From 4623025334b44dcd1dfa97522e313851f8a19c4b Mon Sep 17 00:00:00 2001 From: Wolfgang Hottgenroth Date: Fri, 24 Oct 2025 20:03:09 +0200 Subject: [PATCH] initial --- .woodpecker.yml | 29 ++++++++ deployment/deploy-yml.tmpl | 113 ++++++++++++++++++++++++++++++++ deployment/deploy.sh | 26 ++++++++ knot.conf | 120 ++++++++++++++++++++++++++++++++++ my-dnssec-test-domain.de.zone | 19 ++++++ 5 files changed, 307 insertions(+) create mode 100644 .woodpecker.yml create mode 100644 deployment/deploy-yml.tmpl create mode 100755 deployment/deploy.sh create mode 100644 knot.conf create mode 100644 my-dnssec-test-domain.de.zone diff --git a/.woodpecker.yml b/.woodpecker.yml new file mode 100644 index 0000000..3b8270a --- /dev/null +++ b/.woodpecker.yml @@ -0,0 +1,29 @@ +steps: + build: + image: plugins/kaniko + settings: + repo: ${FORGE_NAME}/${CI_REPO} + registry: + from_secret: container_registry + tags: latest,${CI_COMMIT_SHA} + username: + from_secret: container_registry_username + password: + from_secret: container_registry_password + + dockerfile: Dockerfile + when: + - event: [tag] + + deploy: + image: portainer/kubectl-shell:latest + environment: + KUBE_CONFIG_CONTENT: + from_secret: kube_config + commands: + - export IMAGE_TAG=$CI_COMMIT_SHA + - printf "$KUBE_CONFIG_CONTENT" > /tmp/kubeconfig + - export KUBECONFIG=/tmp/kubeconfig + - ./deployment/deploy.sh + when: + - event: [tag] diff --git a/deployment/deploy-yml.tmpl b/deployment/deploy-yml.tmpl new file mode 100644 index 0000000..3b25c3a --- /dev/null +++ b/deployment/deploy-yml.tmpl 
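Review bot: In the `deploy` step, `printf "$KUBE_CONFIG_CONTENT" > /tmp/kubeconfig` uses the secret itself as the printf format string, so any `%` or backslash sequence in the kubeconfig is interpreted instead of copied, and the file is created with the step's default umask. Write it as `- printf '%s' "$KUBE_CONFIG_CONTENT" > /tmp/kubeconfig` followed by `- chmod 600 /tmp/kubeconfig` so the credential is copied verbatim and is readable only by the step's user. Separately, `plugins/kaniko` and `portainer/kubectl-shell:latest` are unpinned images that run with registry and cluster credentials; pinning them to a digest would make the pipeline's supply chain reproducible.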
@@ -0,0 +1,113 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: knot-dns-hidden-primary +spec: + replicas: 1 + selector: + matchLabels: + app: knot-dns-hidden-primary + template: + metadata: + labels: + app: knot-dns-hidden-primary + spec: + containers: + - name: knot-dns + image: %IMAGE% + ports: + - name: dns-tcp + containerPort: 8053 + protocol: TCP + - name: dns-udp + containerPort: 8053 + protocol: UDP + env: + - name: KNOT_USER + value: "knot" + volumeMounts: + - name: knot-config + mountPath: /etc/knot + - name: knot-data + mountPath: /var/lib/knot + - name: knot-zones + mountPath: /var/lib/knot/zones + resources: + requests: + memory: "128Mi" + cpu: "100m" + limits: + memory: "512Mi" + cpu: "500m" + livenessProbe: + tcpSocket: + port: 8053 + initialDelaySeconds: 30 + periodSeconds: 10 + readinessProbe: + tcpSocket: + port: 8053 + initialDelaySeconds: 5 + periodSeconds: 5 + volumes: + - name: knot-config + persistentVolumeClaim: + claimName: knot-dns-config + - name: knot-data + persistentVolumeClaim: + claimName: knot-dns-data + - name: knot-zones + persistentVolumeClaim: + claimName: knot-dns-zones +--- +apiVersion: v1 +kind: Service +metadata: + name: knot-dns-hidden-primary +spec: + type: LoadBalancer + selector: + app: knot-dns-hidden-primary + ports: + - name: dns-tcp + port: 53 + targetPort: 8053 + protocol: TCP + - name: dns-udp + port: 53 + targetPort: 8053 + protocol: UDP +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: knot-dns-config +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 100Mi +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: knot-dns-data +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: knot-dns-zones +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 100Mi + 
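Review bot: The `knot-dns` container has no `securityContext`, so it runs with whatever user and capability set the image defaults to, even though Knot is configured to bind 8053 and needs no privileged port. A container-level `securityContext` that forbids privilege escalation and drops all capabilities is safe here; `runAsNonRoot: true` also belongs there if the image runs as a non-root user, which is not visible in this change, and the `KNOT_USER` env var hints at that intent. `readOnlyRootFilesystem` is omitted from the proposal because knot.conf places the control socket under `/var/run/knot`, which would need an `emptyDir` mount first. The `LoadBalancer` Service has no `loadBalancerSourceRanges`, so port 53 of a server described as a hidden primary is reachable from any source; limiting it to the secondaries' addresses listed in knot.conf would match the ACLs there.
```yaml
      containers:
        - name: knot-dns
          image: %IMAGE%
          securityContext:
            allowPrivilegeEscalation: false
            runAsNonRoot: true  # requires the image to run as a non-root UID
            capabilities:
              drop: ["ALL"]
          # … unchanged: ports, env, volumeMounts, resources, probes …
```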
diff --git a/deployment/deploy.sh b/deployment/deploy.sh new file mode 100755 index 0000000..8a38fa9 --- /dev/null +++ b/deployment/deploy.sh @@ -0,0 +1,26 @@ +#!/bin/bash + +if [ "$IMAGE_TAG" == "" ]; then + echo "Make sure IMAGE_TAG is set" + exit 1 +fi + + +IMAGE_NAME=gitea.hottis.de/deployments/knot-dns +NAMESPACE=knot-dns +DEPLOYMENT_DIR=$PWD/deployment + +pushd $DEPLOYMENT_DIR > /dev/null + +kubectl create namespace $NAMESPACE \ + --dry-run=client \ + -o yaml | \ + kubectl -f - apply + + +cat $DEPLOYMENT_DIR/deploy-yml.tmpl | \ + sed -e 's,%IMAGE%,'$IMAGE_NAME':'$IMAGE_TAG','g | \ + kubectl apply -f - -n $NAMESPACE + +popd > /dev/null + diff --git a/knot.conf b/knot.conf new file mode 100644 index 0000000..9d98baa --- /dev/null +++ b/knot.conf 
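Review bot: The script has no `set -e`/`pipefail`, and its last statement is `popd > /dev/null`, so a failed `kubectl apply` (or a failed `sed`) still exits 0 and the CI step reports a successful deployment. Add `set -euo pipefail` directly after the shebang so any failure in the namespace or manifest pipeline aborts the step. The `sed` expression splices `$IMAGE_NAME` and `$IMAGE_TAG` in unquoted; quoting them, e.g. `sed -e "s,%IMAGE%,${IMAGE_NAME}:${IMAGE_TAG},g"`, keeps the expression intact if a tag ever contains whitespace, and `pushd "$DEPLOYMENT_DIR"` likewise guards against a path with spaces.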
@@ -0,0 +1,120 @@ +# Knot DNS Configuration +# Hidden Primary DNS server configuration for my-dnssec-test-domain.de +# This server acts as a hidden primary - it's not listed in NS records +# but provides zone transfers to the public secondary nameservers + +server: + # Server identification + identity: "Hottis DNS Server" + version: "" + + # Listen on all interfaces + listen: [ "0.0.0.0@8053", "::@8053" ] + + # Disable recursion (authoritative only) + answer-rotation: on + semantic-checks: on + + # Security settings + max-udp-payload: 4096 + max-tcp-clients: 100 + max-zone-size: 500M + + # Logging + log: + - target: syslog + any: info + +# Database configuration +database: + storage: "/var/lib/knot" + journal-content: changes + journal-max-usage: 100M + journal-max-depth: 20 + +# Key management for DNSSEC +keystore: + - id: default + backend: pem + config: "/var/lib/knot/keys" + +# DNSSEC policy +policy: + - id: default_policy + algorithm: ECDSAP256SHA256 + ksk-lifetime: 365d + zsk-lifetime: 90d + propagation-delay: 3600 + dnskey-ttl: 3600 + zone-max-ttl: 86400 + ksk-submission: parent_ds + cds-cdnskey-publish: rollover + cds-cdnskey-publish: always + +# Remote server configuration (for zone transfers, notifications) +remote: + - id: dns1_nsdns + address: 109.234.111.215@53 + + - id: dns2_nsdns + address: 109.234.111.216@53 + +# Access Control Lists +acl: + - id: transfer_acl + address: [ "127.0.0.1", "109.234.111.215", "109.234.111.216" ] + action: transfer + + - id: notify_acl + address: [ "127.0.0.1", "109.234.111.215", "109.234.111.216" ] + action: notify + +# Zone template +template: + - id: default_template + storage: "/var/lib/knot" + file: "%s.zone" + + # DNSSEC configuration + dnssec-signing: on + dnssec-policy: default_policy + + # Zone transfer settings (Hidden Primary) + notify: [ dns1_nsdns, dns2_nsdns ] + acl: [ transfer_acl, notify_acl ] + + # Serial policy + serial-policy: dateserial + + # Zone journal + journal-content: changes + journal-max-usage: 
10M + + # Hidden primary: don't answer queries from public + # Only serve AXFR/IXFR to secondaries + master: on + +# Zone configuration +zone: + - domain: my-dnssec-test-domain.de + template: default_template + file: "/var/lib/knot/my-dnssec-test-domain.de.zone" + +# Control interface +control: + listen: "/var/run/knot/knot.sock" + timeout: 60 + +# Statistics +stats: + timer: 3600 + +# Logging configuration +log: + - target: stderr + any: info + zone: warning + server: info + + - target: syslog + any: info \ No newline at end of file diff --git a/my-dnssec-test-domain.de.zone b/my-dnssec-test-domain.de.zone new file mode 100644 index 0000000..06c31f0 --- /dev/null +++ b/my-dnssec-test-domain.de.zone @@ -0,0 +1,19 @@ +$ORIGIN my-dnssec-test-domain.de. +$TTL 3600 + +; SOA Record (Start of Authority) +@ IN SOA dns1.nsdns.info. admin.my-dnssec-test-domain.de. ( + 2025102401 ; Serial (YYYYMMDDNN) + 7200 ; Refresh (2 hours) + 3600 ; Retry (1 hour) + 604800 ; Expire (1 week) + 86400 ; Minimum TTL (1 day) +) + +; Name Server Records +@ IN NS dns1.nsdns.info. +@ IN NS dns2.nsdns.info. +@ IN NS dns3.nsdns.info. + +; MX Records (Mail Exchange) +@ IN MX 10 home.of.the.smiling-proxy.de. \ No newline at end of file
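Review bot: The `default_policy` entry sets `cds-cdnskey-publish` twice (`rollover`, then `always`); a YAML loader either rejects the duplicate key or silently keeps one value, so only the intended line should remain, with a comment stating which CDS/CDNSKEY publication behaviour is wanted. In the template, `master: on` looks like a boolean, but Knot's `master` option refers to remote ids rather than on/off, so this line likely needs checking against the Knot documentation, as does the `log:` block nested under `server:`, which duplicates the top-level `log:` section at the end of the file. `transfer_acl` authorizes AXFR/IXFR by source address alone; adding a TSIG `key:` to the ACL and the matching remotes would authenticate the secondaries rather than trusting the network path. The comment `# Disable recursion (authoritative only)` sits above `answer-rotation: on`, which is unrelated to recursion; rewording it to describe answer rotation would avoid misleading the next maintainer.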
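Review bot: The zone delegates to three nameservers (`dns1`, `dns2`, `dns3.nsdns.info.`), but knot.conf defines remotes, notify targets and transfer ACL entries for only two addresses, so if `dns3` is a real secondary it would neither be notified nor be allowed to transfer the zone; which address belongs to which NS is not visible here, so this needs confirming against the secondaries' configuration. The serial `2025102401` matches the `serial-policy: dateserial` chosen in knot.conf, which is consistent. The `; Minimum TTL (1 day)` comment describes the SOA's negative-caching TTL; naming it as such would be clearer.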