expand anycast DNS deployment to all routers

dns.yml

@@ -0,0 +1,74 @@
+- name: Configure DNS servers
+  hosts: routers
+  remote_user: root
+  tasks:
+    - name: Install bind on Arch
+      ansible.builtin.package:
+        name: bind
+        state: present
+      when: ansible_distribution == 'Archlinux'
+    - name: Install bind on Debian
+      ansible.builtin.package:
+        name: bind9
+        state: present
+      when: ansible_distribution == 'Debian'
+    - name: Configure DNS server named.conf files
+      ansible.builtin.template:
+        src: dns/named.conf.j2
+        dest: /etc/named.conf
+        mode: '0644'
+    - name: Use our config file on Debian
+      ansible.builtin.copy:
+        src: dns/named-debian.conf
+        dest: /etc/bind/named.conf
+        mode: '0644'
+      when: ansible_distribution == 'Debian'
+    - name: Ensure /var/named exists on Arch
+      ansible.builtin.file:
+        path: /var/named
+        state: directory
+        mode: '0770'
+        owner: root
+        group: named
+      when: ansible_distribution == 'Archlinux'
+    - name: Ensure /var/named exists on Debian
+      ansible.builtin.file:
+        path: /var/named
+        state: directory
+        mode: '0770'
+        owner: root
+        group: bind
+      when: ansible_distribution == 'Debian'
+    - name: Add DNS dummy interface netdev
+      ansible.builtin.copy:
+        src: dns/igp-dummy-dns.netdev
+        dest: /etc/systemd/network/igp-dummy-dns.netdev
+        mode: '0644'
+    - name: Add DNS dummy interface network
+      ansible.builtin.copy:
+        src: dns/igp-dummy-dns.network
+        dest: /etc/systemd/network/igp-dummy-dns.network
+        mode: '0644'
+    - name: Reload named
+      ansible.builtin.systemd:
+        name: named
+        state: reloaded
+        enabled: true
+    - name: Reload systemd-networkd
+      ansible.builtin.command: networkctl reload
+    - name: Turn off systemd-resolved
+      ansible.builtin.systemd:
+        name: systemd-resolved
+        state: stopped
+        enabled: false
+      ignore_errors: true
+    - name: Push resolv.conf
+      ansible.builtin.copy:
+        src: dns/resolv.conf
+        dest: /etc/resolv.conf
+        mode: '0644'
+    - name: Suppress proxmox resolv.conf meddling
+      ansible.builtin.file:
+        path: /etc/.pve-ignore-resolv.conf
+        state: touch
+        mode: '0644'

dns/igp-dummy-dns.netdev

@@ -0,0 +1,3 @@
+[NetDev]
+Name=igp-dummy-dns
+Kind=dummy

dns/igp-dummy-dns.network

@@ -0,0 +1,6 @@
+[Match]
+Name=igp-dummy-dns
+
+[Network]
+Address=172.22.161.21/32
+Address=fd32:6b0:70a6:53::53/128

dns/named-debian.conf

@@ -0,0 +1 @@
+include "/etc/named.conf";

dns/named.conf.j2

@@ -0,0 +1,72 @@
+// vim:set ts=4 sw=4 et:
+
+options {
+    directory "/var/named";
+    pid-file "/run/named/named.pid";
+
+    // Uncomment these to enable IPv6 connections support
+    // IPv4 will still work:
+    listen-on-v6 { any; };
+    // Add this for no IPv4:
+    //  listen-on { none; };
+
+    allow-recursion { 127.0.0.1; ::1; 172.22.161.0/27; fd32:6b0:70a6::/48; {% if inventory_hostname == 'us1.routers.9pfs.dn42' %} 192.168.19.0/24; {% endif %} };
+    allow-transfer { fd32:6b0:70a6:53::/64; 127.0.0.1; ::1; 172.22.161.10; fd32:6b0:70a6:3000::1; fd32:6b0:70a6:179::/64; };
+    allow-update { none; };
+    version none;
+    hostname none;
+    server-id none;
+    validate-except {
+        "3.10.in-addr.arpa";
+        "ts.net";
+        "dn42";
+        "20.172.in-addr.arpa";
+        "21.172.in-addr.arpa";
+        "22.172.in-addr.arpa";
+        "23.172.in-addr.arpa";
+        "d.f.ip6.arpa";
+    };
+    empty-zones-enable no;
+{% if inventory_hostname == 'us1.routers.9pfs.dn42' %}
+    notify-source-v6 fd32:6b0:70a6:53::ffff;
+{% else %}
+    catalog-zones {
+        zone "catalog.9pfs.dn42" default-primaries { fd32:6b0:70a6:53::ffff; };
+    };
+{% endif %}
+};
+
+{% if inventory_hostname == 'us1.routers.9pfs.dn42' %}
+{% include 'us1-named.conf.j2' %}
+{% else %}
+zone "catalog.9pfs.dn42" {
+    file "catalog.9pfs.dn42.zone";
+    type secondary;
+    primaries {
+        fd32:6b0:70a6:53::ffff;
+    };
+};
+
+{% endif %}
+
+//zone "example.org" IN {
+//    type secondary;
+//    file "example.zone";
+//    primaries {
+//        192.168.1.100;
+//    };
+//    allow-query { any; };
+//    allow-transfer { any; };
+//};
+
+//logging {
+//    channel xfer-log {
+//        file "/var/log/named.log";
+//            print-category yes;
+//            print-severity yes;
+//            severity info;
+//        };
+//        category xfer-in { xfer-log; };
+//        category xfer-out { xfer-log; };
+//        category notify { xfer-log; };
+//};

dns/notify-list.j2

@@ -0,0 +1,11 @@
+also-notify {
+{% for host in ansible_play_hosts %}
+{% if host != inventory_hostname %}
+{{ hostvars[host].unicastv6 }};
+{% endif %}
+{% endfor %}
+{# TODO: remove these #}
+fd32:6b0:70a6:53::1;
+fd32:6b0:70a6:53::2;
+fd32:6b0:70a6:53::3;
+};

dns/resolv.conf

@@ -0,0 +1,5 @@
+# Resolver configuration file.
+# See resolv.conf(5) for details.
+
+nameserver 172.22.161.21
+nameserver fd32:6b0:70a6:53::53

dns/us1-named.conf.j2

@@ -0,0 +1,161 @@
+include "/etc/named.conf.d/rndc.conf";
+
+controls {
+    inet 127.0.0.1 port 953
+        allow { 127.0.0.1; } keys { "rndc-key"; };
+};
+
+// We can't reach IPv6 internet hosts, but *CAN* reach some IPv6 non-internet hosts.
+server 2000::/3 {
+    bogus yes;
+};
+
+zone "9pfs.dn42" IN {
+    type primary;
+    file "9pfs.dn42.zone";
+{% include 'notify-list.j2' %}
+    dnssec-policy default;
+    inline-signing yes;
+};
+
+zone "myip.dn42" IN {
+    type secondary;
+    file "myip.dn42.zone";
+    primaries { fd63:5d40:47e5::1111; };
+{% include 'notify-list.j2' %}
+    allow-notify { fd63:5d40:47e5::/64; };
+};
+zone "81/32.0.20.172.in-addr.arpa" IN {
+    type secondary;
+    file "myip-dn42-v4-rdns.zone";
+    primaries { fd63:5d40:47e5::1111; };
+{% include 'notify-list.j2' %}
+    allow-notify { fd63:5d40:47e5::/64; };
+};
+zone "1.8.0.0.2.4.d.0.2.4.d.0.2.4.d.f.ip6.arpa" IN {
+    type secondary;
+    file "myip-dn42-v6-rdns.zone";
+    primaries { fd63:5d40:47e5::1111; };
+{% include 'notify-list.j2' %}
+    allow-notify { fd63:5d40:47e5::/64; };
+};
+
+zone "6.a.0.7.0.b.6.0.2.3.d.f.ip6.arpa" IN {
+    type primary;
+    file "9pfs-personal-primary-v6-rdns.zone";
+{% include 'notify-list.j2' %}
+    dnssec-policy default;
+    inline-signing yes;
+};
+
+zone "0/27.161.22.172.in-addr.arpa" IN {
+    type primary;
+    file "9pfs-personal-primary-v4-rdns.zone";
+{% include 'notify-list.j2' %}
+    dnssec-policy default;
+    inline-signing yes;
+};
+
+zone "catalog.9pfs.dn42" IN {
+    type primary;
+    file "catalog.9pfs.dn42.zone";
+{% include 'notify-list.j2' %}
+    dnssec-policy default;
+    inline-signing yes;
+};
+
+zone "." IN {
+    type hint;
+    file "named.root";
+};
+
+zone "dn42" IN {
+	type secondary;
+
+	primaries {
+		fd42:180:3de0:30::1;
+#		fd42:180:3de0:10:5054:ff:fe87:ea39;	
+	};
+};
+
+zone "20.172.in-addr.arpa" {
+	type secondary;
+	file "20.172.in-addr.arpa.zone";
+	primaries {
+		fd42:180:3de0:30::1;
+#		fd42:180:3de0:10:5054:ff:fe87:ea39;	
+	};
+};
+
+zone "21.172.in-addr.arpa" {
+	type secondary;
+	file "21.172.in-addr.arpa.zone";
+	primaries {
+		fd42:180:3de0:30::1;
+#		fd42:180:3de0:10:5054:ff:fe87:ea39;	
+	};
+};
+
+zone "22.172.in-addr.arpa" {
+	type secondary;
+	file "22.172.in-addr.arpa.zone";
+	primaries {
+		fd42:180:3de0:30::1;
+#		fd42:180:3de0:10:5054:ff:fe87:ea39;	
+	};
+};
+
+zone "23.172.in-addr.arpa" {
+	type secondary;
+	file "23.172.in-addr.arpa.zone";
+	primaries {
+		fd42:180:3de0:30::1;
+#		fd42:180:3de0:10:5054:ff:fe87:ea39;	
+	};
+};
+
+zone "d.f.ip6.arpa" {
+	type secondary;
+	file "d.f.ip6.arpa.zone";
+	primaries {
+		fd42:180:3de0:30::1;
+#		fd42:180:3de0:10:5054:ff:fe87:ea39;	
+	};
+};
+
+
+zone "lan" {
+	type forward;
+	forwarders {
+		10.3.0.2;
+	};
+};
+
+zone "ts.net" {
+	type forward;
+	forwarders {
+		100.100.100.100;
+	};
+};
+
+zone "3.10.in-addr.arpa" {
+	type forward;
+	forwarders {
+		10.3.0.2;
+	};
+};
+
+zone "localhost" IN {
+    type primary;
+    file "localhost.zone";
+};
+
+zone "0.0.127.in-addr.arpa" IN {
+    type primary;
+    file "127.0.0.zone";
+};
+
+zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
+    type primary;
+    file "localhost.ip6.zone";
+};

ext-peer.network.j2

@@ -12,6 +12,7 @@ IPv4ReversePathFilter=no
 Description=DN42 peering with AS{{ item.asn }}{% if item.wireguard|default(true) %} @ {% if item.remotehost is defined %}{{ item.remotehost }}[{{ item.remoteip }}]:{{ item.remoteport }}{% else %}[{{ item.remoteip }}]:{{ item.remoteport }}{% endif %} {% endif %}
 
 LinkLocalAddressing=false
+IPv4AcceptLocal=true
 
 [Address]
 {% if item['llv6'] is defined %}

inventory.yml

@@ -12,9 +12,11 @@ routers:
       machine_type: vm
       pop_loc: us1
       solanum_sid: '9R1'
+      ansible_host: fd32:6b0:70a6:179::1
     us2.routers.9pfs.dn42:
       ansible_python_interpreter: "/usr/bin/python3"
       machine_type: container
+      ansible_host: fd32:6b0:70a6:179::2
       unicastv4: 172.22.161.2
       unicastv6: fd32:6b0:70a6:179::2
       llv6: fe80::2002:2
@@ -28,6 +30,7 @@ routers:
       llv6: fe80::2002:4
       pop_loc: us3
       solanum_sid: '9R4'
+      ansible_host: fd32:6b0:70a6:179::4
     uk1.routers.9pfs.dn42:
       ansible_python_interpreter: "/usr/bin/python3"
       machine_type: container
@@ -36,6 +39,7 @@ routers:
       llv6: fe80::2002:3
       pop_loc: uk1
       solanum_sid: '9R3'
+      ansible_host: fd32:6b0:70a6:179::3
     kix.routers.9pfs.dn42:
       ansible_python_interpreter: "/usr/bin/python3"
       machine_type: container
@@ -45,6 +49,7 @@ routers:
       pop_loc: kix
       solanum_sid: '9R5'
       shared_net: true
+      ansible_host: fd32:6b0:70a6:179::5
     genesis.routers.9pfs.dn42:
       ansible_python_interpreter: "/usr/bin/python3"
       machine_type: container
@@ -54,6 +59,7 @@ routers:
       pop_loc: genesis
       solanum_sid: '9R6'
       ibgp_passive: true
+      ansible_host: fd32:6b0:70a6:179::6
     fr1.routers.9pfs.dn42:
       machine_type: vm
       unicastv4: 172.22.161.7
@@ -61,8 +67,8 @@ routers:
       llv6: fe80::2002:7
       pop_loc: fr1
       solanum_sid: '9R7'
-      ansible_host: 84.235.232.147
       ansible_python_interpreter: "/usr/bin/python3"
+      ansible_host: fd32:6b0:70a6:179::7
     ca1.routers.9pfs.dn42:
       machine_type: vm
       unicastv4: 172.22.161.8
@@ -72,6 +78,7 @@ routers:
       solanum_sid: '9R8'
       ansible_python_interpreter: "/usr/bin/python3"
       shared_net: true
+      ansible_host: fd32:6b0:70a6:179::8
 services:
   hosts:
     mail.9pfs.dn42:

lg.yml

@@ -3,7 +3,7 @@
   remote_user: root
   tasks:
     - name: Build looking glass destinations list
-      ansible.builtin.shell: echo {% for host in ansible_play_hosts %}{{ hostvars[host]['unicastv6'] }},{% endfor %}|sed 's/,$//'
+      ansible.builtin.shell: echo {% for host in ansible_play_hosts %}{{ hostvars[host].inventory_hostname }},{% endfor %}|sed 's/,$//'
       register: lg_dests
       run_once: true
       delegate_to: 127.0.0.1

ztwfugvwdo.network.j2

@@ -10,6 +10,7 @@ LLDP=true
 EmitLLDP=customer-bridge
 LinkLocalAddressing=false
 IPv4ReversePathFilter=no
+IPv4AcceptLocal=true
 
 [Address]
 Address={{ llv6 }}/64