tsig for nn (#215)

james-otten · web-flow · commit 02745e21676b · 2025-05-29T21:40:50.000-04:00
* tsig for nn

* deploy

* update to knot 3.3

* fix

* fix

* fix

* fix

* fix

* fix

* fix

* clean
diff --git a/.github/workflows/deploy_dns_environment.yaml b/.github/workflows/deploy_dns_environment.yaml
@@ -27,6 +27,7 @@ env:
   TF_VAR_tsig_key_10_r630_01: "${{ secrets.TF_VAR_TSIG_KEY_10_R630_01 }}"
   TF_VAR_tsig_key_713_r640_01: "${{ secrets.TF_VAR_TSIG_KEY_713_R640_01 }}"
   TF_VAR_tsig_key_doh: "${{ secrets.TF_VAR_TSIG_KEY_DOH }}"
+  TF_VAR_tsig_key_nn: "${{ secrets.TF_VAR_TSIG_KEY_NN }}"
   # Credentials for deployment to AWS
   AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
   AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
diff --git a/infra/ansible/roles/knot_authoritative/files/cznic-labs-knot-dns.list b/infra/ansible/roles/knot_authoritative/files/cznic-labs-knot-dns.list
@@ -0,0 +1 @@
+deb [signed-by=/usr/share/keyrings/cznic-labs-pkg.gpg] https://pkg.labs.nic.cz/knot-dns bookworm main
diff --git a/infra/ansible/roles/knot_authoritative/files/knot.apt.preferences.txt b/infra/ansible/roles/knot_authoritative/files/knot.apt.preferences.txt
@@ -0,0 +1,3 @@
+Package: knot knot-* libdnssec* libzscanner* libknot* python3-libknot*
+Pin-Priority: 1001
+Pin: version 3.4.6
diff --git a/infra/ansible/roles/knot_authoritative/tasks/main.yaml b/infra/ansible/roles/knot_authoritative/tasks/main.yaml
@@ -1,3 +1,27 @@
+- name: Download knot gpg key
+  ansible.builtin.get_url:
+    url: https://pkg.labs.nic.cz/gpg
+    dest: /usr/share/keyrings/cznic-labs-pkg.gpg
+    mode: "0644"
+    owner: root
+    group: root
+
+- name: Setup knot apt repo
+  ansible.builtin.copy:
+    src: cznic-labs-knot-dns.list
+    dest: /etc/apt/sources.list.d/cznic-labs-knot-dns.list
+    mode: "644"
+    owner: root
+    group: root
+
+- name: Pin knot package
+  ansible.builtin.copy:
+    src: knot.apt.preferences.txt
+    dest: /etc/apt/preferences.d/knot
+    mode: "644"
+    owner: root
+    group: root
+
 - name: Install deps
   ansible.builtin.apt:
     lock_timeout: 240
@@ -10,7 +34,7 @@
       - python3-pip
       - python3.11-venv
       - dnsutils
-      - knot
+      - knot=3.4.6-cznic.1~bookworm
 
 - name: Knot DNS Config
   ansible.builtin.template:
diff --git a/infra/ansible/roles/knot_authoritative/templates/knot.conf.j2 b/infra/ansible/roles/knot_authoritative/templates/knot.conf.j2
@@ -50,6 +50,9 @@ key:
   - id: doh.mesh.nycmesh.net.
     algorithm: hmac-sha512
     secret: {{ TSIG_KEY_DOH }}
+  - id: nn.mesh.nycmesh.net.
+    algorithm: hmac-sha512
+    secret: {{ TSIG_KEY_NN }}
   - id: ha.mesh.nycmesh.net.
     algorithm: hmac-sha512
     secret: {{ TSIG_KEY_HOMEASSISTANT }}
@@ -109,6 +112,12 @@ acl:
     update-owner-match: equal
     update-owner-name: acme-challenge.doh.mesh.nycmesh.net.
     key: doh.mesh.nycmesh.net.
+  - id: acl-update-nn
+    action: update
+    update-type: [TXT]
+    update-owner-match: pattern
+    update-owner-name: acme-challenge.*.nn.mesh.nycmesh.net.
+    key: nn.mesh.nycmesh.net.
   - id: acl-update-ha
     action: update
     update-type: [TXT]
@@ -125,6 +134,7 @@ zone:
     acl: acl-update-doh
   - domain: nn.mesh.nycmesh.net
     file: nn.zone
+    acl: acl-update-nn
   - domain: ha.mesh.nycmesh.net
     file: ha.mesh.nycmesh.net.zone
     acl: acl-update-ha
diff --git a/infra/terraform/dns.tf b/infra/terraform/dns.tf
@@ -37,6 +37,7 @@ module "some_mesh_dns_servers" {
   tsig_key_713_r640_01            = var.tsig_key_713_r640_01
   tsig_key_ha                     = var.tsig_key_ha
   tsig_key_doh                    = var.tsig_key_doh
+  tsig_key_nn                     = var.tsig_key_nn
   enable_doh                      = var.enable_doh
   main_auth_server_ip             = var.main_auth_server_ip
   mesh_stub_resolver              = var.mesh_stub_resolver
diff --git a/infra/terraform/mesh_dns_servers/ansible.tf b/infra/terraform/mesh_dns_servers/ansible.tf
@@ -31,6 +31,7 @@ resource "ansible_group" "knot-authoritative" {
     TSIG_KEY_10_R630_01          = var.tsig_key_10_r630_01
     TSIG_KEY_713_R640_01         = var.tsig_key_713_r640_01
     TSIG_KEY_DOH                 = var.tsig_key_doh
+    TSIG_KEY_NN                  = var.tsig_key_nn
     TSIG_KEY_HOMEASSISTANT       = var.tsig_key_ha
   }
 }
diff --git a/infra/terraform/mesh_dns_servers/vars.tf b/infra/terraform/mesh_dns_servers/vars.tf
@@ -218,6 +218,12 @@ variable "tsig_key_doh" {
   sensitive   = true
 }
 
+variable "tsig_key_nn" {
+  type        = string
+  description = "TSIG key for the nn.mesh.nycmesh.net zone"
+  sensitive   = true
+}
+
 variable "tsig_key_ha" {
   type        = string
   description = "TSIG key for the ha.mesh.nycmesh.net zone"
diff --git a/infra/terraform/vars.tf b/infra/terraform/vars.tf
@@ -217,6 +217,12 @@ variable "tsig_key_doh" {
   sensitive   = true
 }
 
+variable "tsig_key_nn" {
+  type        = string
+  description = "TSIG key for the nn.mesh.nycmesh.net zone"
+  sensitive   = true
+}
+
 variable "tsig_key_ha" {
   type        = string
   description = "TSIG key for the ha.mesh.nycmesh.net zone"

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+deb [signed-by=/usr/share/keyrings/cznic-labs-pkg.gpg] https://pkg.labs.nic.cz/knot-dns bookworm main`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+Package: knot knot-* libdnssec* libzscanner* libknot* python3-libknot*`
	`2`	`+Pin-Priority: 1001`
	`3`	`+Pin: version 3.4.6`
Original file line number	Diff line number	Diff line change
`@@ -31,6 +31,7 @@ resource "ansible_group" "knot-authoritative" {`
`31`	`31`	`TSIG_KEY_10_R630_01 = var.tsig_key_10_r630_01`
`32`	`32`	`TSIG_KEY_713_R640_01 = var.tsig_key_713_r640_01`
`33`	`33`	`TSIG_KEY_DOH = var.tsig_key_doh`
	`34`	`+ TSIG_KEY_NN = var.tsig_key_nn`
`34`	`35`	`TSIG_KEY_HOMEASSISTANT = var.tsig_key_ha`
`35`	`36`	`}`
`36`	`37`	`}`