vH3ryEsXkP84gmlCDEdX1GAZYZ9ZS3Cfk=,iv:g3tzUfTPNUQyOAxWJEFPHg0IAPAzQgwYABHm4mFOOrI=,tag:C6KE/bg/3jS7Wc56y6YOJQ==,type:str]
pgp:
- created_at: "2026-04-29T19:18:43Z"
enc: |-


@ -0,0 +1,19 @@
---
deploy_systemd_resolved_config__enable: false
knot__dnssec_key_id: "auth-dns.hamburg.ccc.de-1"
knot__remotes:
- id: ns-intern.hamburg.ccc.de
address: [ "2a00:14b0:f000:23::53", "172.31.17.53" ]
knot__catalog_zones:
- domain: "hamburg.ccc.de.catalog."
knot__zones:
# - domain: "hamburg.ccc.de."
# catalog_member: "hamburg.ccc.de.catalog."
# content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/hamburg.ccc.de.zone') }}"
- domain: "hh.ccc.de."
catalog_member: "hamburg.ccc.de.catalog."
notify_targets: [ "ns-intern.hamburg.ccc.de" ]
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/auth-dns/zones/hh.ccc.de.zone') }}"
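Review bot: The remote `ns-intern.hamburg.ccc.de` under `knot__remotes` is defined by address only, and nothing in this file ties `knot__dnssec_key_id` to it, so it is not visible from here whether NOTIFY and zone transfer with that host are authenticated by a key or allowed by source address alone. If the role uses the id/secret pair as a transfer key, a comment saying so would help, e.g. `# key used to authenticate NOTIFY/transfer with knot__remotes; secret is in the sops-encrypted vars`, because the `dnssec` in the variable name otherwise reads as a zone-signing key. The commented-out `hamburg.ccc.de.` entry in `knot__zones` would also benefit from a one-line reason for being disabled.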


@ -101,3 +101,8 @@
- name: Run ensure_eh22_styleguide_dir Playbook
ansible.builtin.import_playbook: ensure_eh22_styleguide_dir.yaml
- name: Setup authoritative dns servers
hosts: auth-dns
roles:
- auth_dns


@ -0,0 +1,13 @@
# Links & Resources
# https://www.knot-dns.cz/docs/latest/html/index.html
services:
knot:
image: docker.io/cznic/knot:v3.5.4
restart: unless-stopped
command: "knotd"
network_mode: host
volumes:
- ./configs:/config:ro
- ./storage:/storage
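Review bot: The `image:` line pins only a mutable tag (`docker.io/cznic/knot:v3.5.4`), so a later pull can fetch different content under the same tag; for an authoritative name server whose writable `./storage` volume presumably holds zone data and keys, pinning by digest is the safer form, `image: docker.io/cznic/knot:v3.5.4@sha256:<digest-of-the-reviewed-image>`. `network_mode: host` also puts every socket knotd opens directly on the host's interfaces, so reachability is decided entirely by the Knot configuration and the host firewall. A comment stating why host networking is needed, and which listen addresses the config under `./configs` binds, would make that reviewable.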


@ -0,0 +1,12 @@
$ORIGIN 0.0.127.in-addr.arpa.
$TTL 7200
@ 1D IN SOA localhost. root.localhost. (
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
1D IN NS localhost.
1 1D IN PTR localhost.


@ -0,0 +1,11 @@
$ORIGIN 0.0.127.in-addr.arpa.
@ 1D IN SOA localhost. root.localhost. (
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
1D IN NS localhost.
1 1D IN PTR localhost.


@ -0,0 +1,10 @@
$TTL 7200
@ IN SOA ns.hamburg.ccc.de. hostmaster.ccc.de. (
2016111701
10800
3600
3600000
86400 )
IN NS ns.hamburg.ccc.de.


@ -0,0 +1,49 @@
$TTL 7200
@ IN SOA ns-intern.hamburg.ccc.de. haegar.ccc.de. (
2025020101
10800
3600
3600000
86400 )
IN NS ns-intern.hamburg.ccc.de.
1 IN PTR turing-vzhost.hamburg.ccc.de.
14 IN PTR attraktor-intern.hamburg.ccc.de.
53 IN PTR ns-intern.hamburg.ccc.de.
122 IN PTR oldturing.hamburg.ccc.de.
129 IN PTR turing-router.hamburg.ccc.de.
131 IN PTR officemail.hh.ccc.de.
132 IN PTR turing-new.hamburg.ccc.de.
133 IN PTR gitlab-intern.hamburg.ccc.de.
134 IN PTR jabber-intern.hamburg.ccc.de.
135 IN PTR turing-db.hamburg.ccc.de.
136 IN PTR chaosvpn-dns.hamburg.ccc.de.
137 IN PTR attraktor-intern2.hamburg.ccc.de.
138 IN PTR gitlab-test-intern.hamburg.ccc.de.
139 IN PTR gitlab-runner.hamburg.ccc.de.
142 IN PTR turing-intern2.hamburg.ccc.de.
143 IN PTR cloud-intern.hamburg.ccc.de.
144 IN PTR keycloak-intern.hamburg.ccc.de.
145 IN PTR grafana-intern.hamburg.ccc.de.
146 IN PTR wiki-intern.hamburg.ccc.de.
147 IN PTR onlyoffice-intern.hamburg.ccc.de.
148 IN PTR tickets-intern.hamburg.ccc.de.
149 IN PTR netbox-intern.hamburg.ccc.de.
150 IN PTR matrix-intern.hamburg.ccc.de.
151 IN PTR public-web-static-intern.hamburg.ccc.de.
152 IN PTR zammad-intern.hamburg.ccc.de.
153 IN PTR ns-intern2.hamburg.ccc.de.
156 IN PTR ccchoir-intern.hamburg.ccc.de.
157 IN PTR pretalx-intern.hamburg.ccc.de.
163 IN PTR renovate-forgejo.hamburg.ccc.de
180 IN PTR rproxy-intern.hamburg.ccc.de.
199 IN PTR template.hamburg.ccc.de.
201 IN PTR cow-intern.hamburg.ccc.de.
202 IN PTR forgejo-runner-builder.hamburg.ccc.de.
202 IN PTR forgejo-runner-ubuntu.hamburg.ccc.de.
204 IN PTR eh22hub-intern.hamburg.ccc.de.
212 IN PTR eh20-intern.hamburg.ccc.de.
213 IN PTR cryptoparty-intern.hamburg.ccc.de.
254 IN PTR chaosknoten.hamburg.ccc.de.
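Review bot: The PTR target on the `163` line, `renovate-forgejo.hamburg.ccc.de`, has no trailing dot, so it is taken relative to the zone origin and the record points at a name inside the reverse zone instead of at the host; it should read `163 IN PTR renovate-forgejo.hamburg.ccc.de.`. Owner `202` also appears twice (`forgejo-runner-builder` and `forgejo-runner-ubuntu`), which yields two PTR answers for one address; if only one host holds that address, the stale line should be removed. No `$ORIGIN` is visible in this file, so the origin comes from the server's zone definition.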


@ -0,0 +1,16 @@
$TTL 7200
@ IN SOA ns.hamburg.ccc.de. haegar.ccc.de. (
2023073001
10800
3600
3600000
86400 )
IN NS ns.hamburg.ccc.de.
IN NS ns.vie.ccc.de.
; 2a00:14b0:4200:3000:122::1
1.0.0.0.0.0.0.0.0.0.0.0 IN PTR turing.hamburg.ccc.de.


@ -0,0 +1,43 @@
$TTL 7200
@ IN SOA ns.hamburg.ccc.de. haegar.ccc.de. (
2025020102
10800
3600
3600000
86400 )
IN NS ns.hamburg.ccc.de.
IN NS ns.vie.ccc.de.
; ccchh firewall / tunnelendpunkte:
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR fwhh.hamburg.ccc.de.
6.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR jabber.hamburg.ccc.de.
3.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR ns.hamburg.ccc.de.
0.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR rproxy.hamburg.ccc.de.
2.2.1.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR oldturing.hamburg.ccc.de.
3.3.1.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR gitlab-intern.hamburg.ccc.de.
5.3.1.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR fftest.hamburg.ccc.de.
4.1.0.0.0.0.0.0.0.0.0.0.8.4.0.0 IN PTR wiki.attraktor.org.
1.0.0.0.0.0.0.0.0.1.2.0.0.5.0.0 IN PTR lokal.ccc.de.
1.0.0.0.0.0.0.0.2.1.2.0.0.5.0.0 IN PTR eh20.hamburg.ccc.de.
1.0.0.0.0.0.0.0.3.1.2.0.0.5.0.0 IN PTR cryptoparty.hamburg.ccc.de.
1.0.0.0.0.0.0.0.0.4.1.0.1.5.0.0 IN PTR shellhost.hamburg.ccc.de.
1.0.0.0.0.0.0.0.0.3.1.0.1.5.0.0 IN PTR unallocated.hamburg.ccc.de.
1.0.0.0.0.0.0.0.1.3.1.0.1.5.0.0 IN PTR cms.hamburg.ccc.de.
1.0.0.0.0.0.0.0.2.3.1.0.1.5.0.0 IN PTR lists.hamburg.ccc.de.
1.0.0.0.0.0.0.0.3.3.1.0.1.5.0.0 IN PTR cow.hamburg.ccc.de.
1.0.0.0.0.0.0.0.4.3.1.0.1.5.0.0 IN PTR srv01.hamburg.freifunk.net.
1.0.0.0.0.0.0.0.5.3.1.0.1.5.0.0 IN PTR fftest.hamburg.ccc.de.
1.0.0.0.0.0.0.0.6.3.1.0.1.5.0.0 IN PTR git.hamburg.ccc.de.
1.0.0.0.0.0.0.0.7.3.1.0.1.5.0.0 IN PTR unallocated.hamburg.ccc.de.
1.0.0.0.0.0.0.0.8.3.1.0.1.5.0.0 IN PTR unallocated.hamburg.ccc.de.
1.0.0.0.0.0.0.0.9.3.1.0.1.5.0.0 IN PTR jitsi.hamburg.ccc.de.
1.0.0.0.0.0.0.0.0.4.1.0.1.5.0.0 IN PTR shells.hamburg.ccc.de.
1.0.0.0.0.0.0.0.1.4.1.0.1.5.0.0 IN PTR mumble.hamburg.ccc.de.
1.0.0.0.0.0.0.0.2.4.1.0.1.5.0.0 IN PTR regio-stage.hamburg.ccc.de.
1.0.0.0.0.0.0.0.4.0.2.0.1.5.0.0 IN PTR eh22hub.hamburg.ccc.de.
1.0.0.0.0.0.0.0.5.0.2.0.1.5.0.0 IN PTR eh22hub-meta.hamburg.ccc.de.
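Review bot: The owner `1.0.0.0.0.0.0.0.0.4.1.0.1.5.0.0` is defined twice, first with `PTR shellhost.hamburg.ccc.de.` and further down with `PTR shells.hamburg.ccc.de.`, so that address returns two PTR records. The forward zone added in this same pull request declares `shells` as a CNAME for `shellhost`, and a PTR should name the canonical host rather than an alias. Keeping only the `shellhost` line gives one unambiguous reverse answer.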


@ -0,0 +1,15 @@
$TTL 7200
@ IN SOA ns.hamburg.ccc.de. haegar.ccc.de. (
2023072900
10800
3600
3600000
86400 )
IN NS ns.hamburg.ccc.de.
IN NS ns.vie.ccc.de.
; 2a00:14b0:4200:3000:123::1
1.0.0.0.0.0.0.0.0.0.0.0 IN PTR unused.hamburg.ccc.de.


@ -0,0 +1,15 @@
$TTL 7200
@ IN SOA ns.hamburg.ccc.de. haegar.ccc.de. (
2023072900
10800
3600
3600000
86400 )
IN NS ns.hamburg.ccc.de.
IN NS ns.vie.ccc.de.
; 2a00:14b0:4200:3000:124::1
1.0.0.0.0.0.0.0.0.0.0.0 IN PTR unused.hamburg.ccc.de.


@ -0,0 +1,15 @@
$TTL 7200
@ IN SOA ns.hamburg.ccc.de. haegar.ccc.de. (
2023072900
10800
3600
3600000
86400 )
IN NS ns.hamburg.ccc.de.
IN NS ns.vie.ccc.de.
; 2a00:14b0:4200:3000:125::1
1.0.0.0.0.0.0.0.0.0.0.0 IN PTR public-reverse-proxy.hamburg.ccc.de.


@ -0,0 +1,15 @@
$TTL 7200
@ IN SOA ns.hamburg.ccc.de. haegar.ccc.de. (
2023073001
10800
3600
3600000
86400 )
IN NS ns.hamburg.ccc.de.
IN NS ns.vie.ccc.de.
; 2a00:14b0:4200:3000:126::1
1.0.0.0.0.0.0.0.0.0.0.0 IN PTR chaosknoten.hamburg.ccc.de.


@ -0,0 +1,93 @@
CHANGED = $(shell git diff --name-only --relative -- '*.zone' )
export GIT_AUTHOR_NAME = "Bind Makefile"
#export GIT_AUTHOR_EMAIL = "$(shell whoami)@$(shell hostname -f)"
#export GIT_COMMITTER_NAME = $(GIT_AUTHOR_NAME)
#export GIT_COMMITTER_EMAIL = $(GIT_AUTHOR_EMAIL)
all: rollover
install: rollover
rollover: autoserial diff check reload eof
diff:
@echo "Diff Zones... "
@git diff -U0 -- $(CHANGED) \
| grep -a -v -E '^(diff |index |---|@@)' \
| sed -e 's/^[+]* .\/\([^ ]*\).*/=> \1/'
autoserial:
@for file in $(CHANGED); do \
perl -p -i -e 'if ($$p =~ /[\t\s]+IN[\t\s]+SOA[\t\s]+/) { $$stamp = sprintf("%4.4d%02.2d%02.2d", (localtime)[5]+1900, (localtime)[4]+1, (localtime)[3]); $$count = (/$$stamp([0-9]{2})/)? $$1 + 1: 1; s/[0-9]+/sprintf("%s%02.2d", $$stamp, $$count)/e; } $$p = $$_;' $$file; \
done
check:
@echo "Checking Configs... "
@if ! named-checkconf /etc/bind/named.conf; then \
echo "FIX THE ERROR AND TRY AGAIN"; \
exit 1 ; \
fi
@echo "Checking Zones... "
@named-checkconf -j -p /etc/bind/named.conf \
| perl -e 'my $$zone = ""; while (<>) { if (/^\s+zone\s+\"(.*)\"/) { $$zone = $$1; } elsif (($$zone ne "") && /^\s+file\s+\"(.*?)\"/) { print "$$zone $$1\n"; $$zone = ""; } }' \
| sort \
| uniq \
| while read zone file; do \
echo "FOO: zone: $$zone file: $$file"; \
if [ -z "$$file" -o "$$zone" = "key" ] ; then \
continue ; \
fi ; \
if echo -n "$$zone" | grep -q -E '(sc-eur.com|db.root|named.dump|named.stats)'; then \
continue; \
fi; \
if ! named-checkzone -q -i "full" $$zone $$file; then \
named-checkzone -i "full" $$zone $$file; \
echo "FIX THE ERROR AND TRY AGAIN"; \
exit 1 ; \
fi; \
done
#@echo "Checking CNAMEs and PTRs... "
#@grep -l -E '.*(PTR|CNAME).*[^.]*[.][^.]*[^.]$$' *.* \
#| grep -v '\.sh$$' \
#| while read file; do \
# echo "$$file: DO NOT FORGET THE LAST DOT"; \
# grep -E '.*(PTR|CNAME).*[^.]*[.][^.]*[^.]$$' $$file; \
# exit 1 ; \
#done
reload:
@while [ "$$answer" = "" ]; do \
echo -n "Do you want to reload all zones ? [yes] "; \
read answer; \
case $$answer in \
[Yy]|[Yy][Ee][Ss]) \
answer="yes"; \
break; \
;; \
[Nn]|[Nn][Oo]) \
answer="no"; \
break; \
;; \
"") \
answer="yes"; \
break; \
;; \
*) \
answer=""; \
;; \
esac; \
done; \
if [ "$$answer" = "yes" ]; then \
etckeeper commit "Changed DNS Zones: $(CHANGED)" ; \
rndc reload; \
else \
echo "Server reload aborted"; \
exit 1 ; \
fi
eof:
@echo "DONE -- That's all folks!"
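Review bot: The `check` and `reload` targets validate and reload a BIND instance (`named-checkconf /etc/bind/named.conf`, `rndc reload`), while this pull request deploys Knot in a container, so these checks presumably never run against the configuration that will actually serve the zones; if the Makefile is carried over only as a legacy artifact, a header comment should say so. Within `check`, `$$zone` and `$$file` reach `named-checkzone` unquoted; quote them, `if ! named-checkzone -q -i "full" "$$zone" "$$file"; then`, and drop the leftover `echo "FOO: zone: $$zone file: $$file"` debug line. The trailing-dot check for PTR/CNAME targets is commented out, and zone files in this same change contain targets without the final dot, so a working replacement for that check is worth having before the zones go live.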


@ -0,0 +1,72 @@
$ORIGIN .
$TTL 900 ; 15 minutes
ccchh.net IN SOA ns1.ccchh.net. noreply.ccchh.net. (
2026042801 ; serial
86400 ; refresh (1 day)
7200 ; retry (2 hours)
3600000 ; expire (5 weeks 6 days 16 hours)
7200 ; minimum (2 hours)
)
NS ns.vie.ccc.de.
NS ns.hamburg.ccc.de.
$ORIGIN ccchh.net.
aes A 212.12.48.125
club-assistant AAAA 2a07:c481:1:d0::a
;_acme-challenge.club-assistant CNAME d50ad73a-f82d-4244-87f0-6f5195b37d21.auth.acmedns.hamburg.ccc.de
club-assistant.z9 AAAA 2a07:c481:1:d0::a
;_acme-challenge.club-assistant.z9 CNAME 0efa74d1-7dcd-478b-bdc5-5b76d0f07642.auth.acmedns.hamburg.ccc.de
esphome AAAA 2a07:c481:1:d0::66
esphome.z9 AAAA 2a07:c481:1:d0::66
zigbee2mqtt A 185.161.129.132
light AAAA 2a07:c481:1:d0::16
_acme-challenge.light CNAME e59f55ee-9013-469d-a146-a159721b6fea.auth.acmedns.hamburg.ccc.de.
light.z9 AAAA 2a07:c481:1:d0::16
_acme-challenge.light.z9 CNAME 3bc9e7ce-03dd-4533-a059-b5d38407eaa5.auth.acmedns.hamburg.ccc.de.
light-werkstatt AAAA 2a07:c481:1:d0::16
_acme-challenge.light-werkstatt CNAME f408acc0-d9f5-4525-bb01-28938e3bb7d0.auth.acmedns.hamburg.ccc.de.
mailserver-endpoint A 82.165.121.46
ns1 A 185.161.129.133
send-only-mail MX 10 send-only-mailserver
TXT "v=spf1 mx -all"
send-only-mailserver A 82.165.121.46
send-only-mailserver-access A 185.161.129.132
thinkcccore0 AAAA 2a07:c481:1:f2::3
thinkcccore0.z9 AAAA 2a07:c481:1:f2::3
thinkcccore1 AAAA 2a07:c481:1:f2::4
thinkcccore1.z9 AAAA 2a07:c481:1:f2::4
opnsense AAAA 2a07:c481:1:f2::1
opnsense.z9 AAAA 2a07:c481:1:f2::1
pbs AAAA 2a07:c481:1:f2::4
thinkcccore2 AAAA 2a07:c481:1:f2::5
thinkcccore2.z9 AAAA 2a07:c481:1:f2::5
thinkcccore3 AAAA 2a07:c481:1:f2::6
thinkcccore3.z9 AAAA 2a07:c481:1:f2::6
miniscccore0 AAAA 2a07:c481:1:f2::9
miniscccore0.z9 AAAA 2a07:c481:1:f2::9
uptime-kuma A 185.161.129.132
status AAAA 2a07:c481:1:ce::a
status.z9 AAAA 2a07:c481:1:ce::a
wiki A 212.12.48.125
hmdooris-ccu A 10.31.208.202
buba A 10.31.211.137
buba.z9 A 10.31.211.137
dooris AAAA 2a07:c481:1:d0::1c
_acme-challenge.dooris CNAME 37caae1f-b77f-4eb1-aa71-dc3f7ed24360.auth.acmedns.hamburg.ccc.de
waybackproxy A 10.31.208.99
yate A 10.31.208.12
staubiv2 A 10.31.210.233
staubiv2.z9 A 10.31.210.233
; Mail: hosts.z9.ccchh.net
hosts.z9 MX 10 cow.hamburg.ccc.de
TXT "v=spf1 mx -all"
dkim._domainkey.hosts.z9 TXT ("v=DKIM1;k=rsa;t=s;s=email;"
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvsdypQ/tlrzto5KVP"
"5o7tEblXK/hOVRFB683uODzo26XTFMSRGjumMuo/tej59GMePdUu0uIsdq8hfj8"
"ot0R2OQNazdyp4NW4TUWfFGJ4S2f6LR3lE3I5Lw7fHiYHz0GnCGTqZIItkHK+xQ"
"i5Fdhwd1YbFJtO0XiZ0jY5w6pvny6pEH8WaKX85rEmz2zqCtpiYPRPmoK/Tn+rV"
"2e8fVioMRm9W8E4PU42WLds66qOkFR0KjKIavE6y7JahESEoVGcVnSPdtMOX0Ln"
"KbSMQNrTvNbBoPdLYvNaXOw7TmVPKjDV+FRCIIdK+m0fL82/vm5jPBvDr5+WlM1"
"xV/P/KlSnQIDAQAB")
$ORIGIN send-only-mail.ccchh.net.
_dmarc TXT "v=DMARC1;p=quarantine;"
key._domainkey TXT "v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDqduM4+SQ+IQ2uAxbjFkd+0hAjohTgT3nM76jyrWGHJ8TizNU2PGkta0NjCq+m9VLBZUjIJphW2vrnlJsnN0JkGAdoLBL3Qs0kShT6V+xsxslZG2KHApihnJUp34tPSMES+aTnD+jEPGyxFLeoiK+3gywNhCGalHSQ+G88Z2n59wIDAQAB"
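Review bot: Two record targets lack the trailing dot and are therefore expanded under `$ORIGIN ccchh.net.`: `_acme-challenge.dooris CNAME 37caae1f-b77f-4eb1-aa71-dc3f7ed24360.auth.acmedns.hamburg.ccc.de` and `hosts.z9 MX 10 cow.hamburg.ccc.de`. As written, the ACME delegation for `dooris` and the mail exchanger for `hosts.z9` point at names ending in `.hamburg.ccc.de.ccchh.net.`; append the dot, as the neighbouring `_acme-challenge.light` records already do. The two commented-out `_acme-challenge.club-assistant` lines have the same omission and would need the dot if re-enabled. Separately, the `key._domainkey` TXT under `send-only-mail` publishes what looks like a 1024-bit RSA key (the short `MIGfMA0…` encoding), whereas the `dkim._domainkey.hosts.z9` key is the longer 2048-bit form; rotating to 2048 bits would bring it in line.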


@ -0,0 +1,27 @@
$TTL 7200
@ IN SOA ns.hamburg.ccc.de. mail.hamburg.ccc.de. (
2025021101
10800
3600
3600000
86400 )
IN NS ns.hamburg.ccc.de.
IN NS ns.vie.ccc.de.
IN MX 5 nomail.ccc.de.
;IN MX 10 local-mail.hamburg.ccc.de.
IN MX 10 vworker02.irz42.net.
IN MX 23 nomail2.ccc.de.
IN MX 42 nomail3.ccc.de.
IN TXT "v=spf1 mx ip4:144.76.16.19/32 ip4:212.12.51.133/32 ip6:2a01:4f8:191:331::2/128 ip6:2a00:14b0:f000:23:51:133:0:1/128 ~all"
IN A 212.12.48.125
IN AAAA 2a00:14b0:4200:3000:125::1
localhost IN A 127.0.0.1
* IN CNAME @
www IN CNAME @
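Review bot: The wildcard `* IN CNAME @` makes every otherwise undefined name in this zone, including `_dmarc` and any `_acme-challenge` label, resolve to the apex, and the zone has no `_dmarc` TXT of its own, so receivers find no DMARC policy while the SPF record ends in `~all`. An explicit record, `_dmarc IN TXT "v=DMARC1;p=<policy>;rua=mailto:<report-address>"`, gives the domain a defined policy, since owner names that exist are not covered by the wildcard. If the wildcard is intentional, a comment naming what relies on it would help the next reviewer.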


@ -0,0 +1,45 @@
$TTL 600
@ IN SOA ns.hamburg.ccc.de. mail.hamburg.ccc.de. (
2026033101
10800
3600
3600000
86400 )
IN NS ns.hamburg.ccc.de.
IN NS ns.vie.ccc.de.
IN A 212.12.48.125
IN AAAA 2a00:14b0:4200:3000:125::1
IN MX 10 cow.hamburg.ccc.de.
;autodiscover IN CNAME cow.hamburg.ccc.de.
;_autodiscover._tcp IN SRV 10 cow.hamburg.ccc.de. 443
;autoconfig IN CNAME cow.hamburg.ccc.de
IN TXT "v=spf1 mx ip4:144.76.16.19/32 ip4:212.12.51.133/32 ip6:2a01:4f8:191:331::2/128 ip6:2a00:14b0:f000:23:51:133:0:1/128 ~all"
;_dmarc IN TXT **TODO**
dkim._domainkey IN TXT ( "v=DKIM1;k=rsa;t=s;s=email;p=MIIBIjANBgkqhk"
"iG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqoWo7mbis3REqBURP3ZQZwOY7RSsS7"
"TY9eFHvW/O83YseEHoIQmeKkHj1lRrP+6Jhow2XngveBzt/m5AQclLVMURt5"
"2zsLCtiXxOYMLIIAgFOfxGjMdfqh9+X0wuOqHgoZiP2uBfAWLKfV/CZcovI/"
"0d2d7vQvc+7PJwZ9htoIu3NesasOFsrhv1yfFJidC87focQdaVKfD9cF68/w"
"2Ri2TGzcSQHAiIxJq3MgawSJZiyVD+psZdzZDB1YIw8NJxmDskzFicTLrYyH"
"8XOf5f5lOWjRYrfe0H8sAe1NBb/OP2T7Qs3S9DQosMSPwyALC3FPZKsVMbtI"
"mr8F+J+M/H9QIDAQAB" )
localhost IN A 127.0.0.1
intern IN A 172.31.17.212
cfp IN CNAME public-reverse-proxy.hamburg.ccc.de.
_acme-challenge.cfp CNAME 295a66d4-1d71-49f3-a80a-1f7527ec9cca.auth.acmedns.hamburg.ccc.de.
netbox IN CNAME public-reverse-proxy.hamburg.ccc.de.
presale IN A 78.47.203.122
IN AAAA 2a01:4f8:1c17:b147::2
pretix IN A 78.47.203.122
IN AAAA 2a01:4f8:1c17:b147::2
engel IN A 167.235.129.15
IN AAAA 2a01:4f8:1c1b:e967::1
radius IN A 94.45.254.130
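Review bot: `_dmarc` is left as a commented `**TODO**` while the zone already publishes an MX, an SPF record ending in `~all` and a DKIM key, so mail claiming this domain is evaluated without any DMARC policy; the record should be filled in before the zone is served, or the TODO should state what it is waiting on. The commented `autoconfig IN CNAME cow.hamburg.ccc.de` target lacks its trailing dot and would become relative to the zone if uncommented as is. `intern IN A 172.31.17.212` places an RFC 1918 address in what appears to be a publicly served zone; it is worth confirming that this is intended.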


@ -0,0 +1,590 @@
; es wird jetzt der hostname mail.hamburg.ccc.de nicht mehr
; verwendet, sondern statt dessen local-mail.hamburg.ccc.de
; die popeye fuehlt sich immer noch unter mail.hamburg.ccc.de
; angesprochen, und nimmt daher keine mails mit absender-adressen
; die sie nicht kennt an.
; ich hoffe diese aenderung arbeitet um diesen bug herum.
; - haegar 2001.11.14
$TTL 7200
@ IN SOA ns.hamburg.ccc.de. haegar.ccc.de. (
2026042903
10800
3600
3600000
86400 )
IN NS ns.hamburg.ccc.de.
IN NS ns.vie.ccc.de.
$TTL 60
IN MX 10 cow.hamburg.ccc.de.
; IN MX 10 local-mail.hamburg.ccc.de.
$TTL 7200
IN TXT "v=spf1 mx ip4:212.12.51.133 ip6:2a00:14b0:f000:23:51:133:0:1 ip4:212.12.48.122 ip6:2a00:14b0:4200:3000:122::1 -all"
IN A 212.12.48.125
IN AAAA 2a00:14b0:4200:3000:125::1
dkim._domainkey IN TXT ("v=DKIM1;k=rsa;t=s;s=email;"
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4wZRajtsQTrVgXco7"
"1E2T+UDRxzzXJ+0F7m1UHiPpsjGQJ4Njs4Zc6qC21FLxhUIRFURy9mZ2mGk6hnL"
"w6wi0xm0N3MOH8BG/omPfWJcH4C1XXMk6trYSjhKQb4FzNbusAFoldIdwtt/aa/"
"GJBvRD+XYulvuyqolD2SGY62tAiXqls4ik2ZiDrIv+Dglg8b8fD4kzqe/aXlUvD"
"j3hCMHmyjE8mn8lYnS0QfSnV8NlqKwOhF+iwqfrhMI2bZFCQ+td03RtQjaXw5W+"
"30NMcOv6Se4vPDl4nUIBJZ/wP3CBz1k66VShHB+un7SxoUQuW0+oDqN4QHH338b"
"2dDOoBJndwIDAQAB")
_dmarc IN TXT "v=DMARC1;p=none;sp=none;pct=100;rua=mailto:dmarc-report@hamburg.ccc.de;ruf=mailto:dmarc-report@hamburg.ccc.de;ri=86400;aspf=r;adkim=r;fo=1"
;_sip._udp IN SRV 10 0 5060 vermittlung
;_sip._tcp IN SRV 10 4 5060 vermittlung
;_sips._tcp IN SRV 10 4 5060 vermittlung
_xmpp-client._tcp IN SRV 10 0 5222 jabber
_xmpp-server._tcp IN SRV 10 0 5269 jabber
_xmpp-client._tcp.jabber IN SRV 10 0 5222 jabber
_xmpp-server._tcp.jabber IN SRV 10 0 5269 jabber
localhost IN A 127.0.0.1
dante._domainkey IN TXT ( "v=DKIM1;k=rsa;t=s;s=email;"
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzMLFoEXbD/IgP6TIz2KDZudbnYtcJ4QjdWiwEP5NMvugymzDCiLaKTwNUFycKA1TvW0Y7/x0EEgqcSjfV87GU8xs6qsArgbQWBCs9gPBInbA8LBX9RN/JX30pESh+jGfdNWl7mWkkyVuONUgy/vFHWswJZ72Lg96gyBBCAR1ABC7qM8PYjoFFlRR76PfZNV8YHRBM/1ypQthtjPf"
"NKhV8MksNIXPKhcQwy6/JAVpkUunVpOrsuf2K6RFVMrVNUEtEYkpZUPtnoTYwaB0rRLg0f+InHzKZx2uv6JexyWZOwxsv8Bv1I+jdiEkQMw9kORZ81sv2mcUO+0PubeYVpvWAwIDAQAB" )
hansenerd._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDlxTgmc5Fe2aQc5razQYlk3OBGNePuevJQ7YVp5j5IM0ukBLM1erTR6DLZZvoGd2puKvfjlvejR3GRY4YXeZkCJoS0ZjwpR3Tfy8PzUbPNMt5e/buHGK1v+9E9zrl4vrxgYYYlYqjl1HF1K9oE5yPI1AIeUxzZpduheJASlxr9VwIDAQAB" ) ;
; VMWare ESXi Host:
worker IN A 212.12.48.123
worker-ipmi IN A 212.12.51.136
; Proxmox Host:
chaosknoten IN A 212.12.48.126
IN AAAA 2a00:14b0:4200:3000::126:1
;chaosknoten-ipmi IN A 212.12.51.137; unused public IP
chaosknoten-ipmi IN A 44.128.124.4
; DMZ-Server:
dmz-net IN A 212.12.50.208
turing IN A 212.12.48.122
IN AAAA 2a00:14b0:4200:3000:122::1
IN MX 10 cow.hamburg.ccc.de.
turing-chaosvpn IN AAAA 2001:6f8:126f:11::3
IN A 172.31.17.1
turing-vpn IN CNAME turing-chaosvpn
turing-vpngw IN A 212.12.48.122
IN AAAA 2a00:14b0:4200:3000:122::1
turing-vzhost IN A 172.31.17.1
IN AAAA 2a00:14b0:4200:3000:122::1
IN MX 10 cow.hamburg.ccc.de.
turing-vzhost2 IN CNAME turing-vzhost
turing-router IN A 172.31.17.129
turing-new IN A 172.31.17.132
oldturing IN A 172.31.17.122
IN AAAA 2a00:14b0:f000:23::122
IN MX 10 cow.hamburg.ccc.de.
turing-intern IN CNAME oldturing
turing-intern2 IN A 172.31.17.142
IN AAAA 2a00:14b0:f000:23::122
ns IN A 212.12.48.122
IN AAAA 2a00:14b0:f000:23::53
IN MX 10 cow.hamburg.ccc.de.
ns-intern IN A 172.31.17.53
IN AAAA 2a00:14b0:f000:23::53
ns-intern2 IN A 172.31.17.153
IN AAAA 2a00:14b0:f000:23::53
vpn IN A 212.12.48.122
; ipv4 only!
www.vpn IN CNAME vpn
cvpn-dns IN A 172.31.0.5
chaosvpn-dns IN A 172.31.17.136
turing-db IN A 172.31.17.135
IN MX 10 cow.hamburg.ccc.de.
jabber IN A 212.12.48.122
IN AAAA 2a00:14b0:f000:23::26
IN MX 5 nomail.ccc.de.
IN MX 10 cow.hamburg.ccc.de.
jabber-intern IN A 172.31.17.134
IN AAAA 2a00:14b0:f000:23::26
IN MX 5 nomail.ccc.de.
IN MX 10 cow.hamburg.ccc.de.
gitlab IN A 212.12.48.122
IN AAAA 2a00:14b0:4200:3000:122::1
; ipv6 also has DNAT rules
gitlab-intern IN A 172.31.17.133
IN AAAA 2a00:14b0:f000:23::133
IN MX 5 nomail.ccc.de.
IN MX 10 cow.hamburg.ccc.de.
gitlab-cr IN CNAME gitlab
gitlab-test IN A 212.12.48.122
IN AAAA 2a00:14b0:4200:3000:122::1
; ipv6 also has DNAT rules
gitlab-test-intern IN A 172.31.17.138
IN AAAA 2a00:14b0:f000:23::138
IN MX 5 nomail.ccc.de.
IN MX 10 cow.hamburg.ccc.de.
gitlab-runner IN A 172.31.17.139
IN MX 5 nomail.ccc.de.
IN MX 10 cow.hamburg.ccc.de.
lists IN A 212.12.51.132
IN AAAA 2a00:14b0:f000:23:51:132:0:1
IN MX 10 lists
IN TXT "v=spf1 mx -all"
dkim._domainkey.lists IN TXT ( "v=DKIM1; h=sha256; k=rsa; "
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCvNlbGPBluV3q3eT1C6nJ"
"8KuSNAx9ycTO0urNkz4In1I2srmK8qPTfqfPU7y5kjHM1oC31+LwVNiyzeIQl"
"cdW00DMTHfzkQAjtdDXgKG5db4Dqw+2wtZfLGvBFOSfV0RspZmSDSN6ON81dk"
"lVABMMOA7Vd8wwIj0ms/gb/+AB0IQIDAQAB" )
ccchoir-intern IN A 172.31.17.156
cow IN A 212.12.51.133
IN AAAA 2a00:14b0:f000:23:51:133:0:1
IN MX 10 cow
cow-intern IN A 172.31.17.201
auth-dns IN A 212.12.48.124
auth-dns IN AAAA 2a00:14b0:4200:3000:124::1
cowtest IN MX 10 cow
IN TXT "v=spf1 mx -all"
dkim._domainkey.cowtest IN TXT ("v=DKIM1;k=rsa;t=s;s=email;p="
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy5aAMRgFdGdG+Ewmn"
"OZb8gdCjSSoFjTxu/GW9edVWU0zsRRQT9r6oF82Cn05jEKNra3D8tE48jBaDQ"
"GOAFa4BgjxiIfP/D36CaN2JT5sno3faSBkqaKoBG0zRD2UsNj/ROfHB844BOf"
"AUt4KFMMHUfO03Gu6ps9nq/QBsrR5Iq6sMv9WiftKjh4twS4S+Wz7ZXymY3yd"
"jRLI8r48pASg6IoiByV8kR3r7OZw9dzmNgbTCOEyKaicB4KJDjgJvQut8af8g"
"sYQYTCSPVqkwb5Y+yJNKhQmsYBwUX23x5Yng2gDBY/pjGeWl28SxdGhm8C23a"
"0wVCz4kQGNvcULnrzifwIDAQAB")
_autodiscover._tcp.cowtest IN SRV 0 1 443 cow
_caldavs._tcp.cowtest IN SRV 0 1 443 cow
_caldavs._tcp.cowtest IN TXT "path=/SOGo/dav/"
_carddavs._tcp.cowtest IN SRV 0 1 443 cow
_carddavs._tcp.cowtest IN TXT "path=/SOGo/dav/"
_imap._tcp.cowtest IN SRV 0 1 143 cow
_imaps._tcp.cowtest IN SRV 0 1 993 cow
_pop3._tcp.cowtest IN SRV 0 1 110 cow
_pop3s._tcp.cowtest IN SRV 0 1 995 cow
_sieve._tcp.cowtest IN SRV 0 1 4190 cow
_smtps._tcp.cowtest IN SRV 0 1 465 cow
_submission._tcp.cowtest IN SRV 0 1 587 cow
mail IN A 212.12.48.122
IN MX 10 cow.hamburg.ccc.de.
local-mail IN A 172.31.17.201 ; make hosts with relayhost=local-mail work
;local-mail IN A 212.12.48.122
; IN AAAA 2a00:14b0:f000:23::122
; IN MX 10 cow.hamburg.ccc.de.
jitsi-old IN A 49.12.8.103
IN AAAA 2a01:4f8:c17:392f::1
jitsi IN A 212.12.51.139
IN AAAA 2a00:14b0:f000:23:51:139:0:1
mumble IN A 212.12.51.141
IN AAAA 2a00:14b0:f000:23:51:141:0:1
id IN A 212.12.48.125
IN AAAA 2a00:14b0:4200:3000:125::1
keycloak-admin IN A 212.12.48.125
IN AAAA 2a00:14b0:4200:3000:125::1
invite IN A 212.12.48.125
IN AAAA 2a00:14b0:4200:3000:125::1
id IN MX 10 cow
IN TXT "v=spf1 mx -all"
dkim._domainkey.id IN TXT ("v=DKIM1;k=rsa;t=s;s=email;p="
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx6wcQjo7qgb1CMOv5"
"6odc7Ef8rocu3bv3JKBIqL/msuoEFOiXGpPZrwcWQJc7lS5tLTxR5XuP02D3D"
"Vif+8D3R8YzLsNMdLZ5moQacdJK2OFFiet2G3kWjBdKH1em9FwMa0MBWlk6LR"
"YWRgsByFBMNIItwkBmqmNrmrPRneRprLYQCf34McDmkzpzUpFdF5sgmbmDpdX"
"genmqXgBopvmnTeXa+kQnoVgrMyWE41zdWaXrDAtoYye3e31j0Nxhnfg+I7vO"
"XPfmatTH7yieDaLG+3kHjbA3WFyAkb/ZAqZaFM8k6cQJEZb7jDzdKlm1fuPrk"
"YUrfZ1V3pglzdm0QbM4wIDAQAB")
aes-intern IN A 172.31.17.145
tickets-intern IN A 172.31.17.148
grafana-intern IN A 172.31.17.145
loki-intern IN A 172.31.17.145
eh22-netbox-intern IN A 172.31.17.166
sunders-intern IN A 172.31.17.170
renovate-intern IN A 172.31.17.171
netbox-intern IN A 172.31.17.167
matrix-intern IN A 172.31.17.150
; have this for compatibility (like references in CI)
public-web-static-intern IN AAAA 2a00:14b0:42:102::17
pretalx-intern IN A 172.31.17.157
zammad-intern IN A 172.31.17.152
nixos-template-intern IN A 172.31.17.200
git-intern IN A 172.31.17.154
forgejo-actions-runner-intern IN A 172.31.17.155
nix-box-june-intern IN A 172.31.17.158
woodpecker-intern IN A 172.31.17.160
mjolnir-intern IN A 172.31.17.161
mjolnir-ng-intern IN A 172.31.17.169
penpot-intern IN A 172.31.17.162
penpot-ng-intern IN A 172.31.17.168
hydra-intern IN A 172.31.17.163
forgejo-runner-builder IN A 172.31.17.202
renovate-forgejo IN A 172.31.17.163
ansible-testing-intern IN A 172.31.17.164
ntfy-intern IN A 172.31.17.149
status IN AAAA 2a00:14b0:f001:100::fd
status IN A 212.12.50.253
design IN A 212.12.48.125
IN AAAA 2a00:14b0:4200:3000:125::1
IN MX 10 cow
IN TXT "v=spf1 mx -all"
dkim._domainkey.design IN TXT ("v=DKIM1;k=rsa;t=s;s=email;p="
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtod7q+mkIcZFe512v"
"jzXF0UfGmo8R6UxeJ/MCi/qjjN+sSqn4dohQx3NBhK3UF9/8Ze7FT5znTxeWj"
"Ks+le/dSS4CKxjSFAV1FjcaAqrUaxO1V8+fxcUSVzAQZXUVyNqqv+SAFUVJSE"
"3zZIuJim4F1HVVLvwbLJZ450ns8KQ7n3RNY2+mqQoxo8xmMg2QFOoQKlSYspC"
"TRTV4LM/n5Jm7Mm1F5DwJ+7Ie9s/WvTWKKKUExmoa5SNheGcfybC+sqnJu7L0"
"F5dWFwk0zzQDcVSY2m9qFWPEuO2fZmiB4IoG4yXkooSY2sH9Z8eX2+6i3k/ub"
"qx58Mav6VlkTxsOAdbbQIDAQAB")
hydra IN A 212.12.48.125
regio-stage IN A 212.12.51.142
AAAA 2a00:14b0:f000:23:51:142:0:1
public-reverse-proxy IN A 212.12.48.125
IN AAAA 2a00:14b0:4200:3000:125::1
public-reverse-proxy-intern IN A 172.31.17.140
router IN A 212.12.48.123
rproxy IN A 212.12.48.122
IN AAAA 2a00:14b0:4200:3000:122::1
IN MX 10 cow.hamburg.ccc.de.
rproxy-intern IN A 172.31.17.180
IN AAAA 2a00:14b0:f000:23::80
IN MX 10 cow.hamburg.ccc.de.
bildungsurlaub IN CNAME rproxy
doku IN CNAME rproxy
test IN CNAME rproxy
www.test IN CNAME rproxy
eh2003 IN CNAME public-reverse-proxy
www.eh2003 IN CNAME public-reverse-proxy
easterhegg2003 IN CNAME public-reverse-proxy
www.easterhegg2003 IN CNAME public-reverse-proxy
eh2005 IN CNAME public-reverse-proxy
www.eh2005 IN CNAME public-reverse-proxy
easterhegg2005 IN CNAME public-reverse-proxy
www.easterhegg2005 IN CNAME public-reverse-proxy
eh2007 IN CNAME public-reverse-proxy
www.eh2007 IN CNAME public-reverse-proxy
eh07 IN CNAME public-reverse-proxy
www.eh07 IN CNAME public-reverse-proxy
easterhegg2007 IN CNAME public-reverse-proxy
www.easterhegg2007 IN CNAME public-reverse-proxy
eh2009 IN CNAME public-reverse-proxy
www.eh2009 IN CNAME public-reverse-proxy
eh09 IN CNAME public-reverse-proxy
www.eh09 IN CNAME public-reverse-proxy
easterhegg2009 IN CNAME public-reverse-proxy
www.easterhegg2009 IN CNAME public-reverse-proxy
eh2011 IN CNAME public-reverse-proxy
www.eh2011 IN CNAME public-reverse-proxy
eh11 IN CNAME public-reverse-proxy
www.eh11 IN CNAME public-reverse-proxy
easterhegg2011 IN CNAME public-reverse-proxy
www.easterhegg2011 IN CNAME public-reverse-proxy
eh20 IN CNAME public-reverse-proxy
oldwiki IN CNAME rproxy
nonpublic.wiki IN CNAME rproxy
www.nonpublic.wiki IN CNAME rproxy
planet IN CNAME rproxy
www.planet IN CNAME rproxy
chaos-macht-schule IN CNAME rproxy
www.chaos-macht-schule IN CNAME rproxy
branding-resources IN CNAME public-reverse-proxy
element IN CNAME public-reverse-proxy
matrix IN CNAME public-reverse-proxy
mas IN CNAME public-reverse-proxy
element-admin IN CNAME public-reverse-proxy
netbox IN CNAME public-reverse-proxy
woodpecker IN CNAME public-reverse-proxy
onlyoffice IN CNAME public-reverse-proxy
pad IN CNAME public-reverse-proxy
pretalx IN CNAME public-reverse-proxy
spaceapi IN CNAME public-reverse-proxy
staging IN CNAME public-reverse-proxy
wiki IN CNAME public-reverse-proxy
www IN CNAME public-reverse-proxy
ntfy IN CNAME public-reverse-proxy
sunders IN CNAME public-reverse-proxy
spaceapiccc IN CNAME public-reverse-proxy
acmedns IN CNAME public-reverse-proxy
cpuccc IN CNAME public-reverse-proxy
did IN CNAME public-reverse-proxy
auth.acmedns IN NS acmedns.hosts.hamburg.ccc.de.
git IN A 212.12.51.136
IN AAAA 2a00:14b0:f000:23:51:136::1
git IN MX 10 cow
IN TXT "v=spf1 mx -all"
dkim._domainkey.git IN TXT ("v=DKIM1;k=rsa;t=s;s=email;p="
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsUGmKDns/qokxyz2u"
"lcyKIcs/S+zf+0wHCfhSOK4lLnws8U/wIny5FAW3zM/7TliqIftzZ2B0Cz8W6"
"YvmtgLyKqBzvCSG0dNYyy9TVeGM4HyrmLBbUkQdGGQwmoJTnCe9gT9z6GO9k2"
"uFfHJsk/iffU75x9iXqLXPGL/CGmLKuBmkYGda2rQ9ATUIpQhIxnerZvVc3RA"
"qwD8/pYvMLOqvCStVHM5Zi+j1Jr0BC8mxU8pIY6rfOVt+h/V3wh0F6dL0z9nw"
"ZhDE53K8frGp2CC5dW/A37FrfMJv+ODw2tX8EdyL2hDBshBQ4r8WiYJTtIMPL"
"50A9UzZndyiLAHoeLrZQIDAQAB")
hackertours IN A 212.12.48.125
IN AAAA 2a00:14b0:4200:3000:125::1
MX 10 cow.hamburg.ccc.de.
IN TXT "v=spf1 mx -all"
dkim._domainkey.hackertours IN TXT ("v=DKIM1;k=rsa;t=s;s=email;"
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnG5J6rMvbOy7mmV4mKfN"
"7SSrtxKP/jI0XWwO2njO3jM6DkAGDpmRH69B5sOW/53/yg7MMdGytGfNAk61YJknP+"
"NGZNSk7F2p2aB+zoksLVcIKdY1YwicYS7l6Q7qWBfv8ctmGTzcwO0UEAizD6xdINN8"
"YmhHorgnxR3HbHeUmaxIe4WM2wWRYiD+9tpY1f0O/NEEoHxmFecRhU9SVmuhLgiOyF"
"AWpPYBMOsKEHoKREENc+4VBj6H2GYTKIs+dYKDNEmVVdnRkgtAVO3FrjCkedBJ7RbR"
"RNHIqdt9u8AF+Vrs1Oq72ZQrNVR0ezEyBScJaxy5JphvBWkMSYSoDpvXLwIDAQAB")
staging.hackertours IN A 212.12.48.125
IN AAAA 2a00:14b0:4200:3000:125::1
grafana IN A 212.12.48.125
IN AAAA 2a00:14b0:4200:3000:125::1
tickets IN A 212.12.48.125
IN AAAA 2a00:14b0:4200:3000:125::1
zammad IN A 212.12.48.125
IN AAAA 2a00:14b0:4200:3000:125::1
loki IN CNAME grafana.hosts
metrics IN CNAME grafana.hosts
; attraktor openvz vm
attraktor IN A 172.31.17.14
IN AAAA 2a00:14b0:f000:23:48::14
IN MX 10 cow.hamburg.ccc.de.
attraktor-intern IN A 172.31.17.14
IN AAAA 2a00:14b0:f000:23:48::14
IN MX 10 cow.hamburg.ccc.de.
attraktor-intern2 IN A 172.31.17.137
IN MX 10 cow.hamburg.ccc.de.
erfafoo IN A 212.12.51.138
IN AAAA 2a00:14b0:f000:23:50:210::1
IN MX 10 cow.hamburg.ccc.de.
local IN CNAME erfafoo
lokal IN CNAME erfafoo
; fuer vollkorn:
;webfoo IN A 212.12.51.138
; IN AAAA 2a00:14b0:4200:3380:138::1
; IN MX 5 nomail.ccc.de.
; IN MX 10 cow.hamburg.ccc.de.
; chaos macht schule server
cms IN A 212.12.51.131
www.cms IN CNAME cms
schule IN CNAME cms
www.schule IN CNAME cms
; Firewall:
ovpn IN A 212.12.48.122
fwhh-v6 IN A 212.12.50.214
; (irc) nat ip
chaoscafe IN A 212.12.50.209
cloud IN A 212.12.48.125
IN AAAA 2a00:14b0:4200:3000:125::1
cloud IN MX 10 cow
IN TXT "v=spf1 mx -all"
dkim._domainkey.cloud IN TXT ("v=DKIM1;k=rsa;t=s;s=email;p="
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvr7XIfOFt99cdEKeP"
"Qhz7miwN2tIZF+imJ3p/r/kam0TKN5pbRMDK0HH4Jl8ksBDozXrLo+U71TX+m"
"XBBeNca4QSfmJh6cAesibf4v/6ssGBdQR7efc2b3dFvZS5/qdS7oLYqYbGpuv"
"aUB0gzhatrAR0i6HdtXrsJxGemda4WvZXaPLPwcWByHLZsHQUbaD3doZOJGXI"
"7+HQs9BuDo4PKQs1/mE5BEWQ0ISEKZ4bk1p8U0ZsfcdQ8o9X53Tj+JxvJHgxi"
"h7yHMr4y9hCOAkvZTFZ/Z/r3KU+N+t9NrVYm995KEernSxE3MXYIsdaFKBDvX"
"Xq837yzJmv7D9S9We3YwIDAQAB")
; Mail: hosts.hamburg.ccc.de
hosts IN MX 10 cow
IN TXT "v=spf1 mx -all"
dkim._domainkey.hosts IN TXT ("v=DKIM1;k=rsa;t=s;s=email;p="
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyFnskyCW0420D+5PA"
"L6cKmPoZR2nrPaMPiJl0+DbDhnsLdXtt3cKZkAin2GYQRvZJvlcJ3JFkFljmQ"
"sZk7BJ02rV7S79DgeFhKMzjE0p/GaMBSdzDZJQEVkKhEK+KBbSfaZ0FM/4Qh0"
"beI26kBgbR6bc+SGdB7+LB2JLPxr5ipP0gJ7RtE+QWIoDaU0e9dSYhucJ4A4k"
"RMs3ECvcCVgsyhRPJahs8tzbKjhnp956ru6Jda3Yo/ubhy4AztP/7ZQayCv/W"
"06PfZNo/i2711F98L2ATQaDsOCKWhpskyrCRcR1nTWNSL7qYhOPD1hZonsd5I"
"f5WwrR4meWD3wmXbX29wIDAQAB")
; Mail: hosts-external.hamburg.ccc.de
external-hosts IN MX 10 cow
IN TXT "v=spf1 mx -all"
dkim._domainkey.external-hosts IN TXT ("v=DKIM1;k=rsa;t=s;s=email;p="
"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkfdJvL7Tpdw6JLkuU"
"nOLwtxojWZ5Xq6rLDK3EzrX2Tyeq03nqgQuI3ruHgodHb1D7sieU61x30+g7y"
"8HnjrN1bfH1iQJUzEOCgOWHwQEbLdbQxcazmbEdowBuA0VuYrXL2tcCFJwdcZ"
"MKZAyuba7leeRgSngZJnesT7aaGvZSuzLa1/KaW4MRbOOmy5LlukBC3EZBpWn"
"/dL73spDajlDx4VRMUpZQq/PAoPPwCFdw/HNnzxBYBIdVloeJx91qBRaNyUIb"
"C/to8YSDVi2aMHiXhTBfoNd1VcxjlBYWqEZtdUhecUjwmbbAO4f0ECO4bs0Yz"
"d/EgJB70ry1quA0MqgZQIDAQAB")
; for thw:
orga IN A 212.12.51.130
IN MX 23 nomail.ccc.de.
IN MX 42 orga
shellhost IN A 212.12.51.140
IN AAAA 2a00:14b0:f000:23:51:140:0:1
IN MX 5 nomail.ccc.de.
IN MX 10 cow.hamburg.ccc.de.
shells IN CNAME shellhost
; chaos vpn-hub on haegars hetzner machine
vpnhub1 IN A 136.243.3.60
IN MX 5 nomail.ccc.de.
IN MX 10 mail.sdinet.de.
vpnhub1.ipv4 IN A 136.243.3.60
vpnhub1-intern IN A 172.31.2.1
; special
ccchh IN MX 5 nomail.ccc.de.
IN MX 10 cow.hamburg.ccc.de.
office IN CNAME office.hh.ccc.de.
officemail IN CNAME officemail.hh.ccc.de.
template IN A 172.31.17.199
IN AAAA 2a00:14b0:f000:23::199
IN MX 10 cow.hamburg.ccc.de.
irc IN A 176.56.239.136
IN AAAA 2a00:d880:8:1::1aa
IN MX 5 nomail.ccc.de.
;anonymizer IN A 192.162.102.224
; IN MX 5 nomail.ccc.de.
; IN MX 10 anonymizer
;mixminion IN A 192.162.102.225
; IN MX 5 nomail.ccc.de.
; IN MX 10 mixminion
cryptoparty IN CNAME public-reverse-proxy
staging.cryptoparty IN CNAME public-reverse-proxy
cryptoparty-intern IN A 172.31.17.213
; Freifunk Gateways
freifunk-gw01 IN CNAME gw01.hamburg.freifunk.net.
freifunk-gw02 IN CNAME gw02.hamburg.freifunk.net.
freifunk-gw03 IN CNAME gw03.hamburg.freifunk.net.
freifunk-gw04 IN CNAME gw04.hamburg.freifunk.net.
freifunk-gw05 IN CNAME gw05.hamburg.freifunk.net.
freifunk-gw06 IN CNAME gw06.hamburg.freifunk.net.
freifunk-gw07 IN CNAME gw07.hamburg.freifunk.net.
freifunk-gw08 IN CNAME gw08.hamburg.freifunk.net.
freifunk-gw09 IN CNAME gw09.hamburg.freifunk.net.
freifunk-gw10 IN CNAME gw10.hamburg.freifunk.net.
freifunk-gw11 IN CNAME gw11.hamburg.freifunk.net.
freifunk-gw12 IN CNAME gw12.hamburg.freifunk.net.
freifunk-gw13 IN CNAME gw13.hamburg.freifunk.net.
freifunk-gw14 IN CNAME gw14.hamburg.freifunk.net.
freifunk-gw15 IN CNAME gw15.hamburg.freifunk.net.
freifunk-gw16 IN CNAME gw16.hamburg.freifunk.net.
freifunk-gw17 IN CNAME gw17.hamburg.freifunk.net.
freifunk-gw18 IN CNAME gw18.hamburg.freifunk.net.
freifunk-gw19 IN CNAME gw19.hamburg.freifunk.net.
freifunk-gw20 IN CNAME gw20.hamburg.freifunk.net.
fftest IN A 212.12.51.135
IN AAAA 2a00:14b0:f000:23::135
; Shellbordell
colossus IN A 212.12.51.133
; generic aliases
LAN-212-12-50-208.dmz-net IN A 212.12.50.208
ip208 IN A 212.12.50.208
ip209 IN A 212.12.50.209
ip210 IN A 212.12.50.210
ip211 IN A 212.12.50.211
ip212 IN A 212.12.50.212
ip213 IN A 212.12.50.213
ip214 IN A 212.12.50.214
ENDE-212-12-50-215.dmz-broadcast IN A 212.12.50.215
ip215 IN A 212.12.50.215
; ChaosVPN
hack IN NS cvpn-dns.hack
cvpn-dns.hack IN A 172.31.0.5
; IPv4 Reverse DNS
122.48.12.212.rdns IN PTR turing.hamburg.ccc.de.
123.48.12.212.rdns IN PTR ip-48-123.hamburg.ccc.de.
124.48.12.212.rdns IN PTR ip-48-124.hamburg.ccc.de.
125.48.12.212.rdns IN PTR public-reverse-proxy.hamburg.ccc.de.
126.48.12.212.rdns IN PTR chaosknoten.hamburg.ccc.de.
208.50.12.212.rdns IN PTR net-12-50-212.hamburg.ccc.de.
209.50.12.212.rdns IN PTR turing.hamburg.ccc.de.
;210.50.12.212.rdns IN PTR erfafoo.hamburg.ccc.de.
211.50.12.212.rdns IN PTR ip-50-12-211.hamburg.ccc.de.
213.50.12.212.rdns IN PTR cryptoparty.hamburg.ccc.de.
214.50.12.212.rdns IN PTR ip-50-12-214.hamburg.ccc.de.
215.50.12.212.rdns IN PTR broadcast-12-15-212.hamburg.ccc.de.
128.51.12.212.rdns IN PTR net-12-51-128.hamburg.ccc.de.
129.51.12.212.rdns IN PTR ip-51-129.hamburg.ccc.de.
130.51.12.212.rdns IN PTR ip-51-130.hamburg.ccc.de.
131.51.12.212.rdns IN PTR cms.hamburg.ccc.de.
132.51.12.212.rdns IN PTR lists.hamburg.ccc.de.
133.51.12.212.rdns IN PTR cow.hamburg.ccc.de.
134.51.12.212.rdns IN PTR srv01.hamburg.freifunk.net.
135.51.12.212.rdns IN PTR fftest.hamburg.ccc.de.
136.51.12.212.rdns IN PTR git.hamburg.ccc.de.
137.51.12.212.rdns IN PTR ip-51-137.hamburg.ccc.de.
138.51.12.212.rdns IN PTR erfafoo.hamburg.ccc.de.
139.51.12.212.rdns IN PTR jitsi.hamburg.ccc.de.
140.51.12.212.rdns IN PTR ip-51-140.hamburg.ccc.de.
141.51.12.212.rdns IN PTR mumble.hamburg.ccc.de.
142.51.12.212.rdns IN PTR regio-stage.hamburg.ccc.de.
143.51.12.212.rdns IN PTR broadcast-12-15-128.hamburg.ccc.de.
; hosts.hamburg.ccc.de
wiki.hosts IN AAAA 2a00:14b0:42:102::2
cloud.hosts IN AAAA 2a00:14b0:42:102::3
eh22-wiki.hosts IN AAAA 2a00:14b0:42:102::4
pad.hosts IN AAAA 2a00:14b0:42:102::5
keycloak.hosts IN AAAA 2a00:14b0:42:102::6
onlyoffice.hosts IN AAAA 2a00:14b0:42:102::7
renovate.hosts IN AAAA 2a00:14b0:42:102::8
sunders.hosts IN AAAA 2a00:14b0:42:102::9
mjolnir.hosts IN AAAA 2a00:14b0:42:102::a
netbox.hosts IN AAAA 2a00:14b0:42:102::b
tickets.hosts IN AAAA 2a00:14b0:42:102::c
zammad.hosts IN AAAA 2a00:14b0:42:102::d
grafana.hosts IN AAAA 2a00:14b0:42:102::e
ccchoir.hosts IN AAAA 2a00:14b0:42:102::f
pretalx.hosts IN AAAA 2a00:14b0:42:102::10
ntfy.hosts IN AAAA 2a00:14b0:42:102::11
spaceapiccc.hosts IN AAAA 2a00:14b0:42:102::12
acmedns.hosts IN AAAA 2a00:14b0:42:102::13
www2.hosts IN AAAA 2a00:14b0:42:102::14
www3.hosts IN AAAA 2a00:14b0:42:102::15
diday-staging-runner.hosts IN AAAA 2a00:14b0:42:102::16
public-web-static.hosts IN AAAA 2a00:14b0:42:102::17
forgejo-actions-runner.hosts IN AAAA 2a00:14b0:42:102::18
; acme-challenges
_acme-challenge.sunders CNAME a5ee8a99-3cdf-4212-972e-c0b6fda1242f.auth.acmedns
_acme-challenge.pretalx CNAME 295a66d4-1d71-49f3-a80a-1f7527ec9cca.auth.acmedns


@ -0,0 +1,73 @@
$TTL 7200
; es wird jetzt der hostname mail.hamburg.ccc.de nicht mehr
; verwendet, sondern statt dessen local-mail.hamburg.ccc.de
; die popeye fuehlt sich immer noch unter mail.hamburg.ccc.de
; angesprochen, und nimmt daher keine mails mit absender-adressen
; die sie nicht kennt an.
; ich hoffe diese aenderung arbeitet um diesen bug herum.
; - haegar 2001.11.14
@ IN SOA auth-dns.hamburg.ccc.de. noc.hamburg.ccc.de. (
2024012601
10800
3600
3600000
86400 )
IN NS ns.hamburg.ccc.de.
IN NS ns.vie.ccc.de.
IN MX 5 nomail.ccc.de.
; IN MX 10 local-mail.hamburg.ccc.de.
IN MX 23 nomail2.ccc.de.
IN MX 42 nomail3.ccc.de.
IN A 212.12.48.125
IN AAAA 2a00:14b0:4200:3000:125::1
localhost IN A 127.0.0.1
; DMZ-Server:
dmz-net IN A 212.12.50.208
turing IN CNAME turing.hamburg.ccc.de.
www IN CNAME www.hamburg.ccc.de.
LAN-212-12-51-128 IN A 212.12.51.128
gate IN A 212.12.51.129
END-212-12-51-143 IN A 212.12.51.143
; convience and email
backup IN A 172.31.16.3
IN AAAA 2001:6f8:126f:1:16:20:0:3
; IN MX 5 nomail.ccc.de.
IN MX 10 local-mail.hamburg.ccc.de.
officemail IN A 172.31.17.131
IN MX 5 nomail.ccc.de.
; IN MX 10 local-mail.hamburg.ccc.de.
IN MX 23 nomail2.ccc.de.
IN MX 42 nomail3.ccc.de.
orga IN CNAME orga.hamburg.ccc.de.
; Die alte World, aka popeye.crew-gmbh.de
; Legacy-Names, do not delete
world IN A 192.76.134.7
IN MX 10 world
popeye IN A 192.76.134.7
IN MX 10 world
uucp IN A 192.76.134.7
; ChaosVPN
hack IN NS cvpn-dns.hack
cvpn-dns.hack IN A 172.31.0.5
; tmp test
merz.leck.eier IN TXT "kann er mal"
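Review bot: The `world`, `popeye` and `uucp` records under the "Legacy-Names, do not delete" comment still publish A and MX data for 192.76.134.7, and nothing in this file shows that the address is still operated by the zone owner. If it is not, whoever holds that address receives the mail and connections for those names. The same question applies to the third-party CNAME and NS targets in the `ccc.` zone further down, whose serial dates from 2002. I would confirm who controls each target before the new server starts serving and signing these zones, and drop the `; tmp test` TXT record at the end of this file, which reads like a leftover.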


@ -0,0 +1,12 @@
$ORIGIN localhost.
$TTL 7200
@ 1D IN SOA @ root (
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
1D IN NS @
1D IN A 127.0.0.1


@ -0,0 +1,61 @@
$ORIGIN ccc.
$TTL 7200
@ IN SOA turing.hamburg.ccc.de. haegar.ccc.de. (
2002101507
10800
3600
3600000
86400 )
IN NS turing.hamburg.ccc.de.
localhost IN A 127.0.0.1
www IN A 195.21.255.248
hh IN NS ccchh.hh.ccc.
IN NS turing.hamburg.ccc.de.
ccchh.hh IN A 192.168.16.2
vpn.hh IN NS turing.hamburg.ccc.de.
; haegar:
sdinet IN NS ns.sdinet.ccc.
ns.sdinet IN A 192.168.18.41
; falk:
valhalla IN NS thor.valhalla.ccc.
thor.valhalla IN A 192.168.21.1
; jeedi:
ghetto IN NS semaphore.ghetto.ccc.
semaphore.ghetto IN A 192.168.20.2
; count
flatline IN NS aleph.flatline.de.
flatline IN NS pulse.flatline.de.
; thalunil (Alex Bihlmaier)
core.kallisti IN A 194.122.183.51
fnord IN NS core.kallisti
kallisti IN NS core.kallisti
; sz
vogsphere IN A 212.12.48.51
datenknoten IN A 212.12.48.49
znet IN NS datenknoten.ccc.
sz IN NS datenknoten.ccc.
chaos IN NS datenknoten.ccc.
funk IN NS datenknoten.ccc.
presse IN NS datenknoten.ccc.
weltregierung IN NS datenknoten.ccc.
; migri
migri IN CNAME migri.homeip.net.
; Enno
enno IN CNAME home.verbrennung.org.
; Dennis
desc IN NS freya.ainex.net.


@ -0,0 +1,37 @@
$ORIGIN vpn.hh.ccc.
$TTL 7200
@ IN SOA vpn.hh.ccc. haegar.ccc.de. (
2002101502
10800
3600
3600000
86400 )
IN NS turing.hamburg.ccc.de.
localhost IN A 127.0.0.1
network IN A 192.168.0.64
fwhh IN A 192.168.0.65
worf IN A 192.168.0.66
sdinet-cut IN A 192.168.0.67
migri IN A 192.168.0.68
cemil IN A 192.168.0.69
fw IN A 192.168.0.70
fw-server IN A 192.168.0.71
broadcast IN A 192.168.0.127
net.znet IN A 192.168.23.0
gate.znet IN A 192.168.23.23
bc.znet IN A 192.168.23.255
net.no-maam IN A 192.168.24.0
gate.no-maam IN A 192.168.24.1
bc.no-maam IN A 192.168.24.255
net.loom IN A 192.168.33.0
gate.loom IN A 192.168.33.1
bc.loom IN A 192.168.33.255


@ -0,0 +1,2 @@
---
knot__remotes: [ ]


@ -0,0 +1,19 @@
---
- name: restart knot
tags: [ auth-dns ]
become: true
ansible.builtin.systemd:
name: knot.service
state: restarted
- name: reload knot zones
tags: [ auth-dns ]
become: true
changed_when: true
ansible.builtin.command: "knotc zone-reload"
- name: netplan apply
tags: [ auth-dns ]
become: true
changed_when: true
ansible.builtin.command: "netplan apply"


@ -0,0 +1,59 @@
---
argument_specs:
main:
options:
knot__dnssec_key_id:
description: The id of the TSIG key which knot will use for zone transfer signing
type: str
required: true
knot__dnssec_key_secret:
description: The secret value of the TSIG key which knot will use for zone transfer signing
type: str
required: true
knot__remotes:
description:
- A list of definitions for remote nameservers that are used for different purposes
- See https://www.knot-dns.cz/docs/latest/html/reference.html#remote-section for details
type: list
elements: dict
required: false
options:
id:
type: str
required: true
address:
type: list
required: true
elements: str
knot__catalog_zones:
description: A list of catalog zones that will be served by knot
type: list
elements: dict
required: true
options:
domain:
type: str
required: true
notify_targets:
type: list
elements: str
required: false
knot__zones:
description: A list of user zones that will be served by knot
type: list
elements: dict
required: true
options:
domain:
type: str
required: true
notify_targets:
type: list
elements: str
required: false
catalog_member:
type: str
required: false
content:
type: str
required: true
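Review bot: `knot__dnssec_key_id` and `knot__dnssec_key_secret` are described as the TSIG key for zone transfer signing, but their names say DNSSEC, which in this role is a separate mechanism (the signing policy in the knot configuration template). A reader looking for zone-signing key material will land on the transfer secret, and the reverse. I would rename them to `knot__tsig_key_id` and `knot__tsig_key_secret`, or at least say in each description that the value is unrelated to DNSSEC signing keys. The nested `id` and `address` options of `knot__remotes` also have no `description`.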


@ -0,0 +1,11 @@
---
- name: Install knot
tags: [ auth-dns ]
become: true
ansible.builtin.package:
name:
- knot
- knot-exporter
- knot-dnssecutils
- knot-dnsutils
- knot-host


@ -0,0 +1,53 @@
---
- name: Ensure required directories exist
tags: [ auth-dns ]
become: true
loop: [ "/etc/knot", "/etc/knot/zones" ]
ansible.builtin.file:
path: "{{ item }}"
state: directory
owner: knot
group: knot
mode: u=rwx,g=rx,o=
- name: Deploy knot configuration file
tags: [ auth-dns ]
become: true
notify: restart knot
ansible.builtin.template:
src: knot.conf.j2
dest: /etc/knot/knot.conf
owner: knot
group: knot
mode: u=rw,g=r,o=
- name: Deploy configured zones
tags: [ auth-dns ]
become: true
notify: reload knot zones
loop: "{{ knot__zones }}"
loop_control:
label: "{{ item.domain }}"
vars:
zone_content: "{{ item.content }}"
ansible.builtin.template:
src: zone.j2
dest: "/etc/knot/zones/{{ item.domain }}zone"
owner: knot
group: knot
mode: u=rw,g=r
# this seems weird but hear me out:
# if we don't disable SLAAC, the node automatically gets an address based on IPv6 Router-Advertisements
# this results in outgoing zone transfers failing because knot will prefer to use the dynamic address over the statically configured one.
# so because we are configuring a DNS Nameserver where known IP-Addresses are actually important for ACL reasons, SLAAC is disabled
- name: Disable IPv6 SLAAC
tags: [ auth-dns ]
become: true
notify: netplan apply
ansible.builtin.template:
src: "netplan-disable-ra.yaml"
dest: "/etc/netplan/10-disable-ra.yaml"
owner: root
group: root
mode: u=rw,g=,o=
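Review bot: The "Deploy knot configuration file" task renders `knot__dnssec_key_secret` into /etc/knot/knot.conf, so a run with `--diff` prints the TSIG secret to the console and to any log that captures the output; `diff: false` on that task keeps it out. The same task has no `validate:`, so a template that renders an invalid configuration is written and the handler then restarts knot against it; `validate: "knotc -c %s conf-check"` would reject the file before it replaces the working one. In "Deploy configured zones" the destination `"/etc/knot/zones/{{ item.domain }}zone"` only lines up with the `%s.zone` pattern of the default template when `item.domain` ends in a dot, which deserves a comment next to the task or an assertion on the variable.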


@ -0,0 +1,3 @@
---
- ansible.builtin.import_tasks: 01-install.yaml # noqa: name[missing]
- ansible.builtin.import_tasks: 02-configure.yaml # noqa: name[missing]


@ -0,0 +1,95 @@
# {{ ansible_managed }}
# See knot.conf(5) or refer to the server documentation.
server:
rundir: "/run/knot"
user: knot:knot
automatic-acl: on
listen: [ "0.0.0.0@53", "::@53" ]
log:
- target: syslog
any: info
database:
storage: "/var/lib/knot"
key:
- id: {{ knot__dnssec_key_id }}
algorithm: hmac-sha512
secret: "{{ knot__dnssec_key_secret }}"
remote:
# static, external and public remote used for DNSSEC KSK checking
- id: quad9
address: "2620:fe::fe"
{% if knot__remotes -%}
# additional remotes used in the config
{% for i_remote in knot__remotes -%}
- id: "{{ i_remote.id }}"
address: [ {% for i_addr in i_remote.address %}"{{ i_addr}}"{% if not loop.last %},{% endif %} {% endfor %} ]
{% endfor %}
{% endif %}
# define how the presence of parent KSK keys is checked
# in this case, we just ask quad9 which is an open resolver
submission:
- id: default
parent: quad9
parent-delay: 1h
# define how dnssec signing is done
# in this case we don't do anything special but teach knot how to check for KSK presence
policy:
- id: default
ksk-submission: default
nsec3: true
nsec3-salt-length: 0
# define default settings that apply to all zones
template:
# template for general-purpose user zones
- id: default
storage: "/etc/knot/zones"
file: "%s.zone"
semantic-checks: on
zonefile-sync: -1
zonefile-load: difference-no-serial
serial-policy: dateserial
journal-content: all
default-ttl: 7200
dnssec-signing: on
dnssec-policy: default
{# catalog-role: member #}
{# catalog-zone: hamburg.ccc.de.catalog. #}
# template for automatically created special zones
- id: catalog
catalog-role: generate
dnssec-signing: on
dnssec-policy: default
# define zones on this server
# See https://www.knot-dns.cz/docs/3.4/html/reference.html#zone-section
zone:
# catalog zones
{% for i_zone in knot__catalog_zones -%}
- domain: "{{ i_zone.domain }}"
template: catalog
notify: [ {% for i_notif in i_zone.notify_targets | default([]) %}"{{ i_notif }}"{% if not loop.last %}, {% endif %}{% endfor %} ]
{% endfor %}
# normal zones
{% for i_zone in knot__zones -%}
- domain: "{{ i_zone.domain }}"
template: default
notify: [ {% for i_notif in i_zone.notify_targets | default([]) %}"{{ i_notif }}"{% if not loop.last %}, {% endif %}{% endfor %} ]
{% if i_zone.catalog_member | default(False) -%}
catalog-role: member
catalog-zone: "{{ i_zone.catalog_member }}"
{% endif %}
{% endfor %}
{# - domain: "onsite.eurofurence.org" #}
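Review bot: The `key:` section defines the TSIG key, but no entry rendered under `remote:` carries a `key` option and the template has no explicit `acl:` section, so with `automatic-acl: on` the transfer and notify rules are derived from the remote addresses alone. As far as this template shows, transfers to and from the configured remotes are then neither signed nor authorised by the key, which is not what the variable descriptions promise. Adding `key: "{{ knot__dnssec_key_id }}"` to each remote in the loop binds the key to the remote. I would also quote the value in `- id: {{ knot__dnssec_key_id }}` like the other templated scalars.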


@ -0,0 +1,14 @@
# {{ ansible_managed }}
network:
ethernets:
{%- for i_iface_name in ansible_interfaces -%}
{%- if i_iface_name != "lo" -%}
{%- set i_iface = ansible_facts[i_iface_name] %}
{{ i_iface_name }}:
match:
macaddress: "{{ i_iface.macaddress }}"
accept-ra: false
{% endif %}
{% endfor %}
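Review bot: `ansible_facts[i_iface_name]` is read for every name in `ansible_interfaces` except `lo`, and `i_iface.macaddress` is used without a check. Ansible stores interface facts under the device name with `-` replaced by `_`, and tunnel or other virtual devices may have no `macaddress`, so on a host with such an interface the template fails or matches on an undefined value. I would look the fact up with `ansible_facts[i_iface_name | replace('-', '_')]` and wrap the entry in `{% if i_iface.macaddress is defined %}`. Since the address-based ACLs depend on router advertisements staying off, a failed or partial render should surface in the play rather than as a host that quietly keeps its SLAAC address.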


@ -0,0 +1,4 @@
; {{ ansible_managed }}
{{ zone_content }}