New NSD class and associated playbooks/inventory

inventory/group_vars/nsd

+---
+firewall_allowed_tcp_ports:
+  - 53
+
+firewall_allowed_udp_ports:
+  - 53
+
+firewall_additional_rules:
+  - "iptables -A INPUT -i eth1 -j ACCEPT"
+
+nsd_tsig_keys:
+  - tsig_keyname: sec_key
+    tsig_secret: "{{ nsd_tsig_keys_vault.sec_key }}"
+    tsig_algorithm: hmac-sha256
+  - tsig_keyname: 20160920.gnome.org
+    tsig_secret: "{{ nsd_tsig_keys_vault.ext_key }}"
+    tsig_algorithm: hmac-sha256

inventory/host_vars/nsd01.gnome.org

+---
+masters: &zone_default
+  masters:
+    - ip: 130.89.149.216
+
+abisource_zones:
+  - zone_name: abisource.com
+    zone_filename: abisource.com
+    <<: *zone_default
+  - zone_name: abisource.org
+    zone_filename: abisource.org
+    <<: *zone_default
+  - zone_name: abisuite.com
+    zone_filename: abisuite.com
+    <<: *zone_default
+  - zone_name: abisuite.org
+    zone_filename: abisuite.org
+    <<: *zone_default
+  - zone_name: abiword.com
+    zone_filename: abiword.com
+    <<: *zone_default
+  - zone_name: abiword.org
+    zone_filename: abiword.org
+    <<: *zone_default

inventory/ral3_rhel8

@@ -19,3 +19,7 @@ ceph03.gnome.org
 
 [bastions]
 bastion01.gnome.org
+
+[nsd]
+nsd01.gnome.org is_master=true
+nsd02.gnome.org is_slave=true

playbooks/ral3_rhel8.yml

@@ -27,3 +27,10 @@
   roles:
    - squid
    - node-exporter
+
+- hosts: nsd
+  gather_facts: true
+  remote_user: root
+  roles:
+   - nsd
+   - node-exporter

roles/nsd/defaults/main.yml

+---
+nsd_version: 4
+nsd_service_name: "nsd"
+nsd_pkg_name: "nsd"
+nsd_control_program: "/usr/sbin/nsd-control"
+nsd_control_setup_program: "/usr/sbin/nsd-control-setup"
+nsd_config_dir: "/etc/nsd"
+nsd_zones_config_file: "/etc/nsd/zones.conf"
+nsd_master_zones_dir: "/var/lib/nsd/master"
+nsd_slave_zones_dir: "/var/lib/nsd/slave"
+nsd_log_dir: "/var/log/nsd"
+
+nsd_server_config:
+  do-ip4: "yes"
+  do-ip6: "yes"
+  logfile: "{{ nsd_log_dir }}/nsd.log"
+  zonesdir: "{{ nsd_master_zones_dir }}"
+  xfrdir: "{{ nsd_slave_zones_dir }}"
\ No newline at end of file

roles/nsd/files/unsigned_zones/clutter-project.org

+$TTL 3600
+@    IN    SOA    clutter-project.org. hostmaster.gnome.org.  (
+                2021011800 ; Serial
+                28800      ; Refresh
+                14400      ; Retry
+                1000000    ; Expire
+                21600 )    ; Minimum
+
+    IN    NS    ns-master.gnome.org.
+    IN    NS    ns-slave.gnome.org.
+    IN    MX    10    smtp.gnome.org.
+
+    IN    A   8.43.85.13    
+    IN    A   8.43.85.14
+    IN    A   8.43.85.29
+
+www IN    CNAME    openshift.gnome.org.

roles/nsd/files/unsigned_zones/flatpak.org

+$TTL		300
+
+@		IN	SOA	ns-master.gnome.org. hostmaster.gnome.org. (
+				2020041500      ; Serial
+				28800		; Refresh
+				7200		; Retry
+				604800		; Expire
+				;86400		; Default TTL
+				;3600		; Default TTL
+				300		; Default TTL
+				)
+
+		IN	NS	ns-master.gnome.org.
+		IN	NS	ns-slave.gnome.org.
+
+; front-ams.flathub.org
+		IN	A	46.235.231.150
+		IN	AAAA	2a00:1098:88:12::1
+
+; front-hex2.flathub.org
+		IN	A	46.235.230.111
+		IN	AAAA	2a00:1098:82:e:0:0:1:1
+
+		IN	MX	10 smtp.gnome.org.
+
+docs		IN	CNAME	readthedocs.io.
+
+www		IN	CNAME   @
+
+flatpak.org. IN TXT "libera-iE!2PbqoQsUaDXkRDrbAX2_j"

roles/nsd/files/unsigned_zones/gegl.org

+;
+; BIND data file for gegl.org
+;
+;$TTL		86400
+;$TTL		3600
+$TTL		300
+@		IN	SOA	ns-master.gnome.org. hostmaster.gnome.org. (
+				2010032100	; Serial
+				28800		; Refresh
+				7200		; Retry
+				604800		; Expire
+				;86400		; Default TTL
+				;3600		; Default TTL
+				300		; Default TTL
+				)
+
+		IN	NS	ns-master.gnome.org.
+		IN	NS	ns-slave.gnome.org.
+
+		IN	A	109.74.199.77
+
+		IN	MX	10	smtp.gnome.org.
+
+www		IN	A	109.74.199.77
+
+ftp		IN	CNAME	ftp.gimp.org.

roles/nsd/files/unsigned_zones/gnome.asia

+$TTL        300
+@       IN  SOA ns-master.gnome.org. hostmaster.gnome.org. (
+                2021091400  ; Serial
+                28800       ; Refresh
+                7200        ; Retry
+                604800      ; Expire
+                300     ; Default TTL
+            )
+
+            IN  NS  ns-master.gnome.org.
+            IN  NS  ns-slave.gnome.org.
+
+            IN  A  185.199.108.153
+            IN  A  185.199.109.153
+            IN  A  185.199.110.153
+            IN  A  185.199.111.153
+
+            IN  AAAA 2606:50c0:8000::153
+            IN  AAAA 2606:50c0:8001::153
+            IN  AAAA 2606:50c0:8002::153
+            IN  AAAA 2606:50c0:8003::153
+
+            IN  TXT "v=spf1 a mx a:gnome.asia ip4:34.215.195.175 ?all"
+
+            IN  MX  30 ASPMX5.GOOGLEMAIL.COM.
+            IN  MX  30 ASPMX4.GOOGLEMAIL.COM.
+            IN  MX  30 ASPMX3.GOOGLEMAIL.COM.
+            IN  MX  20 ALT2.ASPMX.L.GOOGLE.COM.
+            IN  MX  30 ASPMX2.GOOGLEMAIL.COM.
+            IN  MX  10 ASPMX.L.GOOGLE.COM.
+            IN  MX  20 ALT1.ASPMX.L.GOOGLE.COM.
+
+
+ftp         IN  A   34.215.195.175
+m           IN  A   34.215.195.175
+localhost   IN  A   127.0.0.1
+webmail     IN  A   34.215.195.175
+admin       IN  A   34.215.195.175
+2011tmp     IN  A   67.207.129.73
+china       IN  A   67.207.131.31
+china2      IN  A   67.207.131.31
+mail        IN  A   209.20.68.30
+rock        IN  A   119.59.73.133
+survey      IN  A   34.215.195.175
+2008        IN  CNAME   rock
+2009        IN  CNAME   rock
+2010        IN  CNAME   rock
+2011        IN  CNAME   rock
+survey2     IN  CNAME   dizi.lyrical.net.
+www         IN  CNAME   gnome-asia.github.io.
+test        IN  CNAME   rock
+zozo        IN  CNAME   rock
+2012        IN  CNAME   gnome.asia.
+2013        IN  CNAME   gnome.asia.
+2014        IN  CNAME   gnome.asia.
+2017        IN  A   52.26.95.19
+2016        IN  A   34.215.195.175
+2015        IN  A   34.215.195.175
+2018        IN  CNAME   gnome-asia.github.io.
+2019        IN  CNAME   gnome-asia.github.io.
+2020        IN  CNAME   openshift.gnome.org.
+
+google3ead69f8239dfb8a  IN  CNAME   google.com.
+
+gnome.asia. IN TXT "github-verification=a7zjTstjyQXRYw49sP6CxDCMF4BGKTGqdZWQGIRDER"

roles/nsd/files/unsigned_zones/gnome.gr

+$TTL		300
+@		IN	SOA	ns-master.gnome.org. hostmaster.gnome.org. (
+			        2022021100	; Serial
+				28800		; Refresh
+				7200		; Retry
+				604800		; Expire
+				;86400		; Default TTL
+				;3600		; Default TTL
+				300		; Default TTL
+				)
+
+                IN	NS	ns-master.gnome.org.
+                IN	NS	ns-slave.gnome.org.
+
+                IN	A   8.43.85.13
+                IN  A   8.43.85.14
+                IN  A   8.43.85.29 
+
+                IN  MX  10  smtp.gnome.org.
+lists           IN  MX  10  smtp.gnome.org.
+
+wiki        IN  CNAME   openshift.gnome.org.
+www         IN  CNAME   openshift.gnome.org.
+
+planet      IN  CNAME   openshift.gnome.org.
+www.planet  IN  CNAME   openshift.gnome.org.
+memory      IN  CNAME   pylyglot.info.tm.
+
+lists       IN  A       8.43.85.13
+            IN  A       8.43.85.14
+            IN  A       8.43.85.29

roles/nsd/files/unsigned_zones/gnome.io

+$TTL 300
+@        IN    SOA    ns-master.gnome.org. hostmaster.gnome.org. (
+                2021011800; Serial
+                28800; Refresh
+                7200; Retry
+                604800; Expire
+                300; Default TTL
+                )
+
+                IN    NS    ns-master.gnome.org.
+                IN    NS    ns-slave.gnome.org.
+
+                MX  10  smtp.gnome.org. 
+
+                IN  A   8.43.85.13
+                IN  A   8.43.85.14
+                IN  A   8.43.85.29
+
+www IN  CNAME    openshift.gnome.org.

roles/nsd/files/unsigned_zones/gnome3.com

+$TTL 3600
+@    IN    SOA    gnome3.com. hostmaster.gnome.org.  (
+                2021011800 ; Serial
+                28800      ; Refresh
+                14400      ; Retry
+                1000000    ; Expire
+                21600 )    ; Minimum
+
+    IN    NS    ns-master.gnome.org.
+    IN    NS    ns-slave.gnome.org.
+    IN    MX    10    smtp.gnome.org.
+
+    IN  A   8.43.85.13    
+    IN  A   8.43.85.14
+    IN  A   8.43.85.29
+
+www IN  CNAME    openshift.gnome.org.

roles/nsd/files/unsigned_zones/gnome3.org

+$TTL 3600
+@    IN    SOA    gnome3.org. hostmaster.gnome.org.  (
+                2021011800 ; Serial
+                28800      ; Refresh
+                14400      ; Retry
+                1000000    ; Expire
+                21600 )    ; Minimum
+
+    IN    NS    ns-master.gnome.org.
+    IN    NS    ns-slave.gnome.org.
+    IN    MX    10    smtp.gnome.org.
+
+    IN    A   8.43.85.13    
+    IN    A   8.43.85.14
+    IN    A   8.43.85.29
+
+www IN    CNAME    openshift.gnome.org.

roles/nsd/files/unsigned_zones/happybirthdaygnome.org

+$TTL 3600
+@    IN    SOA    happybirthdaygnome.org. hostmaster.gnome.org.  (
+                2021011800 ; Serial
+                28800      ; Refresh
+                14400      ; Retry
+                1000000    ; Expire
+                21600 )    ; Minimum
+    IN    NS    ns-master.gnome.org.
+    IN    NS    ns-slave.gnome.org.
+    IN    MX    10    smtp.gnome.org.
+
+    IN  A   8.43.85.13    
+    IN  A   8.43.85.14
+    IN  A   8.43.85.29
+
+www IN  CNAME    openshift.gnome.org.

roles/nsd/files/unsigned_zones/libsoup.org

+$TTL 300
+@        IN    SOA    ns-master.gnome.org. hostmaster.gnome.org. (
+                2022020300; Serial
+                28800; Refresh
+                7200; Retry
+                604800; Expire
+                300; Default TTL
+                )
+
+                IN    NS    ns-master.gnome.org.
+                IN    NS    ns-slave.gnome.org.
+
+                IN  A   8.43.85.13
+                IN  A   8.43.85.14
+                IN  A   8.43.85.29
+
+                IN  TXT "google-site-verification=Mgpz9pg08HGTf7Npx1NQ7bZ3IaG1v0ww9QiS_HB6u4o"
+
+www IN  CNAME    openshift.gnome.org.

roles/nsd/files/unsigned_zones/pango.org

+$TTL 3600
+@	IN	SOA	pango.org. hostmaster.gnome.org.  (
+				2022022100 ; Serial
+				10800      ; Refresh
+				900        ; Retry
+				1000000    ; Expire
+				3600 )     ; Minimum
+	IN	NS	ns-master.gnome.org.
+	IN	NS	ns-slave.gnome.org.
+
+	IN	MX	10	smtp.gnome.org.
+    IN	A   8.43.85.13
+    IN  A   8.43.85.14
+    IN  A   8.43.85.29 
+
+www     IN      CNAME   openshift.gnome.org. 
+wiki    IN      CNAME   openshift.gnome.org.
+old     IN      CNAME   openshift.gnome.org. 

roles/nsd/files/unsigned_zones/pygtk.org

+$TTL 3600
+@    IN    SOA    pygtk.org. hostmaster.gnome.org.  (
+                2021011800 ; Serial
+                28800      ; Refresh
+                14400      ; Retry
+                1000000    ; Expire
+                21600 )    ; Minimum
+
+    IN    NS    ns-master.gnome.org.
+    IN    NS    ns-slave.gnome.org.
+    IN    MX    10    www.async.com.br.
+
+    IN  A   8.43.85.13    
+    IN  A   8.43.85.14
+    IN  A   8.43.85.29
+
+www IN  CNAME    openshift.gnome.org.
+irc IN  CNAME    irc.gnome.org.

roles/nsd/handlers/main.yml

+---
+
+- name: rebuild nsd database
+  command: "{{ nsd_control_program }} rebuild"
+  when: nsd_version == 3
+
+- name: reload nsd database
+  command: "{{ nsd_control_program }} reload"
+
+- name: restart nsd
+  service:
+    name: "{{ nsd_service_name }}"
+    state: restarted
+
+- name: notify slaves
+  command: "{{ nsd_control_program }} notify"

roles/nsd/meta/main.yml

+---
\ No newline at end of file

roles/nsd/tasks/main.yml

+---
+
+- name: Custom role dependant variables (master)
+  include_vars:
+    file: master.yml
+  when: is_master|default(false)
+
+- name: Custom role dependant variables (slave)
+  include_vars:
+    file: slave.yml
+  when: is_slave|default(false)
+
+- name: Install nsd
+  dnf: pkg={{ nsd_pkg_name }} state=present
+
+- name: Create master zones directory
+  file:
+    path: "{{ nsd_master_zones_dir }}"
+    state: directory
+    owner: root
+    group: root
+    mode: 0755
+
+- name: Create slave zones directory
+  file:
+    path: "{{ nsd_slave_zones_dir }}"
+    state: directory
+    owner: nsd
+    group: nsd
+    mode: 0755
+
+- name: Create nsd log directory
+  file:
+    path: "{{ nsd_log_dir }}"
+    state: directory
+    owner: nsd
+    group: nsd
+    mode: 0775
+    setype: nsd_log_t
+
+- name: Configure nsd zones
+  template:
+    src: zones_config.j2
+    dest: "{{ nsd_zones_config_file }}"
+    owner: root
+    group: root
+    mode: 0644
+    validate: '/usr/sbin/nsd-checkconf %s'
+  notify:
+    - rebuild nsd database
+    - reload nsd database
+    - restart nsd
+
+- name: Create base nsd configuration file
+  template:
+    src: nsd_config.j2
+    dest: "{{ nsd_config_dir }}/nsd.conf"
+    owner: root
+    group: root
+    mode: 0644
+    validate: '/usr/sbin/nsd-checkconf %s'
+  notify:
+    - restart nsd
+
+- name: Stat against nsd_control.pem
+  stat:
+   path: "{{ nsd_config_dir }}/nsd_control.pem"
+  register: stat_result
+
+- name: Generate nsd control SSL certificates
+  command: "{{ nsd_control_setup_program }}"
+  when: not stat_result.stat.exists
+
+- name: Make sure nsd is running
+  service:
+    name: "{{ nsd_service_name }}"
+    state: started
+    enabled: yes
+
+- name: Copy content of unsigned zones
+  copy:
+    src: "unsigned_zones/{{ item.zone_filename }}"
+    dest: "{{ nsd_master_zones_dir }}/{{ item.zone_filename }}"
+    owner: root
+    group: root
+    mode: 0644
+  with_items: "{{ nsd_unsigned_zones }}"
+  when: is_master|default(false)
+  notify:
+    - rebuild nsd database
+    - reload nsd database
+    - notify slaves
+
+- name: Copy content of signed zones
+  copy:
+    src: "/srv/dns/built/{{ item.zone_filename }}.signed"
+    dest: "{{ nsd_master_zones_dir }}/{{ item.zone_filename }}"
+    owner: root
+    group: root
+    mode: 0644
+    remote_src: yes
+  with_items: "{{ nsd_signed_zones }}"
+  when: is_master|default(false)
+  notify:
+    - rebuild nsd database
+    - reload nsd database
+    - notify slaves
\ No newline at end of file