blub

.gitignore

@@ -158,3 +158,5 @@ cython_debug/
 #  and can be added to the global gitignore or merged into this file.  For a more nuclear
 #  option (not recommended) you can uncomment the following to ignore the entire idea folder.
 #.idea/
+
+vault/secret

ansible.cfg

@@ -0,0 +1,2 @@
+[defaults]
+vault_password_file = ./vault/secret

production.yaml

@@ -1,11 +1,15 @@
-authoritative-dns:
+autosecondaries:
   hosts:
-    dns.lauka.net:
-      ipv4: 212.132.71.126
-      ipv6: 2a02:247a:271:cc00::1
+    dns-a.ns.queer-dns.com:
+      ipv4: 130.61.98.23
+      ipv6: 2603:c020:8008:753:d361:ad83:51fd:3644
     dns.itslaura.eu:
       ipv4: 5.250.191.170
       ipv6: 2001:ba0:217:e400::1
     dns.0xbe.be:
       ipv4: 194.164.17.227
       ipv6: 2a00:da00:f218:6300::1
+hidden_primary:
+  hosts:
+    queer-primary.lauka-home.neta:
+      public_ipv6: 2a00:da00:f218:6300::1 # TODO

roles/hidden_primary/tasks/knot.yml

@@ -0,0 +1,24 @@
+#- name: Create /usr/share/keyrings directory
+#  ansible.builtin.file:
+#    path: /usr/share/keyrings
+#    state: directory
+#    mode: '0755'
+#
+#- name: Download KnotDNS Repo Signing Key
+#  ansible.builtin.get_url:
+#    url: https://pkg.labs.nic.cz/gpg
+#    dest: /usr/share/keyrings/cznic-labs-pkg.gpg
+#    mode: '0644'
+#
+#- name: Add KnotDNS Repository
+#  ansible.builtin.apt_repository:
+#    repo: deb [signed-by=/usr/share/keyrings/cznic-labs-pkg.gpg] https://pkg.labs.nic.cz/knot-dns bookworm main
+#    state: present
+#
+#- name: Install KnotDNS
+#  ansible.builtin.apt:
+#    pkg:
+#      - knot
+#    state: latest
+#    update_cache: yes
+#  register: package_install

roles/hidden_primary/tasks/main.yml

@@ -1,28 +1,104 @@
-#- name: Create /etc/apt/keyrings directory
+- name: Include secrets.yml
+  ansible.builtin.include_vars:
+    file: secrets.yml
+
+- name: Create /etc/apt/keyrings directory
+  ansible.builtin.file:
+    path: /etc/apt/keyrings
+    state: directory
+    mode: '0755'
+
+#- name: Create /usr/share/postgresql-common/pgdg directory
 #  ansible.builtin.file:
-#    path: /etc/apt/keyrings
+#    path: /usr/share/postgresql-common/pgdg
 #    state: directory
 #    mode: '0755'
-#
-#- name: Download PowerDNS Repo Signing Key
-#  ansible.builtin.get_url:
-#    url: https://repo.powerdns.com/FD380FBB-pub.asc
-#    dest: /etc/apt/keyrings/auth-48-pub.asc
-#    mode: '0644'
-#
-#- name: Add PowerDNS Repository
-#  ansible.builtin.apt_repository:
-#    repo: deb [signed-by=/etc/apt/keyrings/auth-48-pub.asc arch=amd64] http://repo.powerdns.com/debian bookworm-auth-48 main
-#    state: present
-#
-#- name: Install PowerDNS
-#  ansible.builtin.apt:
-#    pkg:
-#      - pdns-server
-#      - pdns-backend-sqlite3
+
+- name: Download PostgreSQL Repo Signing Key
+  ansible.builtin.get_url:
+    url: https://www.postgresql.org/media/keys/ACCC4CF8.asc
+    dest: /etc/apt/keyrings/apt.postgresql.org.asc
+    mode: '0644'
+
+- name: Add PostgreSQL Repository
+  ansible.builtin.apt_repository:
+    repo: deb [signed-by=/etc/apt/keyrings/apt.postgresql.org.asc] https://apt.postgresql.org/pub/repos/apt bookworm-pgdg main
+    state: present
+
+- name: Install PostgreSQL
+  ansible.builtin.apt:
+    pkg:
+      - postgresql-16
+      #- sqlite3
     # state: latest
-#    update_cache: yes
-#  register: package_install
+    update_cache: yes
+  register: deb_postgresql_install
+
+- name: Configure PostgreSQL pg_hba.conf
+  ansible.builtin.template:
+    src: pg_hba.conf
+    dest: /etc/postgresql/16/main/pg_hba.conf
+    owner: postgres
+    group: postgres
+    mode: '0640'
+  register: conf_postgresql_pg_hba
+
+- name: Create PostgreSQL Database
+  shell: psql -c "CREATE ROLE {{ pdns_pgsql_user }} WITH LOGIN PASSWORD '{{ pdns_pgsql_password }}';" -c "CREATE DATABASE {{ pdns_pgsql_database }} WITH OWNER = {{ pdns_pgsql_user }} encoding = 'UTF8';"
+  become: true
+  become_user: postgres
+  when: deb_postgresql_install.changed
+
+- name: Download PowerDNS PostgreSQL Schema
+  ansible.builtin.get_url:
+    url: https://raw.githubusercontent.com/PowerDNS/pdns/master/modules/gpgsqlbackend/schema.pgsql.sql
+    dest: /var/lib/postgresql/powerdns_schema.sql
+    owner: postgres
+    group: postgres
+    mode: '0600'
+
+- name: Apply PowerDNS PostgreSQL Schema
+  shell: "psql < /var/lib/postgresql/powerdns_schema.sql"
+  become: true
+  become_user: postgres
+  environment:
+    PGHOSTADDR: 127.0.0.1
+    PGDATABASE: "{{ pdns_pgsql_database }}"
+    PGUSER: "{{ pdns_pgsql_user }}"
+    PGPASSWORD: "{{ pdns_pgsql_password }}"
+  when: deb_postgresql_install.changed
+
+- name: Enable PostgreSQL
+  ansible.builtin.service:
+    name: postgresql
+    enabled: true
+
+- name: Restart PostgreSQL
+  ansible.builtin.service:
+    name: postgresql@16-main
+    state: restarted
+  when: conf_postgresql_pg_hba.changed
+
+- name: Download PowerDNS Repo Signing Key
+  ansible.builtin.get_url:
+    url: https://repo.powerdns.com/FD380FBB-pub.asc
+    dest: /etc/apt/keyrings/auth-48-pub.asc
+    mode: '0644'
+
+- name: Add PowerDNS Repository
+  ansible.builtin.apt_repository:
+    repo: deb [signed-by=/etc/apt/keyrings/auth-48-pub.asc arch=amd64] http://repo.powerdns.com/debian bookworm-auth-48 main
+    state: present
+
+- name: Install PowerDNS and prerequisites
+  ansible.builtin.apt:
+    pkg:
+      - pdns-server
+      - pdns-backend-pgsql
+      #- sqlite3
+    # state: latest
+    update_cache: yes
+  register: deb_powerdns_install
 
 - name: Print groups
   ansible.builtin.debug:
@@ -34,24 +110,32 @@
     var: hostvars
     verbosity: 2
 
-- name: Get AXFR IP List
-  build_axfr_list:
-    key: ipv6
-    group: autosecondaries
-    hostvars: "{{ hostvars }}"
-    hosts: "{{ groups['autosecondaries'] }} "
-  register: axfr_list
-
 - name: Print return information from the previous task
   ansible.builtin.debug:
     var: axfr_list
     verbosity: 2
 
+- name: Set AXFR List as fact
+  set_fact:
+    axfr_ipv6: "{{ groups['autosecondaries']|default([])|map('extract', hostvars)|map(attribute='ipv6')|list|sort }}"
+
+
 - name: Configure PowerDNS
   ansible.builtin.template:
     src: pdns.conf.j2
     dest: /etc/powerdns/pdns.conf
     owner: root
     group: root
-    mode: '0640'
-  register: rsyslog_config
+    mode: '0644'
+  register: pdns_config
+
+- name: Enable PowerDNS
+  ansible.builtin.service:
+    name: pdns
+    enabled: true
+
+- name: Restart PowerDNS
+  ansible.builtin.service:
+    name: pdns
+    state: restarted
+  when: pdns_config.changed

roles/hidden_primary/templates/knot.conf.j2

@@ -0,0 +1,31 @@
+# Example of a very simple Knot DNS configuration.
+
+server:
+  listen: 0.0.0.0@53
+  listen: ::@53
+  identity: {{ ansible_hostname }}
+  version: 
+  user: knot:knot
+  async-start: off
+  automatic-acl: on
+
+database:
+  storage: "/var/lib/knot"
+
+#remote:
+#  - id: secondary
+#    address: 192.168.1.1@53
+#
+#  - id: primary
+#    address: 192.168.2.1@53
+
+template:
+  - id: default
+    storage: "/var/lib/knot"
+    file: "%s.zone"
+
+log:
+  - target: syslog
+    any: info
+
+include: STR

roles/hidden_primary/templates/knot.pinning.j2

@@ -0,0 +1,2 @@
+Package: knot knot-* libdnssec* libzscanner* libknot* python3-libknot*
+Pin-Priority: 1001

roles/hidden_primary/templates/pdns.conf.j2

@@ -1,8 +1,33 @@
-launch=gsqlite3
-gsqlite3-database=/var/lib/powerdns/powerdns.db
+launch=gpgsql
+local-address={{ hostvars[inventory_hostname].public_ipv6 }}
 local-port=36419
 
-allow-axfr-ips={{ axfr_list.axfr_list | join(",") }}
+gpgsql-host=/var/run/postgresql
+gpgsql-dbname={{ pdns_pgsql_database }}
+gpgsql-user={{ pdns_pgsql_user }}
+gpgsql-password={{ pdns_pgsql_password }}
+gpgsql-dnssec=yes
+
+
+# gpgsql-get-order-first-query=select ordername from records where domain_id = $1 and disabled = false and ordername is not null order by 1 asc limit 1
+# gpgsql-get-order-before-query=select ordername, name from records where ordername <= $1 and domain_id = $2 and disabled = false and ordername is not null order by 1 desc limit 1
+# gpgsql-get-order-after-query=select ordername from records where ordername > $1 and domain_id = $2 and disabled = false and ordername is not null order by 1 asc limit 1
+# gpgsql-get-order-last-query=select ordername, name from records where ordername != '' and domain_id = $1 and disabled = false and ordername is not null order by 1 desc limit 1
+
+
+primary=yes
+api=yes
+api-key={{ pdns_web_apikey }}
+webserver=False
+webserver-port=8080
+webserver-address=::1
+webserver-allow-from=127.0.0.1
+webserver-password={{ pdns_web_apikey }}
+allow-axfr-ips={{ axfr_ipv6 | join(",") }}
+disable-axfr=no
+only-notify=
+also-notify={{ axfr_ipv6 | join(",") }}
+
 
 secondary=no
 autosecondary=no

roles/hidden_primary/templates/pg_hba.conf

@@ -0,0 +1,132 @@
+# PostgreSQL Client Authentication Configuration File
+# ===================================================
+#
+# Refer to the "Client Authentication" section in the PostgreSQL
+# documentation for a complete description of this file.  A short
+# synopsis follows.
+#
+# ----------------------
+# Authentication Records
+# ----------------------
+#
+# This file controls: which hosts are allowed to connect, how clients
+# are authenticated, which PostgreSQL user names they can use, which
+# databases they can access.  Records take one of these forms:
+#
+# local         DATABASE  USER  METHOD  [OPTIONS]
+# host          DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
+# hostssl       DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
+# hostnossl     DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
+# hostgssenc    DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
+# hostnogssenc  DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
+#
+# (The uppercase items must be replaced by actual values.)
+#
+# The first field is the connection type:
+# - "local" is a Unix-domain socket
+# - "host" is a TCP/IP socket (encrypted or not)
+# - "hostssl" is a TCP/IP socket that is SSL-encrypted
+# - "hostnossl" is a TCP/IP socket that is not SSL-encrypted
+# - "hostgssenc" is a TCP/IP socket that is GSSAPI-encrypted
+# - "hostnogssenc" is a TCP/IP socket that is not GSSAPI-encrypted
+#
+# DATABASE can be "all", "sameuser", "samerole", "replication", a
+# database name, a regular expression (if it starts with a slash (/))
+# or a comma-separated list thereof.  The "all" keyword does not match
+# "replication".  Access to replication must be enabled in a separate
+# record (see example below).
+#
+# USER can be "all", a user name, a group name prefixed with "+", a
+# regular expression (if it starts with a slash (/)) or a comma-separated
+# list thereof.  In both the DATABASE and USER fields you can also write
+# a file name prefixed with "@" to include names from a separate file.
+#
+# ADDRESS specifies the set of hosts the record matches.  It can be a
+# host name, or it is made up of an IP address and a CIDR mask that is
+# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that
+# specifies the number of significant bits in the mask.  A host name
+# that starts with a dot (.) matches a suffix of the actual host name.
+# Alternatively, you can write an IP address and netmask in separate
+# columns to specify the set of hosts.  Instead of a CIDR-address, you
+# can write "samehost" to match any of the server's own IP addresses,
+# or "samenet" to match any address in any subnet that the server is
+# directly connected to.
+#
+# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256",
+# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert".
+# Note that "password" sends passwords in clear text; "md5" or
+# "scram-sha-256" are preferred since they send encrypted passwords.
+#
+# OPTIONS are a set of options for the authentication in the format
+# NAME=VALUE.  The available options depend on the different
+# authentication methods -- refer to the "Client Authentication"
+# section in the documentation for a list of which options are
+# available for which authentication methods.
+#
+# Database and user names containing spaces, commas, quotes and other
+# special characters must be quoted.  Quoting one of the keywords
+# "all", "sameuser", "samerole" or "replication" makes the name lose
+# its special character, and just match a database or username with
+# that name.
+#
+# ---------------
+# Include Records
+# ---------------
+#
+# This file allows the inclusion of external files or directories holding
+# more records, using the following keywords:
+#
+# include           FILE
+# include_if_exists FILE
+# include_dir       DIRECTORY
+#
+# FILE is the file name to include, and DIR is the directory name containing
+# the file(s) to include.  Any file in a directory will be loaded if suffixed
+# with ".conf".  The files of a directory are ordered by name.
+# include_if_exists ignores missing files.  FILE and DIRECTORY can be
+# specified as a relative or an absolute path, and can be double-quoted if
+# they contain spaces.
+#
+# -------------
+# Miscellaneous
+# -------------
+#
+# This file is read on server startup and when the server receives a
+# SIGHUP signal.  If you edit the file on a running system, you have to
+# SIGHUP the server for the changes to take effect, run "pg_ctl reload",
+# or execute "SELECT pg_reload_conf()".
+#
+# ----------------------------------
+# Put your actual configuration here
+# ----------------------------------
+#
+# If you want to allow non-local connections, you need to add more
+# "host" records.  In that case you will also need to make PostgreSQL
+# listen on a non-local interface via the listen_addresses
+# configuration parameter, or via the -i or -h command line switches.
+
+
+
+
+# DO NOT DISABLE!
+# If you change this first entry you will need to make sure that the
+# database superuser can access the database using some other method.
+# Noninteractive access to all databases is required during automatic
+# maintenance (custom daily cronjobs, replication, and similar tasks).
+#
+# Database administrative login by Unix domain socket
+local   all             postgres                                peer
+
+# TYPE  DATABASE        USER            ADDRESS                 METHOD
+
+# "local" is for Unix domain socket connections only
+local   all             all                                     scram-sha-256
+# IPv4 local connections:
+host    all             all             127.0.0.1/32            scram-sha-256
+# IPv6 local connections:
+host    all             all             ::1/128                 scram-sha-256
+# Allow replication connections from localhost, by a user with the
+# replication privilege.
+local   replication     all                                     peer
+host    replication     all             127.0.0.1/32            scram-sha-256
+host    replication     all             ::1/128                 scram-sha-256

roles/hidden_primary/vars/secrets.yml

@@ -0,0 +1,14 @@
+$ANSIBLE_VAULT;1.1;AES256
+62626237363835666239393637336662303566346330336264643539666662353436633633613031
+3366353432346231356536663237653131393364353037320a396234366666636238633563386433
+30626133343833613562613533346665623139383362333438663435363465306338356665363462
+6465303063633462660a656266663533346633613262623838633562386133306538393361613739
+64313864323030336238313661333631313962313636616364393364633238363435613633303961
+39373161393634643631373863343266636332656136333964636234393131303561633263626363
+36626139383165343863306363396539653737386134306433613463313837303361303332383631
+31303636306430663363393337613166316334323735386466663534656162343536346162303038
+35623838313131636562303765316139373739613831386265303863663837313330373331643561
+30333239313665393164643931353635353639343935663330373030393433323364316161323830
+62613033646133366564386230303332333136636235366231663037366631646434613437306536
+66373463343139373462643432376232633936626662393565346166376663636638623266306366
+6439

staging.yaml

@@ -2,14 +2,14 @@ autosecondaries:
   hosts:
     auth-dns-01.test.lauka-home.net:
       ipv4: 130.61.98.23
-      ipv6: 2603:c020:8008:753:d361:ad83:51fd:3644
+      ipv6: fdf6:8c9d::60
     auth-dns-02.test.lauka-home.net:
       ipv4: 5.250.191.170
-      ipv6: 2001:ba0:217:e400::1
+      ipv6: fdf6:8c9d::61
     auth-dns-03.test.lauka-home.net:
       ipv4: 194.164.17.227
-      ipv6: 2a00:da00:f218:6300::1
+      ipv6: fdf6:8c9d::62
 hidden_primary:
   hosts:
-    queer-primary.lauka-home.net:
-      public_v6: 2a00:da00:f218:6300::1 # TODO
+    hidden-primary.test.lauka-home.net:
+      public_ipv6: fdf6:8c9d::70 # TODO

vars/main.yml

@@ -0,0 +1 @@
+# Global vars