From 7b4ec01c3a054e35c16711b5313cf6704a7af3e5 Mon Sep 17 00:00:00 2001
From: Adrian Reyer <are@lihas.de>
Date: Fri, 16 May 2025 16:16:45 +0200
Subject: [PATCH 1/2] dns: different primaries per zone, but common secondaries
 and config for target setup

---
 dns.yml                                       |  7 ++
 group_vars/dns_secondary.yml                  | 65 ++++++++++++++-----
 .../dns_primary.yml                           | 53 ++++-----------
 host_vars/dns02.as208772.net/dns_primary.yml  | 32 +++++++++
 .../dns_primary.yml                           | 17 +++++
 roles/dns/templates/named.conf.secondary.j2   |  2 +
 6 files changed, 119 insertions(+), 57 deletions(-)
 create mode 100644 dns.yml
 rename host_vars/{dns01.freifunk-stuttgart.net => dns01.freifunk-stuttgart.de}/dns_primary.yml (55%)
 create mode 100644 host_vars/dns02.as208772.net/dns_primary.yml
 create mode 100644 host_vars/dns03.freifunk-stuttgart.eu/dns_primary.yml

diff --git a/dns.yml b/dns.yml
new file mode 100644
index 0000000..b6a9766
--- /dev/null
+++ b/dns.yml
@@ -0,0 +1,7 @@
+---
+- hosts: dns_secondary
+  roles:
+    - dns
+- hosts: dns01.freifunk-stuttgart.de,dns02.as208772.net,dns03.freifunk-stuttgart.eu
+  roles:
+    - dns
diff --git a/group_vars/dns_secondary.yml b/group_vars/dns_secondary.yml
index 445c828..acb2a24 100644
--- a/group_vars/dns_secondary.yml
+++ b/group_vars/dns_secondary.yml
@@ -1,40 +1,71 @@
 ---
-# NOTE: primary zones are configured in host_vars/dns01.freifunk-stuttgart.net/dns_primary.yml
+# NOTE: primary zones are configured in
+# NOTE:   host_vars/dns01.freifunk-stuttgart.de/dns_primary.yml
+# NOTE:   host_vars/dns02.as208772.net/dns_primary.yml
+# NOTE:   host_vars/dns03.freifunk-stuttgart.eu/dns_primary.yml
 
 # primary servers
 # the key in this dict is referred to by the primaries key in dns_secondary_zones.
 dns_primaries:
-  ffs:
+  ffs_dns01: # dns01.freifunk-stuttgart.de
     ips:
       - 2a0f:d607:e:1::211
       - 91.216.35.211
+    key: gw.freifunk-stuttgart.de
+  ffs_dns02: # dns02.as208772.net
+    ips:
+      - 2001:bf7:b201::14
+      - 77.87.49.14
+  ffs_dns03: # dns03.freifunk-stuttgart.eu
+    ips:
+      - 2a01:4f8:141:4083::201
+      - 78.46.42.84
 
 dns_secondary_zones:
   # 2001:67c:d78::/48
   8.7.d.0.c.7.6.0.1.0.0.2.ip6.arpa:
-    primary: ffs
+    primary: ffs_dns01
   # 2a0f:d607::/44
   0.0.0.7.0.6.d.f.0.a.2.ip6.arpa:
-    primary: ffs
+    primary: ffs_dns01
   35.216.91.in-addr.arpa:
-    primary: ffs
+    primary: ffs_dns01
   as208772.net:
-    primary: ffs
+    primary: ffs_dns02
   ffno.de:
-    primary: ffs
+    primary: ffs_dns01
   freifunk-beuren.de:
-    primary: ffs
+    primary: ffs_dns01
   freifunk-stuttgart.de:
-    primary: ffs
-  freifunk-stuttgart.eu:
-    primary: ffs
-  freifunk-stuttgart.net:
-    primary: ffs
+    primary: ffs_dns01
   gw.freifunk-stuttgart.de:
-    primary: ffs
+    primary: ffs_dns01
   segassign.freifunk-stuttgart.de:
-    primary: ffs
+    primary: ffs_dns01
   nodes.freifunk-stuttgart.de:
-    primary: ffs
+    primary: ffs_dns01
+  freifunk-stuttgart.net:
+    primary: ffs_dns02
+  gw.freifunk-stuttgart.net:
+    primary: ffs_dns02
+  segassign.freifunk-stuttgart.net:
+    primary: ffs_dns02
+  nodes.freifunk-stuttgart.net:
+    primary: ffs_dns02
+  freifunk-stuttgart.eu:
+    primary: ffs_dns03
+  gw.freifunk-stuttgart.eu:
+    primary: ffs_dns03
+  segassign.freifunk-stuttgart.eu:
+    primary: ffs_dns03
+  nodes.freifunk-stuttgart.eu:
+    primary: ffs_dns03
   stuttgart.freifunk.net:
-    primary: ffs
+    primary: ffs_dns02
+  gw.stuttgart.freifunk.net:
+    primary: ffs_dns02
+  segassign.stuttgart.freifunk.net:
+    primary: ffs_dns02
+  nodes.stuttgart.freifunk.net:
+    primary: ffs_dns02
+
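Review bot: `ffs_dns02` and `ffs_dns03` carry no `key:` while `ffs_dns01` keeps `key: gw.freifunk-stuttgart.de`, and the Hetzner address 2a01:4f8:141:4083::201 now under `ffs_dns03` was previously listed as `ffs_hetzner` with that same key in the host_vars block this series removes, so the missing key looks like a dropped setting rather than a decision. If the secondary template uses the primary's `key` for the `primaries` statement (its body is not in view), transfers from dns02 and dns03 would then run unsigned and rely only on whatever source-address `allow-transfer` those primaries enforce. Add `key: gw.freifunk-stuttgart.de` (or a per-host key) to both entries and state in the header comment which primaries expect signed transfers. The added empty `+` line at the end only introduces a trailing blank line; the dns01 and dns02 host_vars files in this series end the same way.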
diff --git a/host_vars/dns01.freifunk-stuttgart.net/dns_primary.yml b/host_vars/dns01.freifunk-stuttgart.de/dns_primary.yml
similarity index 55%
rename from host_vars/dns01.freifunk-stuttgart.net/dns_primary.yml
rename to host_vars/dns01.freifunk-stuttgart.de/dns_primary.yml
index 02e1506..77c5367 100644
--- a/host_vars/dns01.freifunk-stuttgart.net/dns_primary.yml
+++ b/host_vars/dns01.freifunk-stuttgart.de/dns_primary.yml
@@ -2,15 +2,6 @@
 # NOTE: secondary zones are configured in group_vars/dns_secondary.yml
 # NOTE: TSIG keyfiles are not managed by ansible and need to be placed manually to /etc/bind/named.conf.tsig
 dns_primary_zones:
-  freifunk-beuren.de:
-    tsig_keys:
-      - gw.freifunk-stuttgart.de
-  freifunk-stuttgart.eu:
-    tsig_keys:
-      - gw.freifunk-stuttgart.de
-  as208772.net:
-    tsig_keys:
-      - gw.freifunk-stuttgart.de
   # 2001:67c:d78::/48
   8.7.d.0.c.7.6.0.1.0.0.2.ip6.arpa:
     tsig_keys:
@@ -22,40 +13,22 @@ dns_primary_zones:
   35.216.91.in-addr.arpa:
     tsig_keys:
       - gw.freifunk-stuttgart.de
-  stuttgart.freifunk.net:
+  ffno.de:
+    tsig_keys:
+      - gw.freifunk-stuttgart.de
+  freifunk-beuren.de:
     tsig_keys:
       - gw.freifunk-stuttgart.de
-
-dns_primaries:
-  lihas:
-    ips:
-      - 2a0f:d600::15
-      - 45.150.152.15
-    key: gw.freifunk-stuttgart.de
-  ffs_hetzner:
-    ips:
-      - 2a01:4f8:141:4083::201
-    key: gw.freifunk-stuttgart.de
-  nrb:
-    ips:
-      - 217.160.211.246
-      - 2a02:247a:23d:a800:1::1
-
-dns_secondary_zones:
-  ffno.de:
-    primary: nrb
   freifunk-stuttgart.de:
-    primary: lihas
-    allow_update_forwarding: true
-  freifunk-stuttgart.net:
-    primary: lihas
-    allow_update_forwarding: true
+    tsig_keys:
+      - gw.freifunk-stuttgart.de
   gw.freifunk-stuttgart.de:
-    primary: lihas
-    allow_update_forwarding: true
+    tsig_keys:
+      - gw.freifunk-stuttgart.de
   segassign.freifunk-stuttgart.de:
-    primary: lihas
-    allow_update_forwarding: true
+    tsig_keys:
+      - gw.freifunk-stuttgart.de
   nodes.freifunk-stuttgart.de:
-    primary: lihas
-    allow_update_forwarding: true
+    tsig_keys:
+      - gw.freifunk-stuttgart.de
+
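Review bot: The removed `allow_update_forwarding: true` entries were the only place that flag was set, and the group_vars entries that now describe the same zones (freifunk-stuttgart.de, gw., segassign., nodes.) do not carry it. That is correct for dns01 itself, which becomes the primary for these zones, but if dynamic-update clients reach dns02 or dns03 for them, those secondaries will no longer forward updates; if that path is still needed, set `allow_update_forwarding: true` on the matching `dns_secondary_zones` entries in group_vars. The header comment could record the split, e.g. `# NOTE: update forwarding for zones mastered here is configured on the secondaries in group_vars/dns_secondary.yml`. The final added line is a bare trailing blank line.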
diff --git a/host_vars/dns02.as208772.net/dns_primary.yml b/host_vars/dns02.as208772.net/dns_primary.yml
new file mode 100644
index 0000000..c4a8993
--- /dev/null
+++ b/host_vars/dns02.as208772.net/dns_primary.yml
@@ -0,0 +1,32 @@
+---
+# NOTE: secondary zones are configured in group_vars/dns_secondary.yml
+# NOTE: TSIG keyfiles are not managed by ansible and need to be placed manually to /etc/bind/named.conf.tsig
+dns_primary_zones:
+  as208772.net:
+    tsig_keys:
+      - gw.freifunk-stuttgart.de
+  freifunk-stuttgart.net:
+    tsig_keys:
+      - gw.freifunk-stuttgart.de
+  gw.freifunk-stuttgart.net:
+    tsig_keys:
+      - gw.freifunk-stuttgart.de
+  segassign.freifunk-stuttgart.net:
+    tsig_keys:
+      - gw.freifunk-stuttgart.de
+  nodes.freifunk-stuttgart.net:
+    tsig_keys:
+      - gw.freifunk-stuttgart.de
+  stuttgart.freifunk.net:
+    tsig_keys:
+      - gw.freifunk-stuttgart.de
+  gw.stuttgart.freifunk.net:
+    tsig_keys:
+      - gw.freifunk-stuttgart.de
+  segassign.stuttgart.freifunk.net:
+    tsig_keys:
+      - gw.freifunk-stuttgart.de
+  nodes.stuttgart.freifunk.net:
+    tsig_keys:
+      - gw.freifunk-stuttgart.de
+
diff --git a/host_vars/dns03.freifunk-stuttgart.eu/dns_primary.yml b/host_vars/dns03.freifunk-stuttgart.eu/dns_primary.yml
new file mode 100644
index 0000000..aca1fe8
--- /dev/null
+++ b/host_vars/dns03.freifunk-stuttgart.eu/dns_primary.yml
@@ -0,0 +1,17 @@
+---
+# NOTE: secondary zones are configured in group_vars/dns_secondary.yml
+# NOTE: TSIG keyfiles are not managed by ansible and need to be placed manually to /etc/bind/named.conf.tsig
+dns_primary_zones:
+  freifunk-stuttgart.eu:
+    tsig_keys:
+      - gw.freifunk-stuttgart.de
+  gw.freifunk-stuttgart.eu:
+    tsig_keys:
+      - gw.freifunk-stuttgart.de
+  segassign.freifunk-stuttgart.eu:
+    tsig_keys:
+      - gw.freifunk-stuttgart.de
+  nodes.freifunk-stuttgart.eu:
+    tsig_keys:
+      - gw.freifunk-stuttgart.de
+  
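Review bot: The last added line consists of two spaces only, which yamllint reports as trailing whitespace and which differs from the plain empty line the sibling host_vars files end with. Drop the line or make it an empty line.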
diff --git a/roles/dns/templates/named.conf.secondary.j2 b/roles/dns/templates/named.conf.secondary.j2
index dbf274c..3e61496 100644
--- a/roles/dns/templates/named.conf.secondary.j2
+++ b/roles/dns/templates/named.conf.secondary.j2
@@ -11,6 +11,7 @@ primaries {{ primary_name }} {
 {% endfor %}
 
 {% for zonename, zone in dns_secondary_zones.items() %}
+{%   if zonename not in dns_primary_zones.keys() %}
 zone "{{ zonename }}" {
 	type secondary;
 	file "{{ dns_secondary_zonefile_dir }}/{{ zonename }}";
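Review bot: `dns_primary_zones.keys()` is evaluated for every host in `dns_secondary`, so a host that does not define `dns_primary_zones` (a pure secondary added to the group later) fails the template render with an undefined variable; currently only the three hosts with host_vars files are in the group, so this is latent. Use a default so the guard degrades to "render every secondary zone": `{%   if zonename not in (dns_primary_zones | default({})) %}`. The `.keys()` call is also unnecessary, since `in` on a mapping already tests keys. The `for` body this guard opens continues past the hunk and its matching `{%   endif %}` sits in the following hunk.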
@@ -21,4 +22,5 @@ zone "{{ zonename }}" {
 	allow-update-forwarding { any; };
 	{% endif %}
 };
+{%   endif %}
 {% endfor %}
-- 
GitLab


From a67c4f08c03ee5b8ed99c971c9fd8ad581618581 Mon Sep 17 00:00:00 2001
From: Adrian Reyer <are@lihas.de>
Date: Fri, 16 May 2025 16:46:39 +0200
Subject: [PATCH 2/2] fix: add dns01 to group dns_secondaries

---
 dns.yml                 | 3 ---
 inventory/dns_secondary | 9 +++++++++
 2 files changed, 9 insertions(+), 3 deletions(-)
 create mode 100644 inventory/dns_secondary

diff --git a/dns.yml b/dns.yml
index b6a9766..306708c 100644
--- a/dns.yml
+++ b/dns.yml
@@ -2,6 +2,3 @@
 - hosts: dns_secondary
   roles:
     - dns
-- hosts: dns01.freifunk-stuttgart.de,dns02.as208772.net,dns03.freifunk-stuttgart.eu
-  roles:
-    - dns
diff --git a/inventory/dns_secondary b/inventory/dns_secondary
new file mode 100644
index 0000000..b759c31
--- /dev/null
+++ b/inventory/dns_secondary
@@ -0,0 +1,9 @@
+---
+dns_secondary:
+  hosts:
+    dns01.vm.freifunk-stuttgart.de:
+      ansible_ssh_user: root
+    dns02.vm.freifunk-stuttgart.net:
+      ansible_ssh_user: root
+    dns03.vm.freifunk-stuttgart.eu:
+      ansible_ssh_user: root
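Review bot: The inventory names these hosts `dns01.vm.freifunk-stuttgart.de`, `dns02.vm.freifunk-stuttgart.net` and `dns03.vm.freifunk-stuttgart.eu`, while the host_vars directories introduced in the first patch are `dns01.freifunk-stuttgart.de`, `dns02.as208772.net` and `dns03.freifunk-stuttgart.eu`; Ansible loads host_vars by inventory hostname, so `dns_primary_zones` would not be applied to these hosts unless the same machines are also listed under the other names elsewhere in the inventory (not visible here). Either rename the host_vars directories to the inventory names or add the inventory entries under the names the host_vars expect. `ansible_ssh_user` is the deprecated spelling; `ansible_user: root` is the current variable. Logging in as root directly also means the primaries' SSH must accept root; a dedicated user with `become: true` would keep that surface smaller, though that is a broader setup choice than this patch.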
-- 
GitLab