Add TSIG keys (#181)

* proxmox tsig * cleanup * prox * clean * assign acl * fix * clean * unroll
nycmeshnet · Jan 26, 2025 · ae30fff · ae30fff
1 parent bd79d98
commit ae30fff
Show file tree

Hide file tree

Showing 8 changed files with 113 additions and 0 deletions.
diff --git a/.github/workflows/deploy_dns_environment.yaml b/.github/workflows/deploy_dns_environment.yaml
@@ -18,6 +18,10 @@ env:
   TF_VAR_influx_db_token: ${{ secrets.TF_VAR_INFLUX_DB_TOKEN }}
   TF_VAR_datadog_api_key: ${{ secrets.TF_VAR_DATADOG_API_KEY }}
   TF_VAR_dns_cookie_secret: "${{ secrets.TF_VAR_DNS_COOKIE_SECRET }}"
+  TF_VAR_tsig_key_grandmox: "${{ secrets.TF_VAR_TSIG_KEY_GRANDMOX }}"
+  TF_VAR_tsig_key_jon: "${{ secrets.TF_VAR_TSIG_KEY_JON }}"
+  TF_VAR_tsig_key_10_r630_01: "${{ secrets.TF_VAR_TSIG_KEY_10_R630_01 }}"
+  TF_VAR_tsig_key_713_r640_01: "${{ secrets.TF_VAR_TSIG_KEY_713_R640_01 }}"
   TF_VAR_tsig_key_doh: "${{ secrets.TF_VAR_TSIG_KEY_DOH }}"
   # Credentials for deployment to AWS
   AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}

diff --git a/infra/ansible/roles/knot_authoritative/templates/knot.conf.j2 b/infra/ansible/roles/knot_authoritative/templates/knot.conf.j2
@@ -26,11 +26,47 @@ template:
     storage: /var/lib/knot/zones
 
 key:
+  - id: grandmox.prox.mesh.nycmesh.net.
+    algorithm: hmac-sha512
+    secret: {{ TSIG_KEY_GRANDMOX }}
+  - id: jon.prox.mesh.nycmesh.net.
+    algorithm: hmac-sha512
+    secret: {{ TSIG_KEY_JON }}
+  - id: nycmesh-10-r630-01.prox.mesh.nycmesh.net.
+    algorithm: hmac-sha512
+    secret: {{ TSIG_KEY_10_R630_01 }}
+  - id: nycmesh-713-r640-01.prox.mesh.nycmesh.net.
+    algorithm: hmac-sha512
+    secret: {{ TSIG_KEY_713_R640_01 }}
   - id: doh.mesh.nycmesh.net.
     algorithm: hmac-sha512
     secret: {{ TSIG_KEY_DOH }}
 
 acl:
+  - id: acl-update-grandmox
+    action: update
+    update-type: [TXT]
+    update-owner-match: equal
+    update-owner-name: acme-challenge.grandmox.prox.mesh.nycmesh.net.
+    key: grandmox.prox.mesh.nycmesh.net.
+  - id: acl-update-jon
+    action: update
+    update-type: [TXT]
+    update-owner-match: equal
+    update-owner-name: acme-challenge.jon.prox.mesh.nycmesh.net.
+    key: jon.prox.mesh.nycmesh.net.
+  - id: acl-update-nycmesh-10-r630-01
+    action: update
+    update-type: [TXT]
+    update-owner-match: equal
+    update-owner-name: acme-challenge.nycmesh-10-r630-01.prox.mesh.nycmesh.net.
+    key: nycmesh-10-r630-01.prox.mesh.nycmesh.net.
+  - id: acl-update-nycmesh-713-r640-01
+    action: update
+    update-type: [TXT]
+    update-owner-match: equal
+    update-owner-name: acme-challenge.nycmesh-713-r640-01.prox.mesh.nycmesh.net.
+    key: nycmesh-713-r640-01.prox.mesh.nycmesh.net.
   - id: acl-update-doh
     action: update
     update-type: [TXT]
@@ -45,6 +81,9 @@ zone:
   - domain: doh.mesh.nycmesh.net
     file: doh.mesh.nycmesh.net.zone
     acl: acl-update-doh
+  - domain: prox.mesh.nycmesh.net
+    file: prox.mesh.nycmesh.net
+    acl: [acl-update-grandmox, acl-update-jon, acl-update-nycmesh-10-r630-01, acl-update-nycmesh-713-r640-01]
   - domain: nycmeshconnect.com
     file: nycmeshconnect.com.zone
   - domain: nycmeshconnect.net

diff --git a/infra/terraform/dns.tf b/infra/terraform/dns.tf
@@ -28,6 +28,10 @@ module "some_mesh_dns_servers" {
   datadog_api_key                 = var.datadog_api_key
   datadog_site                    = var.datadog_site
   dns_cookie_secret               = var.dns_cookie_secret
+  tsig_key_grandmox               = var.tsig_key_grandmox
+  tsig_key_jon                    = var.tsig_key_jon
+  tsig_key_10_r630_01             = var.tsig_key_10_r630_01
+  tsig_key_713_r640_01            = var.tsig_key_713_r640_01
   tsig_key_doh                    = var.tsig_key_doh
   enable_doh                      = var.enable_doh
   main_auth_server_ip             = var.main_auth_server_ip

diff --git a/infra/terraform/mesh_dns_servers/ansible.tf b/infra/terraform/mesh_dns_servers/ansible.tf
@@ -23,6 +23,10 @@ resource "ansible_group" "knot-authoritative" {
     telegraf_kresd               = ""
     DOH_SERVER                   = ""
     DNS_COOKIE_SECRET            = var.dns_cookie_secret
+    TSIG_KEY_GRANDMOX            = var.tsig_key_grandmox
+    TSIG_KEY_JON                 = var.tsig_key_jon
+    TSIG_KEY_10_R630_01          = var.tsig_key_10_r630_01
+    TSIG_KEY_713_R640_01         = var.tsig_key_713_r640_01
     TSIG_KEY_DOH                 = var.tsig_key_doh
   }
 }

diff --git a/infra/terraform/mesh_dns_servers/vars.tf b/infra/terraform/mesh_dns_servers/vars.tf
@@ -170,6 +170,30 @@ variable "dns_cookie_secret" {
   sensitive   = true
 }
 
+variable "tsig_key_grandmox" {
+  type        = string
+  description = "TSIG key for the grandmox.mesh.nycmesh.net zone"
+  sensitive   = true
+}
+
+variable "tsig_key_jon" {
+  type        = string
+  description = "TSIG key for the jon.mesh.nycmesh.net zone"
+  sensitive   = true
+}
+
+variable "tsig_key_10_r630_01" {
+  type        = string
+  description = "TSIG key for the nycmesh-10-r630-01.mesh.nycmesh.net zone"
+  sensitive   = true
+}
+
+variable "tsig_key_713_r640_01" {
+  type        = string
+  description = "TSIG key for the nycmesh-713-r640-01.mesh.nycmesh.net zone"
+  sensitive   = true
+}
+
 variable "tsig_key_doh" {
   type        = string
   description = "TSIG key for the doh.mesh.nycmesh.net zone"

diff --git a/infra/terraform/vars.tf b/infra/terraform/vars.tf
@@ -169,6 +169,30 @@ variable "dns_cookie_secret" {
   sensitive   = true
 }
 
+variable "tsig_key_grandmox" {
+  type        = string
+  description = "TSIG key for the grandmox.mesh.nycmesh.net zone"
+  sensitive   = true
+}
+
+variable "tsig_key_jon" {
+  type        = string
+  description = "TSIG key for the jon.mesh.nycmesh.net zone"
+  sensitive   = true
+}
+
+variable "tsig_key_10_r630_01" {
+  type        = string
+  description = "TSIG key for the nycmesh-10-r630-01.mesh.nycmesh.net zone"
+  sensitive   = true
+}
+
+variable "tsig_key_713_r640_01" {
+  type        = string
+  description = "TSIG key for the nycmesh-713-r640-01.mesh.nycmesh.net zone"
+  sensitive   = true
+}
+
 variable "tsig_key_doh" {
   type        = string
   description = "TSIG key for the doh.mesh.nycmesh.net zone"

diff --git a/mesh.zone b/mesh.zone
@@ -83,6 +83,9 @@ jmstemp A 199.170.132.45
 ; doh
 doh NS nycmesh-713-dns-auth-3
 
+; Proxmox
+prox NS nycmesh-713-dns-auth-3
+
 ; David K
 emergency-dev A 10.70.90.161
 

diff --git a/prox.mesh.nycmesh.net b/prox.mesh.nycmesh.net
@@ -0,0 +1,11 @@
+$TTL 3600
+@  SOA   ( nycmesh-713-dns-auth-3 hostmaster.nycmesh.net. 2024120100 1d 2h 4w 1h )
+@  NS    nycmesh-713-dns-auth-3
+
+; Authoritative DNS servers
+nycmesh-713-dns-auth-3 A 199.170.132.47
+
+grandmox A 10.70.188.196
+jon A 10.70.90.52
+nycmesh-10-r630-01 A 10.70.103.186
+nycmesh-713-r640-01 A 10.70.90.195