Merge "Refactor adns variables"

Zuul 2023-04-13 02:31:48 +00:00 committed by Gerrit Code Review
commit 4a101da52a
14 changed files with 65 additions and 51 deletions


@ -6,18 +6,27 @@ DNS
###
The project runs authoritative DNS servers for any constituent
projects that wish to use them. The servers run Bind on a hidden
master which handles automatic DNSSEC zone signing while the public
authoritative servers run NSD.
projects that wish to use them.
Bind is run on a hidden master (`adns01.opendev.org`) which handles
automatic DNSSEC zone signing. Any changes to the zone files are
deployed here.
Secondary public authoritative servers run NSD and take zone transfers
from the hidden primary. These are published in the NS records for
the managed zones.
At a Glance
===========
:Hosts:
* adns01.opendev.org
* ns1.opendev.org
* ns2.opendev.org
:Ansible:
* :git_file:`inventory/service/group_vars/dns.yaml`
* :git_file:`inventory/service/group_vars/adns.yaml`
* :git_file:`inventory/service/group_vars/adns-primary.yaml`
* :git_file:`inventory/service/group_vars/adns-secondary.yaml`
:Projects:
* https://www.nlnetlabs.nl/projects/nsd/
* https://www.isc.org/downloads/bind/doc/


@ -0,0 +1,17 @@
dns_repos:
- name: zone-opendev.org
url: https://opendev.org/opendev/zone-opendev.org
- name: zone-zuul-ci.org
url: https://opendev.org/opendev/zone-zuul-ci.org
- name: zone-gating.dev
url: https://opendev.org/opendev/zone-gating.dev
dns_notify:
- 104.239.140.165
- 162.253.55.16
iptables_extra_allowed_hosts:
- protocol: tcp
port: 53
hostname: ns1.opendev.org
- protocol: tcp
port: 53
hostname: ns2.opendev.org
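Review bot: The two `dns_notify` entries are bare IP addresses with nothing tying them to the hostnames that `iptables_extra_allowed_hosts` admits on tcp/53 a few lines below, so the NOTIFY targets and the zone-transfer allow-list can drift apart unnoticed when a secondary is renumbered. Add an inline comment per address naming the host it belongs to, e.g. `- 104.239.140.165  # <secondary hostname — confirm>`, so a reviewer can check the two lists against each other at a glance. A one-line header comment would also help, since this file appears to apply to the whole `adns` group, which per the inventory change in this commit now contains both the hidden primary and the public secondaries; something like `# Variables shared by the primary and secondary authoritative nameservers (adns group).` makes it explicit that these keys are not primary-only.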


@ -1,17 +1,12 @@
dns_repos:
- name: zone-opendev.org
url: https://opendev.org/opendev/zone-opendev.org
- name: zone-zuul-ci.org
url: https://opendev.org/opendev/zone-zuul-ci.org
- name: zone-gating.dev
url: https://opendev.org/opendev/zone-gating.dev
dns_notify:
- 104.239.140.165
- 162.253.55.16
iptables_extra_allowed_hosts:
- protocol: tcp
port: 53
hostname: ns1.opendev.org
- protocol: tcp
port: 53
hostname: ns2.opendev.org
dns_zones:
- name: gating.dev
source: zone-gating.dev/zones/gating.dev/
- name: opendev.org
source: zone-opendev.org/zones/opendev.org/
- name: acme.opendev.org
source: zone-opendev.org/zones/acme.opendev.org/
unmanaged: True
- name: zuul-ci.org
source: zone-zuul-ci.org/zones/zuul-ci.org/
- name: zuulci.org
source: zone-zuul-ci.org/zones/zuulci.org/
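Review bot: `unmanaged: True` on the `acme.opendev.org` entry of the new `dns_zones` block uses the YAML 1.1 capitalized boolean; Ansible accepts it, but `unmanaged: true` is the canonical lowercase form and is what yamllint's truthy rule expects. That entry is the only zone carrying the flag, so a short comment on it saying what the flag changes would save the next reader a trip into the role — presumably it marks a zone whose contents are not taken from the repository checkout but written by the letsencrypt TXT-record play that this commit now targets at `adns-primary`, but confirm against the master-nameserver role before wording it.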


@ -1,12 +0,0 @@
dns_zones:
- name: gating.dev
source: zone-gating.dev/zones/gating.dev/
- name: opendev.org
source: zone-opendev.org/zones/opendev.org/
- name: acme.opendev.org
source: zone-opendev.org/zones/acme.opendev.org/
unmanaged: True
- name: zuul-ci.org
source: zone-zuul-ci.org/zones/zuul-ci.org/
- name: zuulci.org
source: zone-zuul-ci.org/zones/zuulci.org/


@ -1,6 +1,10 @@
plugin: yamlgroup
groups:
adns: adns*.open*.org
adns:
- adns*.opendev.org
- ns*.opendev.org
adns-primary: adns*.opendev.org
adns-secondary: ns*.opendev.org
afs-server-common:
- afs[0-9]*.openstack.org
- afsdb[0-9]*.openstack.org
@ -51,9 +55,6 @@ groups:
control-plane-clouds:
- bridge*.open*.org
disabled: []
dns:
- adns*.opendev.org
- ns*.opendev.org
eavesdrop: eavesdrop[0-9]*.opendev.org
etherpad: etherpad[0-9]*.opendev.org
gitea:
@ -123,8 +124,6 @@ groups:
- nb[0-9]*.opendev.org
nodepool-launcher:
- nl[0-9]*.open*.org
ns:
- ns[0-9]*.open*.org
paste:
- paste[0-9]*.opendev.org
puppet:
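Review bot: The second hunk removes the `dns` group (the three lines under `disabled: []`), yet `inventory/service/group_vars/dns.yaml` is still referenced by the documentation at the top of this page and is kept in the Zuul job file list near the bottom, so whatever variables that file holds silently stop applying to adns1/ns1/ns2 unless the `dns` group is defined in another inventory source or one of the changed files not shown here deletes it. Please either delete `group_vars/dns.yaml` and its references in the same change, or fold its contents into the new shared `adns` group vars. In the first hunk, `adns-secondary: ns*.opendev.org` is broader than the `ns[0-9]*.open*.org` pattern the removed `ns` group used; since membership here decides which hosts receive the `nameserver` role and the tcp/53 iptables rules, `adns-secondary: ns[0-9]*.opendev.org` (and likewise `adns-primary: adns[0-9]*.opendev.org`) keeps any other ns-prefixed host from being configured as an authoritative server by accident.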


@ -9,7 +9,7 @@
roles:
- letsencrypt-acme-sh-install
- letsencrypt-request-certs
- hosts: "adns:!disabled"
- hosts: "adns-primary:!disabled"
name: "Install txt records"
roles:
- letsencrypt-install-txt-record


@ -5,7 +5,11 @@ results:
adns1.opendev.org:
- adns
- dns
- adns-primary
ns1.opendev.org:
- adns
- adns-secondary
afs01.dfw.openstack.org:
- afs-server-common


@ -1,11 +1,11 @@
- hosts: adns:!disabled
name: "Base: configure adns server"
- hosts: adns-primary:!disabled
name: "Base: configure primary authoritative nameserver"
roles:
- iptables
- master-nameserver
- hosts: "ns1.opendev.org:ns2.opendev.org:!disabled"
name: "Base: configure authoritative nameservers"
- hosts: "adns-secondary:!disabled"
name: "Base: configure secondary authoritative nameservers"
roles:
- iptables
- nameserver
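Review bot: The first play's host pattern `- hosts: adns-primary:!disabled` is left as a plain scalar while the second play quotes `"adns-secondary:!disabled"` and the letsencrypt playbook in this same commit quotes `"adns-primary:!disabled"`. The plain form parses correctly today because the `:` is not followed by a space, but the pattern contains two YAML indicator characters and the inconsistency invites a copy-paste edit that breaks it later; write it as `- hosts: "adns-primary:!disabled"` to match the other plays.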


@ -114,11 +114,11 @@
dest: "/etc/ansible/hosts/{{ item }}"
loop:
- group_vars/all.yaml
- group_vars/adns.yaml
- group_vars/adns-primary.yaml
- group_vars/adns-secondary.yaml
- group_vars/bastion.yaml
- group_vars/eavesdrop.yaml
- group_vars/nodepool.yaml
- group_vars/ns.yaml
- group_vars/registry.yaml
- group_vars/gitea.yaml
- group_vars/gitea-lb.yaml
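Review bot: Going by the hunk counts (11 old, 11 new, 13 lines shown), two loop entries are removed here, which appear to be `group_vars/adns.yaml` and `group_vars/ns.yaml`, and `group_vars/adns-primary.yaml` / `group_vars/adns-secondary.yaml` are added. That drops the shared `adns.yaml` group vars from the copy to `/etc/ansible/hosts/` at the very moment this commit makes that file the carrier of `dns_repos`, `dns_notify` and `iptables_extra_allowed_hosts` for both primary and secondaries; if the bridge expects the group vars for the `adns` group to be present, those keys will be missing unless the adns-primary and adns-secondary templates repeat them. Either keep `- group_vars/adns.yaml` in the loop alongside the two new entries, or add a comment on the loop noting where the shared adns variables come from in this environment. The task this loop belongs to starts outside the hunk, so I cannot see its `src`.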


@ -152,7 +152,8 @@
- inventory/base
- playbooks/service-nameserver.yaml
- inventory/service/group_vars/adns.yaml
- inventory/service/group_vars/ns.yaml
- inventory/service/group_vars/adns-primary.yaml
- inventory/service/group_vars/adns-secondary.yaml
- playbooks/roles/master-nameserver/
- playbooks/roles/nameserver/
- playbooks/roles/iptables/


@ -440,10 +440,11 @@
'/var/lib/bind/zones': logs
files:
- playbooks/bootstrap-bridge.yaml
- inventory/service/group_vars/adns-primary.yaml
- inventory/service/group_vars/adns-secondary.yaml
- inventory/service/group_vars/adns.yaml
- inventory/service/group_vars/dns.yaml
- playbooks/zuul/templates/group_vars/adns.yaml.j2
- playbooks/zuul/templates/group_vars/ns.yaml.j2
- playbooks/zuul/templates/group_vars/adns-primary.yaml.j2
- playbooks/zuul/templates/group_vars/adns-secondary.yaml.j2
- playbooks/roles/master-nameserver/
- playbooks/roles/nameserver/
- testinfra/test_adns.py