Merge branch '18-authoritative-dns-server' into 'master'

Resolve "Authoritative DNS Server" Closes #18 See merge request !133

Merge branch '18-authoritative-dns-server' into 'master'
192c354c · skorpy · d5344bf3 · 8dd8ea31 · 192c354c · 192c354c
Commit 192c354c authored 7 years ago by skorpy
--- a/apt/files/keys/knot.gpg
+++ b/apt/files/keys/knot.gpg
--- a/apt/init.sls
+++ b/apt/init.sls
@@ -2,8 +2,10 @@
 ## APT
 #

-apt-transport-https:
-  pkg.installed
+include:
+  - apt.transport.https
+  - apt.unattended-upgrades
+  - apt.freifunk

 python-apt:
  pkg.installed
@@ -11,8 +13,6 @@ python-apt:
 debian-archive-keyring:
  pkg.installed

-
-
 {% if grains['osfinger'] == "Debian-8" %}
 /etc/apt/sources.list:
  file.managed:
@@ -58,7 +58,3 @@ ffffm-repo:
      - pkg: python-apt
      - pkg: apt-transport-https

-include:
-  - apt.unattended-upgrades
-  - apt.freifunk
-
--- a/apt/repository/knot-dns.sls
+++ b/apt/repository/knot-dns.sls
+include:
+  - apt.transport.https
+
+knot-dns-deb:
+  pkgrepo.managed:
+    - humanname: knot-dns.cz/knot/
+{%- if grains['osfinger'] == 'Debian-8' %}
+    - name: deb https://deb.knot-dns.cz/knot/ jessie main
+    - dist: jessie
+{%- else %}
+    - name: deb https://deb.knot-dns.cz/knot/ stretch main
+    - dist: stretch
+{%- endif %}
+    - file: /etc/apt/sources.list.d/knot.list
+    - key_url: salt://apt/files/keys/knot.gpg
+    - require:
+      - pkg: python-apt
+      - pkg: apt-transport-https
+
+knot-common:
+  pkg.installed:
+    - pkgs:
+      - knot-dnsutils
+      - knot-host
+
--- a/apt/repository/nodejs.sls
+++ b/apt/repository/nodejs.sls
+include:
+  - apt.transport.https
+
 nodejs:
  pkgrepo.managed:
    - humanname: nodejs

--- a/apt/repository/yarn.sls
+++ b/apt/repository/yarn.sls
+include:
+  - apt.transport.https
+
 yarn:
  pkgrepo.managed:
    - humanname: yarn

--- a/apt/transport/https.sls
+++ b/apt/transport/https.sls
+apt-transport-https:
+  pkg.installed
--- a/example-pillar/knot-dns.sls
+++ b/example-pillar/knot-dns.sls
+knot-dns:
+  repository:
+    remote: https://chaos.expert/FFFFM/zones
+    branch: master
--- a/example-pillar/top.sls
+++ b/example-pillar/top.sls
@@ -2,6 +2,7 @@
 base:
  '*':
    - ffadmin
+    - knot-dns
 #   excluded for simplicity
 #  '{{ grains['id'] }}':
 #    - host.{{ hostname }}

--- a/knot-dns/files/ferm.conf.j2
+++ b/knot-dns/files/ferm.conf.j2
+{%- set listen4 = ' '.join(grains.fqdn_ip4) -%}
+{%- set listen6 = ' '.join(grains.fqdn_ip6) -%}
+
+domain (ip ip6) {
+  table filter {
+    chain INPUT {
+      daddr ({{ listen4 }} {{ listen6 }}) {
+        proto (udp tcp) dport 53 ACCEPT;
+      }
+    }
+  }
+}
--- a/knot-dns/files/knot.conf.j2
+++ b/knot-dns/files/knot.conf.j2
+#
+# This is a sample of a minimal configuration file for Knot DNS.
+# For more details, see man 5 knot.conf or refer to the server documentation.
+#
+
+server:
+    # Listen on all configured IPv4 interfaces.
+    listen: 0.0.0.0@53
+    # Listen on all configured IPv6 interfaces.
+    listen: ::@53
+    # User for running the server.
+    user: knot:knot
+log:
+    # Log info and more serious events to syslog.
+  - target: syslog
+    any: info
+mod-synth-record:
+  - id: fb00
+    type: reverse
+    prefix: dynamic-
+    origin: as64475.space
+    ttl: 200
+    network: 2a06:8187:fb00::/40
+  - id: v420062008
+    type: reverse
+    prefix: dynamic-
+    origin: as64475.space
+    ttl: 200
+    network: 185.206.208.0/24
+
+mod-rrl:
+  - id: default
+    rate-limit: 200   # Allow 200 resp/s for each flow
+    slip: 2           # Every other response slips
+
+template:
+  - id: default
+    file: /var/lib/knot/zones/%s.zone
+    serial-policy: unixtime
+    storage: /var/lib/knot
+    global-module: [mod-stats, mod-rrl/default]
+  - id: reverseV4
+    storage: "/var/lib/knot/zones/"
+    file: /var/lib/knot/zones/%s.zone
+    serial-policy: unixtime
+    module: mod-synth-record/v420062008
+  - id: reverseV6
+    storage: "/var/lib/knot/zones/"
+    file: /var/lib/knot/zones/%s.zone
+    serial-policy: unixtime
+    module: mod-synth-record/fb00
+
+zone:
+  - domain: b.f.7.8.1.8.6.0.a.2.ip6.arpa.
+    template: reverseV6
+  - domain: 208.206.185.in-addr.arpa.
+    template: reverseV4
+  - domain: ffffm.net
+  - domain: as64475.net
+  - domain: as64475.space
+  - domain: freifunk-frankfurt.de
+  - domain: ffm-freifunk.net
+  - domain: freifunk-ffm.de
+  - domain: freifunkfrankfurt.de
+  - domain: reifunk.net
+  - domain: freifunk.fail
+  - domain: ffm.freifunk.online
+  - domain: frankfurt.freifunk.online
+
--- a/knot-dns/init.sls
+++ b/knot-dns/init.sls
+{% set knot = pillar['knot-dns'] %}
+
+include:
+  - apt.repository.knot-dns
+  - ferm
+
+knot:
+  pkg.installed:
+    - pkgs:
+      - knot
+  service.running:
+    - name: knot
+    - enable: True
+    - watch:
+      - pkg: knot-dns
+      - file: /etc/knot/knot.conf
+      - file: /var/lib/knot/zones/
+
+/etc/knot/knot.conf:
+  file.managed:
+    - source: salt://knot-dns/files/knot.conf.j2
+    - user: knot
+    - group: knot
+    - mode: 644
+    - template: jinja
+    - require:
+      - pkg: knot
+
+
+/var/lib/knot/:
+  file.directory:
+    - user: knot
+    - group: knot
+    - require:
+      - pkg: knot
+
+
+/var/lib/knot/zones/:
+  git.latest:
+    - name: {{ knot['repository']['remote'] }}
+    - branch: {{ knot['repository']['branch'] }}
+    - target: /var/lib/knot/zones/
+    - watch_in:
+      - service: knot
+    - require:
+      - pkg: git
+      - pkg: knot
+
+/etc/ferm/conf.d/40-knot.conf:
+  file.managed:
+    - source: salt://knot-dns/files/ferm.conf.j2
+    - user: root
+    - group: root
+    - mode: 644
+    - template: jinja
+    - require:
+      - file: /etc/ferm/conf.d
--- a/top.sls
+++ b/top.sls
@@ -62,6 +62,7 @@ base:
    - bird.bgp
    - bird.ospf
    - network
+    - knot-dns
    - mmfd
    - l3roamd
  'access-*.batman.ffm.freifunk.net':
@@ -75,3 +76,6 @@ base:
  'prometheus.ffm.freifunk.net':
    - letsencrypt
    - nginx
+  '*.ns.*.*':
+    - knot-dns
+