From 2642cc3047ae1a2f5cc00688f3752dd5db3896a6 Mon Sep 17 00:00:00 2001
From: james-otten
Date: Mon, 27 Jan 2025 23:46:14 -0500
Subject: [PATCH 01/10] rules
---
 .../knot_recursive/templates/kresd.conf.j2 | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/infra/ansible/roles/knot_recursive/templates/kresd.conf.j2 b/infra/ansible/roles/knot_recursive/templates/kresd.conf.j2
index ad35231..dada30e 100644
--- a/infra/ansible/roles/knot_recursive/templates/kresd.conf.j2
+++ b/infra/ansible/roles/knot_recursive/templates/kresd.conf.j2
@@ -36,6 +36,31 @@ nsid.name('{{ SERVER_HOSTNAME }}')
 net.tls("/etc/knot-resolver/server-cert.pem", "/etc/knot-resolver/server-key.pem")
 {% endif %}
+-- Subdomains delegated outside of "this" server from within the mesh
+view:addr('10.0.0.0/8', policy.suffix(policy.FORWARD('10.70.90.174'), policy.todnames({'.me.mesh.', '.em.mesh.nycmesh.net.'})))
+view:addr('23.158.16.0/24', policy.suffix(policy.FORWARD('10.70.90.174'), policy.todnames({'.em.mesh.', '.em.mesh.nycmesh.net.'})))
+view:addr('199.167.59.0/24', policy.suffix(policy.FORWARD('10.70.90.174'), policy.todnames({'.em.mesh.', '.em.mesh.nycmesh.net.'})))
+view:addr('199.170.132.0/24', policy.suffix(policy.FORWARD('10.70.90.174'), policy.todnames({'.em.mesh.', '.em.mesh.nycmesh.net.'})))
+view:addr('208.68.5.0/24', policy.suffix(policy.FORWARD('10.70.90.174'), policy.todnames({'.em.mesh.', '.em.mesh.nycmesh.net.'})))
+
+view:addr('10.0.0.0/8', policy.suffix(policy.FORWARD('10.70.132.1'), policy.todnames({'.zrg.mesh.', '.zrg.mesh.nycmesh.net.', '.n363.mesh.', '.n363.mesh.nycmesh.net.'})))
+view:addr('23.158.16.0/24', policy.suffix(policy.FORWARD('10.70.132.1'), policy.todnames({'.zrg.mesh.', '.zrg.mesh.nycmesh.net.', '.n363.mesh.', '.n363.mesh.nycmesh.net.'})))
+view:addr('199.167.59.0/24', policy.suffix(policy.FORWARD('10.70.132.1'), policy.todnames({'.zrg.mesh.', '.zrg.mesh.nycmesh.net.', '.n363.mesh.', '.n363.mesh.nycmesh.net.'})))
+view:addr('199.170.132.0/24', policy.suffix(policy.FORWARD('10.70.132.1'), policy.todnames({'.zrg.mesh.', '.zrg.mesh.nycmesh.net.', '.n363.mesh.', '.n363.mesh.nycmesh.net.'})))
+view:addr('208.68.5.0/24', policy.suffix(policy.FORWARD('10.70.132.1'), policy.todnames({'.zrg.mesh.', '.zrg.mesh.nycmesh.net.', '.n363.mesh.', '.n363.mesh.nycmesh.net.'})))
+
+view:addr('10.0.0.0/8', policy.suffix(policy.FORWARD('199.170.132.101'), policy.todnames({'.daniel.mesh.', '.daniel.mesh.nycmesh.net.'})))
+view:addr('23.158.16.0/24', policy.suffix(policy.FORWARD('199.170.132.101'), policy.todnames({'.daniel.mesh.', '.daniel.mesh.nycmesh.net.'})))
+view:addr('199.167.59.0/24', policy.suffix(policy.FORWARD('199.170.132.101'), policy.todnames({'.daniel.mesh.', '.daniel.mesh.nycmesh.net.'})))
+view:addr('199.170.132.0/24', policy.suffix(policy.FORWARD('199.170.132.101'), policy.todnames({'.daniel.mesh.', '.daniel.mesh.nycmesh.net.'})))
+view:addr('208.68.5.0/24', policy.suffix(policy.FORWARD('199.170.132.101'), policy.todnames({'.daniel.mesh.', '.daniel.mesh.nycmesh.net.'})))
+
+view:addr('10.0.0.0/8', policy.suffix(policy.FORWARD('54.161.165.190'), policy.todnames({'.andrew.mesh.', '.andrew.mesh.nycmesh.net.'})))
+view:addr('23.158.16.0/24', policy.suffix(policy.FORWARD('54.161.165.190'), policy.todnames({'.andrew.mesh.', '.andrew.mesh.nycmesh.net.'})))
+view:addr('199.167.59.0/24', policy.suffix(policy.FORWARD('54.161.165.190'), policy.todnames({'.andrew.mesh.', '.andrew.mesh.nycmesh.net.'})))
+view:addr('199.170.132.0/24', policy.suffix(policy.FORWARD('54.161.165.190'), policy.todnames({'.andrew.mesh.', '.andrew.mesh.nycmesh.net.'})))
+view:addr('208.68.5.0/24', policy.suffix(policy.FORWARD('54.161.165.190'), policy.todnames({'.andrew.mesh.', '.andrew.mesh.nycmesh.net.'})))
+
 -- Mesh from mesh
 view:addr('10.0.0.0/8', policy.suffix(policy.STUB('{{ MESH_STUB_RESOLVER }}'), policy.todnames({'mesh.', 'mesh.nycmesh.net.'})))
 view:addr('23.158.16.0/24', policy.suffix(policy.STUB('{{ MESH_STUB_RESOLVER }}'), policy.todnames({'mesh.', 'mesh.nycmesh.net.'})))
From 9315145b7a3cf126aa198e737c33d2c8cdb3904a Mon Sep 17 00:00:00 2001
From: james-otten
Date: Tue, 28 Jan 2025 00:17:59 -0500
Subject: [PATCH 02/10] rules
---
 .../knot_recursive/templates/kresd.conf.j2 | 46 +++++++++----------
 1 file changed, 23 insertions(+), 23 deletions(-)
diff --git a/infra/ansible/roles/knot_recursive/templates/kresd.conf.j2 b/infra/ansible/roles/knot_recursive/templates/kresd.conf.j2
index dada30e..9a443fe 100644
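Review bot: The twenty `view:addr` rules added in patch 01 are five copies of each delegation that differ only in the client subnet, and the copies have already drifted: the first `10.0.0.0/8` rule names `'.me.mesh.'` where its four siblings name `'.em.mesh.'`. Since kresd.conf is Lua, the client ranges and the upstream-to-suffix pairs can each be listed once and expanded in a loop, so changing an upstream or a suffix touches one line instead of five. Patches 02, 03 and 04 rewrite the same twenty lines and would shrink in the same way. The block sits at the top level of the template, so nothing outside the hunk is involved.

```lua
-- Client ranges that receive the delegated-subdomain rules
local delegation_clients = {
  '10.0.0.0/8', '23.158.16.0/24', '199.167.59.0/24', '199.170.132.0/24', '208.68.5.0/24',
}
-- { upstream address, suffixes delegated to it }
local delegations = {
  { '10.70.90.174',    {'.em.mesh.', '.em.mesh.nycmesh.net.'} },
  { '10.70.132.1',     {'.zrg.mesh.', '.zrg.mesh.nycmesh.net.', '.n363.mesh.', '.n363.mesh.nycmesh.net.'} },
  { '199.170.132.101', {'.daniel.mesh.', '.daniel.mesh.nycmesh.net.'} },
  { '54.161.165.190',  {'.andrew.mesh.', '.andrew.mesh.nycmesh.net.'} },
}
for _, d in ipairs(delegations) do
  for _, subnet in ipairs(delegation_clients) do
    view:addr(subnet, policy.suffix(policy.FORWARD(d[1]), policy.todnames(d[2])))
  end
end
```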
--- a/infra/ansible/roles/knot_recursive/templates/kresd.conf.j2
+++ b/infra/ansible/roles/knot_recursive/templates/kresd.conf.j2
@@ -37,29 +37,29 @@ net.tls("/etc/knot-resolver/server-cert.pem", "/etc/knot-resolver/server-key.pem
 {% endif %}
 -- Subdomains delegated outside of "this" server from within the mesh
-view:addr('10.0.0.0/8', policy.suffix(policy.FORWARD('10.70.90.174'), policy.todnames({'.me.mesh.', '.em.mesh.nycmesh.net.'})))
-view:addr('23.158.16.0/24', policy.suffix(policy.FORWARD('10.70.90.174'), policy.todnames({'.em.mesh.', '.em.mesh.nycmesh.net.'})))
-view:addr('199.167.59.0/24', policy.suffix(policy.FORWARD('10.70.90.174'), policy.todnames({'.em.mesh.', '.em.mesh.nycmesh.net.'})))
-view:addr('199.170.132.0/24', policy.suffix(policy.FORWARD('10.70.90.174'), policy.todnames({'.em.mesh.', '.em.mesh.nycmesh.net.'})))
-view:addr('208.68.5.0/24', policy.suffix(policy.FORWARD('10.70.90.174'), policy.todnames({'.em.mesh.', '.em.mesh.nycmesh.net.'})))
-
-view:addr('10.0.0.0/8', policy.suffix(policy.FORWARD('10.70.132.1'), policy.todnames({'.zrg.mesh.', '.zrg.mesh.nycmesh.net.', '.n363.mesh.', '.n363.mesh.nycmesh.net.'})))
-view:addr('23.158.16.0/24', policy.suffix(policy.FORWARD('10.70.132.1'), policy.todnames({'.zrg.mesh.', '.zrg.mesh.nycmesh.net.', '.n363.mesh.', '.n363.mesh.nycmesh.net.'})))
-view:addr('199.167.59.0/24', policy.suffix(policy.FORWARD('10.70.132.1'), policy.todnames({'.zrg.mesh.', '.zrg.mesh.nycmesh.net.', '.n363.mesh.', '.n363.mesh.nycmesh.net.'})))
-view:addr('199.170.132.0/24', policy.suffix(policy.FORWARD('10.70.132.1'), policy.todnames({'.zrg.mesh.', '.zrg.mesh.nycmesh.net.', '.n363.mesh.', '.n363.mesh.nycmesh.net.'})))
-view:addr('208.68.5.0/24', policy.suffix(policy.FORWARD('10.70.132.1'), policy.todnames({'.zrg.mesh.', '.zrg.mesh.nycmesh.net.', '.n363.mesh.', '.n363.mesh.nycmesh.net.'})))
-
-view:addr('10.0.0.0/8', policy.suffix(policy.FORWARD('199.170.132.101'), policy.todnames({'.daniel.mesh.', '.daniel.mesh.nycmesh.net.'})))
-view:addr('23.158.16.0/24', policy.suffix(policy.FORWARD('199.170.132.101'), policy.todnames({'.daniel.mesh.', '.daniel.mesh.nycmesh.net.'})))
-view:addr('199.167.59.0/24', policy.suffix(policy.FORWARD('199.170.132.101'), policy.todnames({'.daniel.mesh.', '.daniel.mesh.nycmesh.net.'})))
-view:addr('199.170.132.0/24', policy.suffix(policy.FORWARD('199.170.132.101'), policy.todnames({'.daniel.mesh.', '.daniel.mesh.nycmesh.net.'})))
-view:addr('208.68.5.0/24', policy.suffix(policy.FORWARD('199.170.132.101'), policy.todnames({'.daniel.mesh.', '.daniel.mesh.nycmesh.net.'})))
-
-view:addr('10.0.0.0/8', policy.suffix(policy.FORWARD('54.161.165.190'), policy.todnames({'.andrew.mesh.', '.andrew.mesh.nycmesh.net.'})))
-view:addr('23.158.16.0/24', policy.suffix(policy.FORWARD('54.161.165.190'), policy.todnames({'.andrew.mesh.', '.andrew.mesh.nycmesh.net.'})))
-view:addr('199.167.59.0/24', policy.suffix(policy.FORWARD('54.161.165.190'), policy.todnames({'.andrew.mesh.', '.andrew.mesh.nycmesh.net.'})))
-view:addr('199.170.132.0/24', policy.suffix(policy.FORWARD('54.161.165.190'), policy.todnames({'.andrew.mesh.', '.andrew.mesh.nycmesh.net.'})))
-view:addr('208.68.5.0/24', policy.suffix(policy.FORWARD('54.161.165.190'), policy.todnames({'.andrew.mesh.', '.andrew.mesh.nycmesh.net.'})))
+view:addr('10.0.0.0/8', policy.suffix(policy.STUB('10.70.90.174'), policy.todnames({'.em.mesh.', '.em.mesh.nycmesh.net.'})))
+view:addr('23.158.16.0/24', policy.suffix(policy.STUB('10.70.90.174'), policy.todnames({'.em.mesh.', '.em.mesh.nycmesh.net.'})))
+view:addr('199.167.59.0/24', policy.suffix(policy.STUB('10.70.90.174'), policy.todnames({'.em.mesh.', '.em.mesh.nycmesh.net.'})))
+view:addr('199.170.132.0/24', policy.suffix(policy.STUB('10.70.90.174'), policy.todnames({'.em.mesh.', '.em.mesh.nycmesh.net.'})))
+view:addr('208.68.5.0/24', policy.suffix(policy.STUB('10.70.90.174'), policy.todnames({'.em.mesh.', '.em.mesh.nycmesh.net.'})))
+
+view:addr('10.0.0.0/8', policy.suffix(policy.STUB('10.70.132.1'), policy.todnames({'.zrg.mesh.', '.zrg.mesh.nycmesh.net.', '.n363.mesh.', '.n363.mesh.nycmesh.net.'})))
+view:addr('23.158.16.0/24', policy.suffix(policy.STUB('10.70.132.1'), policy.todnames({'.zrg.mesh.', '.zrg.mesh.nycmesh.net.', '.n363.mesh.', '.n363.mesh.nycmesh.net.'})))
+view:addr('199.167.59.0/24', policy.suffix(policy.STUB('10.70.132.1'), policy.todnames({'.zrg.mesh.', '.zrg.mesh.nycmesh.net.', '.n363.mesh.', '.n363.mesh.nycmesh.net.'})))
+view:addr('199.170.132.0/24', policy.suffix(policy.STUB('10.70.132.1'), policy.todnames({'.zrg.mesh.', '.zrg.mesh.nycmesh.net.', '.n363.mesh.', '.n363.mesh.nycmesh.net.'})))
+view:addr('208.68.5.0/24', policy.suffix(policy.STUB('10.70.132.1'), policy.todnames({'.zrg.mesh.', '.zrg.mesh.nycmesh.net.', '.n363.mesh.', '.n363.mesh.nycmesh.net.'})))
+
+view:addr('10.0.0.0/8', policy.suffix(policy.STUB('199.170.132.101'), policy.todnames({'.daniel.mesh.', '.daniel.mesh.nycmesh.net.'})))
+view:addr('23.158.16.0/24', policy.suffix(policy.STUB('199.170.132.101'), policy.todnames({'.daniel.mesh.', '.daniel.mesh.nycmesh.net.'})))
+view:addr('199.167.59.0/24', policy.suffix(policy.STUB('199.170.132.101'), policy.todnames({'.daniel.mesh.', '.daniel.mesh.nycmesh.net.'})))
+view:addr('199.170.132.0/24', policy.suffix(policy.STUB('199.170.132.101'), policy.todnames({'.daniel.mesh.', '.daniel.mesh.nycmesh.net.'})))
+view:addr('208.68.5.0/24', policy.suffix(policy.STUB('199.170.132.101'), policy.todnames({'.daniel.mesh.', '.daniel.mesh.nycmesh.net.'})))
+
+view:addr('10.0.0.0/8', policy.suffix(policy.STUB('54.161.165.190'), policy.todnames({'.andrew.mesh.', '.andrew.mesh.nycmesh.net.'})))
+view:addr('23.158.16.0/24', policy.suffix(policy.STUB('54.161.165.190'), policy.todnames({'.andrew.mesh.', '.andrew.mesh.nycmesh.net.'})))
+view:addr('199.167.59.0/24', policy.suffix(policy.STUB('54.161.165.190'), policy.todnames({'.andrew.mesh.', '.andrew.mesh.nycmesh.net.'})))
+view:addr('199.170.132.0/24', policy.suffix(policy.STUB('54.161.165.190'), policy.todnames({'.andrew.mesh.', '.andrew.mesh.nycmesh.net.'})))
+view:addr('208.68.5.0/24', policy.suffix(policy.STUB('54.161.165.190'), policy.todnames({'.andrew.mesh.', '.andrew.mesh.nycmesh.net.'})))
 -- Mesh from mesh
 view:addr('10.0.0.0/8', policy.suffix(policy.STUB('{{ MESH_STUB_RESOLVER }}'), policy.todnames({'mesh.', 'mesh.nycmesh.net.'})))
From 83ddef7613839a23cd19c0e2b6cb1ea24417de2a Mon Sep 17 00:00:00 2001
From: james-otten
Date: Wed, 29 Jan 2025 02:11:14 -0500
Subject: [PATCH 03/10] rules
---
 .../knot_recursive/templates/kresd.conf.j2 | 46 +++++++++----------
 1 file changed, 23 insertions(+), 23 deletions(-)
diff --git a/infra/ansible/roles/knot_recursive/templates/kresd.conf.j2 b/infra/ansible/roles/knot_recursive/templates/kresd.conf.j2
index 9a443fe..a0260b4 100644
--- a/infra/ansible/roles/knot_recursive/templates/kresd.conf.j2
+++ b/infra/ansible/roles/knot_recursive/templates/kresd.conf.j2
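Review bot: Replacing `policy.FORWARD` with `policy.STUB` on every delegated suffix in patch 02 means answers from these four upstreams are relayed without DNSSEC validation, and the hunk does not say why. One upstream, `54.161.165.190`, lies outside all five client ranges this file lists, so queries for `andrew.mesh.` and `andrew.mesh.nycmesh.net.` appear to leave the mesh as plain DNS and come back unauthenticated. That may be unavoidable for names under the private `mesh.` suffix, but I would record it above the block, e.g. `-- STUB (not FORWARD): answers for these suffixes are relayed without DNSSEC validation`, and note beside the `54.161.165.190` rules how that path is protected (tunnel, firewall allow-list) or why it is accepted. Because kresd's cache is shared across views, it is also worth confirming that nothing under these suffixes has to stay hidden from clients outside the five ranges.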
@@ -37,29 +37,29 @@ net.tls("/etc/knot-resolver/server-cert.pem", "/etc/knot-resolver/server-key.pem
 {% endif %}
 -- Subdomains delegated outside of "this" server from within the mesh
-view:addr('10.0.0.0/8', policy.suffix(policy.STUB('10.70.90.174'), policy.todnames({'.em.mesh.', '.em.mesh.nycmesh.net.'})))
-view:addr('23.158.16.0/24', policy.suffix(policy.STUB('10.70.90.174'), policy.todnames({'.em.mesh.', '.em.mesh.nycmesh.net.'})))
-view:addr('199.167.59.0/24', policy.suffix(policy.STUB('10.70.90.174'), policy.todnames({'.em.mesh.', '.em.mesh.nycmesh.net.'})))
-view:addr('199.170.132.0/24', policy.suffix(policy.STUB('10.70.90.174'), policy.todnames({'.em.mesh.', '.em.mesh.nycmesh.net.'})))
-view:addr('208.68.5.0/24', policy.suffix(policy.STUB('10.70.90.174'), policy.todnames({'.em.mesh.', '.em.mesh.nycmesh.net.'})))
-
-view:addr('10.0.0.0/8', policy.suffix(policy.STUB('10.70.132.1'), policy.todnames({'.zrg.mesh.', '.zrg.mesh.nycmesh.net.', '.n363.mesh.', '.n363.mesh.nycmesh.net.'})))
-view:addr('23.158.16.0/24', policy.suffix(policy.STUB('10.70.132.1'), policy.todnames({'.zrg.mesh.', '.zrg.mesh.nycmesh.net.', '.n363.mesh.', '.n363.mesh.nycmesh.net.'})))
-view:addr('199.167.59.0/24', policy.suffix(policy.STUB('10.70.132.1'), policy.todnames({'.zrg.mesh.', '.zrg.mesh.nycmesh.net.', '.n363.mesh.', '.n363.mesh.nycmesh.net.'})))
-view:addr('199.170.132.0/24', policy.suffix(policy.STUB('10.70.132.1'), policy.todnames({'.zrg.mesh.', '.zrg.mesh.nycmesh.net.', '.n363.mesh.', '.n363.mesh.nycmesh.net.'})))
-view:addr('208.68.5.0/24', policy.suffix(policy.STUB('10.70.132.1'), policy.todnames({'.zrg.mesh.', '.zrg.mesh.nycmesh.net.', '.n363.mesh.', '.n363.mesh.nycmesh.net.'})))
-
-view:addr('10.0.0.0/8', policy.suffix(policy.STUB('199.170.132.101'), policy.todnames({'.daniel.mesh.', '.daniel.mesh.nycmesh.net.'})))
-view:addr('23.158.16.0/24', policy.suffix(policy.STUB('199.170.132.101'), policy.todnames({'.daniel.mesh.', '.daniel.mesh.nycmesh.net.'})))
-view:addr('199.167.59.0/24', policy.suffix(policy.STUB('199.170.132.101'), policy.todnames({'.daniel.mesh.', '.daniel.mesh.nycmesh.net.'})))
-view:addr('199.170.132.0/24', policy.suffix(policy.STUB('199.170.132.101'), policy.todnames({'.daniel.mesh.', '.daniel.mesh.nycmesh.net.'})))
-view:addr('208.68.5.0/24', policy.suffix(policy.STUB('199.170.132.101'), policy.todnames({'.daniel.mesh.', '.daniel.mesh.nycmesh.net.'})))
-
-view:addr('10.0.0.0/8', policy.suffix(policy.STUB('54.161.165.190'), policy.todnames({'.andrew.mesh.', '.andrew.mesh.nycmesh.net.'})))
-view:addr('23.158.16.0/24', policy.suffix(policy.STUB('54.161.165.190'), policy.todnames({'.andrew.mesh.', '.andrew.mesh.nycmesh.net.'})))
-view:addr('199.167.59.0/24', policy.suffix(policy.STUB('54.161.165.190'), policy.todnames({'.andrew.mesh.', '.andrew.mesh.nycmesh.net.'})))
-view:addr('199.170.132.0/24', policy.suffix(policy.STUB('54.161.165.190'), policy.todnames({'.andrew.mesh.', '.andrew.mesh.nycmesh.net.'})))
-view:addr('208.68.5.0/24', policy.suffix(policy.STUB('54.161.165.190'), policy.todnames({'.andrew.mesh.', '.andrew.mesh.nycmesh.net.'})))
+view:addr('10.0.0.0/8', policy.suffix(policy.STUB('10.70.90.174'), policy.todnames({'em.mesh.', 'em.mesh.nycmesh.net.'})))
+view:addr('23.158.16.0/24', policy.suffix(policy.STUB('10.70.90.174'), policy.todnames({'em.mesh.', 'em.mesh.nycmesh.net.'})))
+view:addr('199.167.59.0/24', policy.suffix(policy.STUB('10.70.90.174'), policy.todnames({'em.mesh.', 'em.mesh.nycmesh.net.'})))
+view:addr('199.170.132.0/24', policy.suffix(policy.STUB('10.70.90.174'), policy.todnames({'em.mesh.', 'em.mesh.nycmesh.net.'})))
+view:addr('208.68.5.0/24', policy.suffix(policy.STUB('10.70.90.174'), policy.todnames({'em.mesh.', 'em.mesh.nycmesh.net.'})))
+
+view:addr('10.0.0.0/8', policy.suffix(policy.STUB('10.70.132.1'), policy.todnames({'zrg.mesh.', 'zrg.mesh.nycmesh.net.', '.n363.mesh.', '.n363.mesh.nycmesh.net.'})))
+view:addr('23.158.16.0/24', policy.suffix(policy.STUB('10.70.132.1'), policy.todnames({'zrg.mesh.', 'zrg.mesh.nycmesh.net.', '.n363.mesh.', '.n363.mesh.nycmesh.net.'})))
+view:addr('199.167.59.0/24', policy.suffix(policy.STUB('10.70.132.1'), policy.todnames({'zrg.mesh.', 'zrg.mesh.nycmesh.net.', '.n363.mesh.', '.n363.mesh.nycmesh.net.'})))
+view:addr('199.170.132.0/24', policy.suffix(policy.STUB('10.70.132.1'), policy.todnames({'zrg.mesh.', 'zrg.mesh.nycmesh.net.', '.n363.mesh.', '.n363.mesh.nycmesh.net.'})))
+view:addr('208.68.5.0/24', policy.suffix(policy.STUB('10.70.132.1'), policy.todnames({'zrg.mesh.', 'zrg.mesh.nycmesh.net.', '.n363.mesh.', '.n363.mesh.nycmesh.net.'})))
+
+view:addr('10.0.0.0/8', policy.suffix(policy.STUB('199.170.132.101'), policy.todnames({'daniel.mesh.', 'daniel.mesh.nycmesh.net.'})))
+view:addr('23.158.16.0/24', policy.suffix(policy.STUB('199.170.132.101'), policy.todnames({'daniel.mesh.', 'daniel.mesh.nycmesh.net.'})))
+view:addr('199.167.59.0/24', policy.suffix(policy.STUB('199.170.132.101'), policy.todnames({'daniel.mesh.', 'daniel.mesh.nycmesh.net.'})))
+view:addr('199.170.132.0/24', policy.suffix(policy.STUB('199.170.132.101'), policy.todnames({'daniel.mesh.', 'daniel.mesh.nycmesh.net.'})))
+view:addr('208.68.5.0/24', policy.suffix(policy.STUB('199.170.132.101'), policy.todnames({'daniel.mesh.', 'daniel.mesh.nycmesh.net.'})))
+
+view:addr('10.0.0.0/8', policy.suffix(policy.STUB('54.161.165.190'), policy.todnames({'andrew.mesh.', 'andrew.mesh.nycmesh.net.'})))
+view:addr('23.158.16.0/24', policy.suffix(policy.STUB('54.161.165.190'), policy.todnames({'andrew.mesh.', 'andrew.mesh.nycmesh.net.'})))
+view:addr('199.167.59.0/24', policy.suffix(policy.STUB('54.161.165.190'), policy.todnames({'andrew.mesh.', 'andrew.mesh.nycmesh.net.'})))
+view:addr('199.170.132.0/24', policy.suffix(policy.STUB('54.161.165.190'), policy.todnames({'andrew.mesh.', 'andrew.mesh.nycmesh.net.'})))
+view:addr('208.68.5.0/24', policy.suffix(policy.STUB('54.161.165.190'), policy.todnames({'andrew.mesh.', 'andrew.mesh.nycmesh.net.'})))
 -- Mesh from mesh
 view:addr('10.0.0.0/8', policy.suffix(policy.STUB('{{ MESH_STUB_RESOLVER }}'), policy.todnames({'mesh.', 'mesh.nycmesh.net.'})))
From 49f04ef29d61ae68a5eb8052b58ea90897f60f9c Mon Sep 17 00:00:00 2001
From: james-otten
Date: Wed, 29 Jan 2025 02:17:42 -0500
Subject: [PATCH 04/10] rules
---
 .../roles/knot_recursive/templates/kresd.conf.j2 | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/infra/ansible/roles/knot_recursive/templates/kresd.conf.j2 b/infra/ansible/roles/knot_recursive/templates/kresd.conf.j2
index a0260b4..9c46fbc 100644
--- a/infra/ansible/roles/knot_recursive/templates/kresd.conf.j2
+++ b/infra/ansible/roles/knot_recursive/templates/kresd.conf.j2
@@ -43,11 +43,11 @@ view:addr('199.167.59.0/24', policy.suffix(policy.STUB('10.70.90.174'), policy.t
 view:addr('199.170.132.0/24', policy.suffix(policy.STUB('10.70.90.174'), policy.todnames({'em.mesh.', 'em.mesh.nycmesh.net.'})))
 view:addr('208.68.5.0/24', policy.suffix(policy.STUB('10.70.90.174'), policy.todnames({'em.mesh.', 'em.mesh.nycmesh.net.'})))
-view:addr('10.0.0.0/8', policy.suffix(policy.STUB('10.70.132.1'), policy.todnames({'zrg.mesh.', 'zrg.mesh.nycmesh.net.', '.n363.mesh.', '.n363.mesh.nycmesh.net.'})))
-view:addr('23.158.16.0/24', policy.suffix(policy.STUB('10.70.132.1'), policy.todnames({'zrg.mesh.', 'zrg.mesh.nycmesh.net.', '.n363.mesh.', '.n363.mesh.nycmesh.net.'})))
-view:addr('199.167.59.0/24', policy.suffix(policy.STUB('10.70.132.1'), policy.todnames({'zrg.mesh.', 'zrg.mesh.nycmesh.net.', '.n363.mesh.', '.n363.mesh.nycmesh.net.'})))
-view:addr('199.170.132.0/24', policy.suffix(policy.STUB('10.70.132.1'), policy.todnames({'zrg.mesh.', 'zrg.mesh.nycmesh.net.', '.n363.mesh.', '.n363.mesh.nycmesh.net.'})))
-view:addr('208.68.5.0/24', policy.suffix(policy.STUB('10.70.132.1'), policy.todnames({'zrg.mesh.', 'zrg.mesh.nycmesh.net.', '.n363.mesh.', '.n363.mesh.nycmesh.net.'})))
+view:addr('10.0.0.0/8', policy.suffix(policy.STUB('10.70.132.1'), policy.todnames({'zrg.mesh.', 'zrg.mesh.nycmesh.net.', 'n363.mesh.', 'n363.mesh.nycmesh.net.'})))
+view:addr('23.158.16.0/24', policy.suffix(policy.STUB('10.70.132.1'), policy.todnames({'zrg.mesh.', 'zrg.mesh.nycmesh.net.', 'n363.mesh.', 'n363.mesh.nycmesh.net.'})))
+view:addr('199.167.59.0/24', policy.suffix(policy.STUB('10.70.132.1'), policy.todnames({'zrg.mesh.', 'zrg.mesh.nycmesh.net.', 'n363.mesh.', 'n363.mesh.nycmesh.net.'})))
+view:addr('199.170.132.0/24', policy.suffix(policy.STUB('10.70.132.1'), policy.todnames({'zrg.mesh.', 'zrg.mesh.nycmesh.net.', 'n363.mesh.', 'n363.mesh.nycmesh.net.'})))
+view:addr('208.68.5.0/24', policy.suffix(policy.STUB('10.70.132.1'), policy.todnames({'zrg.mesh.', 'zrg.mesh.nycmesh.net.', 'n363.mesh.', 'n363.mesh.nycmesh.net.'})))
 view:addr('10.0.0.0/8', policy.suffix(policy.STUB('199.170.132.101'), policy.todnames({'daniel.mesh.', 'daniel.mesh.nycmesh.net.'})))
 view:addr('23.158.16.0/24', policy.suffix(policy.STUB('199.170.132.101'), policy.todnames({'daniel.mesh.', 'daniel.mesh.nycmesh.net.'})))
From bbae47bb3ce36b37238a33c209ff31e934bd5615 Mon Sep 17 00:00:00 2001
From: james-otten
Date: Wed, 29 Jan 2025 21:20:59 -0500
Subject: [PATCH 05/10] remove outgoing ip for now
---
 infra/ansible/roles/knot_recursive/templates/kresd.conf.j2 | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/infra/ansible/roles/knot_recursive/templates/kresd.conf.j2 b/infra/ansible/roles/knot_recursive/templates/kresd.conf.j2
index 9c46fbc..43e15ca 100644
--- a/infra/ansible/roles/knot_recursive/templates/kresd.conf.j2
+++ b/infra/ansible/roles/knot_recursive/templates/kresd.conf.j2
@@ -16,7 +16,8 @@ net.listen('{{ EXTERNAL_LISTEN_IP }}', 443, { kind = 'doh2' })
 {% if EXTERNAL_OUTGOING_IP != "" %}
 -- EXTERNAL_OUTGOING_IP
-net.outgoing_v4('{{ EXTERNAL_OUTGOING_IP }}')
+-- Not until things are sorted out with the delegated subdomains, but keep the IPs
+--net.outgoing_v4('{{ EXTERNAL_OUTGOING_IP }}')
 {% endif %}
 -- Load useful modules
From 2bf2b97402cfaafa01af1d5f8662a6b3b4b12f06 Mon Sep 17 00:00:00 2001
From: james-otten
Date: Wed, 29 Jan 2025 21:21:20 -0500
Subject: [PATCH 06/10] no ipv6
---
 infra/ansible/roles/knot_recursive/templates/kresd.conf.j2 | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/infra/ansible/roles/knot_recursive/templates/kresd.conf.j2 b/infra/ansible/roles/knot_recursive/templates/kresd.conf.j2
index 43e15ca..780196f 100644
--- a/infra/ansible/roles/knot_recursive/templates/kresd.conf.j2
+++ b/infra/ansible/roles/knot_recursive/templates/kresd.conf.j2
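Review bot: The comment added in patch 05 (`@@ -16,7 +16,8 @@`) says the outgoing address stays off "until things are sorted out with the delegated subdomains" but not what has to be sorted out, so a reader of the rendered config cannot tell when `net.outgoing_v4` can be restored. With the call commented out, the `{% if EXTERNAL_OUTGOING_IP != "" %}` block renders only comments and kresd falls back to whatever source address the host picks, which changes the address that upstreams and any allow-lists see. Presumably the fixed external source address kept the mesh-internal upstreams from answering; if so I would state it, e.g. `-- Disabled: delegated-subdomain upstreams are not reachable from EXTERNAL_OUTGOING_IP (confirm); re-enable once they are`.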
@@ -14,6 +14,9 @@ net.listen('{{ EXTERNAL_LISTEN_IP }}', 53, { kind = 'dns' })
 net.listen('{{ EXTERNAL_LISTEN_IP }}', 443, { kind = 'doh2' })
 {% endif %}
+-- No ipv6
+net.ipv6 = false
+
 {% if EXTERNAL_OUTGOING_IP != "" %}
 -- EXTERNAL_OUTGOING_IP
 -- Not until things are sorted out with the delegated subdomains, but keep the IPs
From e38d7eeecfbe17d85de29c503f888b90a1dca42d Mon Sep 17 00:00:00 2001
From: james-otten
Date: Wed, 29 Jan 2025 21:38:48 -0500
Subject: [PATCH 07/10] deploy
---
 .github/workflows/deploy.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
index 8f669b0..5a0cf86 100644
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -4,6 +4,7 @@ on:
 push:
 branches:
 - master
+ - james/delegation
 paths:
 - infra/**
 workflow_dispatch:
@@ -17,7 +18,7 @@ jobs:
 with:
 environment: dev_jon
 secrets: inherit
- if: github.ref == 'refs/heads/master' && github.event_name == 'push'
+ #if: github.ref == 'refs/heads/master' && github.event_name == 'push'
 deploy_sn10_prod:
 name: Deploy to sn10 prod
From 44d89531ee7e2eeb79b104e4204fbf69c8bb773a Mon Sep 17 00:00:00 2001
From: james-otten
Date: Wed, 29 Jan 2025 21:40:20 -0500
Subject: [PATCH 08/10] deploy
---
 .github/workflows/deploy.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
index 5a0cf86..225bc1c 100644
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -5,8 +5,8 @@ on:
 branches:
 - master
 - james/delegation
- paths:
- - infra/**
+ # paths:
+ # - infra/**
 workflow_dispatch:
 permissions: read-all
From d054b976bfa1bb2c229edde08bad3e689316c134 Mon Sep 17 00:00:00 2001
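Review bot: Commenting out the `if:` guard in the second hunk of patch 07 (`@@ -17,7 +18,7 @@`) lets the `dev_jon` deploy job, which runs with `secrets: inherit`, start on every trigger of this workflow, including `workflow_dispatch` from any ref, instead of only on pushes to master. Patch 08 widens this again by disabling the `paths:` filter. Adding `james/delegation` to `branches:` also starts the other jobs in the file; whether `deploy_sn10_prod` carries its own ref guard is not visible in the hunk, so a push to the feature branch may reach production. Patch 10 restores all three settings, but for the commits in between I would keep the guard and widen it, e.g. `if: github.event_name == 'push' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/james/delegation')`, or test through the existing `workflow_dispatch` trigger rather than editing the triggers. The job definitions start and end outside both hunks.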
From: james-otten
Date: Wed, 29 Jan 2025 22:02:00 -0500
Subject: [PATCH 09/10] auth stub
---
 infra/terraform/dev_jon.tfvars | 2 +-
 infra/terraform/prod_sn10.tfvars | 2 +-
 infra/terraform/prod_sn3.tfvars | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/infra/terraform/dev_jon.tfvars b/infra/terraform/dev_jon.tfvars
index 6a281d6..ed2fd6c 100644
--- a/infra/terraform/dev_jon.tfvars
+++ b/infra/terraform/dev_jon.tfvars
@@ -35,4 +35,4 @@ recursive_cores = 4
 recursive_sockets = 1
 recursive_memory = 4096
 enable_doh = ""
-#mesh_stub_resolver = "23.158.16.23"
+mesh_stub_resolver = "23.158.16.23"
diff --git a/infra/terraform/prod_sn10.tfvars b/infra/terraform/prod_sn10.tfvars
index 2f949df..72a8d3a 100644
--- a/infra/terraform/prod_sn10.tfvars
+++ b/infra/terraform/prod_sn10.tfvars
@@ -45,4 +45,4 @@ recursive_cores = 5
 recursive_sockets = 1
 recursive_memory = 4096
 enable_doh = "enable"
-#mesh_stub_resolver = "199.170.132.47"
+mesh_stub_resolver = "199.170.132.47"
diff --git a/infra/terraform/prod_sn3.tfvars b/infra/terraform/prod_sn3.tfvars
index 954427f..7e4e048 100644
--- a/infra/terraform/prod_sn3.tfvars
+++ b/infra/terraform/prod_sn3.tfvars
@@ -45,4 +45,4 @@ recursive_cores = 5
 recursive_sockets = 1
 recursive_memory = 4096
 enable_doh = "enable"
-#mesh_stub_resolver = "23.158.16.23"
+mesh_stub_resolver = "23.158.16.23"
From 3e32ab818ef667a1f3209013b7b43fbcd075a06a Mon Sep 17 00:00:00 2001
From: james-otten
Date: Wed, 29 Jan 2025 22:15:28 -0500
Subject: [PATCH 10/10] clean
---
 .github/workflows/deploy.yaml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
index 225bc1c..8f669b0 100644
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -4,9 +4,8 @@ on:
 push:
 branches:
 - master
- - james/delegation
- # paths:
- # - infra/**
+ paths:
+ - infra/**
 workflow_dispatch:
 permissions: read-all
@@ -18,7 +17,7 @@ jobs:
 with:
 environment: dev_jon
 secrets: inherit
- #if: github.ref == 'refs/heads/master' && github.event_name == 'push'
+ if: github.ref == 'refs/heads/master' && github.event_name == 'push'
 deploy_sn10_prod:
 name: Deploy to sn10 prod