From 72e3718bf539e7c94714efd802c837f4b9326b57 Mon Sep 17 00:00:00 2001
From: Astro
Date: Sat, 23 Jun 2018 02:04:35 +0200
Subject: [PATCH] bind, unbound: prepare dns in ctx
---
 salt-pillar/bind/dns.sls | 18 +++++++++++++-----
 salt/bind/dyn-domain.zone | 4 ++--
 salt/bind/init.sls | 21 ++++++++++++++-------
 salt/bind/named.conf | 9 ++++++---
 salt/bind/net-domain.zone | 2 +-
 salt/bind/reverse.zone | 22 ++++++++++++----------
 salt/bind/root-domain.zone | 2 +-
 salt/unbound/listen.conf | 1 +
 salt/unbound/local-zones.conf | 16 +++++++++++-----
 9 files changed, 61 insertions(+), 34 deletions(-)
diff --git a/salt-pillar/bind/dns.sls b/salt-pillar/bind/dns.sls
index 5424104..5f03b74 100644
--- a/salt-pillar/bind/dns.sls
+++ b/salt-pillar/bind/dns.sls
@@ -1,6 +1,10 @@
 bind:
- root-domain: zentralwerk.org
- master-ns: dns.serv.zentralwerk.org
+ root-domain:
+ dn42: zentralwerk.dn42
+ up1: zentralwerk.org
+ master-ns:
+ dn42: dns.serv.zentralwerk.dn42
+ up1: dns.serv.zentralwerk.org
 public-ns:
 - ns.c3d2.de
 - ns.spaceboyz.net
@@ -11,7 +15,7 @@ bind:
 # dns.spaceboyz.net
 - 172.22.24.4
 - 2a01:4f8:a0:33d0::4
- serial: 2017031210
+ serial: 2018062300
 reverse-zones-inet:
 - 72.20.172.in-addr.arpa
@@ -24,5 +28,9 @@ bind:
 - 79.20.172.in-addr.arpa
 reverse-zones-inet6:
- - 8.5.0.2.d.3.c.2.4.0.0.3.2.d.f.ip6.arpa
- - c.5.0.2.d.3.c.2.4.0.0.3.2.d.f.ip6.arpa
+ dn42:
+ - 8.5.0.2.d.3.c.2.4.0.0.3.2.d.f.ip6.arpa
+ - c.5.0.2.d.3.c.2.4.0.0.3.2.d.f.ip6.arpa
+ up1:
+ - 8.2.5.8.0.2.0.6.0.1.8.2.0.a.2.ip6.arpa
+ - c.2.5.8.0.2.0.6.0.1.8.2.0.a.2.ip6.arpa
diff --git a/salt/bind/dyn-domain.zone b/salt/bind/dyn-domain.zone
index 1e43d2e..c67d7d3 100644
--- a/salt/bind/dyn-domain.zone
+++ b/salt/bind/dyn-domain.zone
@@ -1,8 +1,8 @@
 $ORIGIN {{ domain }}.
 $TTL 10M
-@ IN SOA {{ pillar['bind']['master-ns'] }}. astro.spaceboyz.net. (
- 1 ; serial
+@ IN SOA {{ pillar['bind']['master-ns']['up1'] }}. astro.spaceboyz.net. (
+ 2 ; serial
 1H ; refresh
 1M ; retry
 2H ; expire
diff --git a/salt/bind/init.sls b/salt/bind/init.sls
index 6d583b1..3736be1 100644
--- a/salt/bind/init.sls
+++ b/salt/bind/init.sls
@@ -16,17 +16,19 @@ bind9:
 - source: salt://bind/named.conf
 - template: 'jinja'
+{%- for ctx, root_domain in pillar['bind']['root-domain'].items() %}
 # zentralwerk.org
-/etc/bind/{{ pillar['bind']['root-domain'] }}.zone:
+/etc/bind/{{ root_domain }}.zone:
 file.managed:
 - source: salt://bind/root-domain.zone
 - template: 'jinja'
 - context:
- domain: {{ pillar['bind']['root-domain'] }}
+ domain: {{ root_domain }}
+ ctx: {{ ctx }}
 # *.zentralwerk.org
-{%- for net, subnet4 in pillar['subnets-inet'].items() %}
-{%- set domain = net ~ '.' ~ pillar['bind']['root-domain'] %}
+{%- for net, subnet4 in pillar['subnets-inet'].items() %}
+{%- set domain = net ~ '.' ~ root_domain %}
 /etc/bind/{{ domain }}.zone:
 file.managed:
 - source: salt://bind/net-domain.zone
@@ -34,12 +36,13 @@ bind9:
 - context:
 domain: {{ domain }}
 net: {{ net }}
- ctx: dn42
+ ctx: {{ ctx }}
+{%- endfor %}
 {%- endfor %}
 # dyn.zentralwerk.org
-{%- set domain = 'dyn.' ~ pillar['bind']['root-domain'] %}
+{%- set domain = 'dyn.' ~ pillar['bind']['root-domain']['up1'] %}
 /etc/bind/{{ domain }}.zone:
 file.managed:
 - source: salt://bind/dyn-domain.zone
@@ -55,16 +58,20 @@ bind9:
 - template: 'jinja'
 - context:
 domain: {{ domain }}
+ ctx: {{ ctx }}
 {%- endfor %}
 # IPv6 reverse
-{%- for domain in pillar['bind']['reverse-zones-inet6'] %}
+{%- for ctx, domains in pillar['bind']['reverse-zones-inet6'].items() %}
+{%- for domain in domains %}
 /etc/bind/{{ domain }}.zone:
 file.managed:
 - source: salt://bind/reverse.zone
 - template: 'jinja'
 - context:
 domain: {{ domain }}
+ ctx: {{ ctx }}
+{%- endfor %}
 {%- endfor %}
 rndc reload:
diff --git a/salt/bind/named.conf b/salt/bind/named.conf
index 371fc1b..0f3ae11 100644
--- a/salt/bind/named.conf
+++ b/salt/bind/named.conf
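Review bot: The `ctx: {{ ctx }}` added to the IPv4 reverse-zone state (first `+` line of the third hunk) references `ctx` outside any loop that binds it: the `{%- for ctx, root_domain ... %}` loop is closed by the `{%- endfor %}` added in the second hunk, and Jinja2 does not leak loop variables past `endfor`, so `ctx` is undefined at that point (Salt's Jinja renderer is, as far as I recall, configured with StrictUndefined, so the state would fail to render; with a lenient Undefined it would render `ctx:` as None and reverse.zone would then fail on `master-ns[None]`). The head of this IPv4 loop is outside the hunk, so this is inferred from the visible structure. Since `reverse-zones-inet` in the pillar is not split per context and reverse.zone only emits IPv4 PTRs when `ctx == 'dn42'`, the simplest fix is the literal `ctx: dn42` on that line, mirroring the value this commit removes from the net-domain state.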
@@ -16,12 +16,13 @@
 {%- endmacro %}
 # root domain
-{%- set domain = pillar['bind']['root-domain'] %}
+{%- for ctx, domain in pillar['bind']['root-domain'].items() %}
 zone "{{ domain }}" IN {
 type master;
 file "/etc/bind/{{ domain }}.zone";
 {{ slaves() }}
 };
+{%- endfor %}
 # net zones
 {%- for net, subnet4 in pillar['subnets-inet'].items() %}
@@ -42,11 +43,13 @@ zone "{{ domain }}" IN {
 {%- endfor %}
 # IPv6 reverse zones
-{%- for domain in pillar['bind']['reverse-zones-inet6'] %}
+{%- for ctx, domains in pillar['bind']['reverse-zones-inet6'].items() %}
+{%- for domain in domains %}
 zone "{{ domain }}" IN {
 type master;
 file "/etc/bind/{{ domain }}.zone";
 };
+{%- endfor %}
 {%- endfor %}
@@ -59,7 +62,7 @@ key "{{ name }}" {
 {%- endfor %}
 # DynDNS zone
-{%- set domain = 'dyn.' ~ pillar['bind']['root-domain'] %}
+{%- set domain = 'dyn.' ~ pillar['bind']['root-domain']['up1'] %}
 zone "{{ domain }}" IN {
 type master;
 file "/etc/bind/{{ domain }}.zone";
diff --git a/salt/bind/net-domain.zone b/salt/bind/net-domain.zone
index b92e87a..5de6deb 100644
--- a/salt/bind/net-domain.zone
+++ b/salt/bind/net-domain.zone
@@ -1,7 +1,7 @@
 $ORIGIN {{ domain }}.
 $TTL 10M
-@ IN SOA {{ pillar['bind']['master-ns'] }}. astro.spaceboyz.net. (
+@ IN SOA {{ pillar['bind']['master-ns'][ctx] }}. astro.spaceboyz.net. (
 {{ pillar['bind']['serial'] }} ; serial
 1H ; refresh
 1M ; retry
diff --git a/salt/bind/reverse.zone b/salt/bind/reverse.zone
index f55ed5e..058ec42 100644
--- a/salt/bind/reverse.zone
+++ b/salt/bind/reverse.zone
@@ -1,7 +1,7 @@
 $ORIGIN {{ domain }}.
 $TTL 10M
-@ IN SOA {{ pillar['bind']['master-ns'] }}. astro.spaceboyz.net. (
+@ IN SOA {{ pillar['bind']['master-ns'][ctx] }}. astro.spaceboyz.net. (
 {{ pillar['bind']['serial'] }} ; serial
 1H ; refresh
 1M ; retry
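Review bot: The IPv6 reverse zones in the second named.conf hunk still get only `type master; file ...;`, so the new public `up1` zones (the 2a02:8106:208:52xx ranges from the pillar) have neither `{{ slaves() }}` nor an `allow-transfer`, unlike the root-domain zones in the first hunk. Unless the global `options {}` (outside this hunk) restricts it, BIND's long-standing default permits AXFR of these zones to any client, which hands out the full PTR list for the public prefix, and without secondaries they are served from this one master only. If the public reverse zones are meant to be delegated, add `{{ slaves() }}` inside the `zone` block as the root-domain zones do; if they are internal-only, an explicit `allow-transfer { none; };` in the block documents that intent.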
@@ -10,20 +10,22 @@ $TTL 10M
 )
 IN NS {{ pillar['bind']['master-ns'] }}.
-{%- for net, hosts in pillar['hosts-inet'].items() %}
-{%- for host, aaaa in hosts.items() %}
-{%- set reverse = salt['network.reverse_ip'](aaaa) %}
-{%- if reverse.endswith(domain) %}
-{{ reverse.replace('.' ~ domain, '') }} IN PTR {{ host }}.{{ net }}.{{ pillar['bind']['root-domain'] }}.
-{%- endif %}
+{%- if ctx == 'dn42' %]
+{%- for net, hosts in pillar['hosts-inet'].items() %}
+{%- for host, aaaa in hosts.items() %}
+{%- set reverse = salt['network.reverse_ip'](aaaa) %}
+{%- if reverse.endswith(domain) %}
+{{ reverse.replace('.' ~ domain, '') }} IN PTR {{ host }}.{{ net }}.{{ pillar['bind']['root-domain'][ctx] }}.
+{%- endif %}
+{%- endfor %}
 {%- endfor %}
-{%- endfor %}
+{%- endif %}
-{%- for net, hosts in pillar['hosts-inet6']['dn42'].items() %}
+{%- for net, hosts in pillar['hosts-inet6'][ctx].items() %}
 {%- for host, aaaa in hosts.items() %}
 {%- set reverse = salt['network.reverse_ip'](aaaa) %}
 {%- if reverse.endswith(domain) %}
-{{ reverse.replace('.' ~ domain, '') }} IN PTR {{ host }}.{{ net }}.{{ pillar['bind']['root-domain'] }}.
+{{ reverse.replace('.' ~ domain, '') }} IN PTR {{ host }}.{{ net }}.{{ pillar['bind']['root-domain'][ctx] }}.
 {%- endif %}
 {%- endfor %}
 {%- endfor %}
diff --git a/salt/bind/root-domain.zone b/salt/bind/root-domain.zone
index 2049e3a..679877e 100644
--- a/salt/bind/root-domain.zone
+++ b/salt/bind/root-domain.zone
@@ -1,7 +1,7 @@
 $ORIGIN {{ domain }}.
 $TTL 10M
-@ IN SOA {{ pillar['bind']['master-ns'] }}. astro.spaceboyz.net. (
+@ IN SOA {{ pillar['bind']['master-ns'][ctx] }}. astro.spaceboyz.net. (
 {{ pillar['bind']['serial'] }} ; serial
 1H ; refresh
 1M ; retry
diff --git a/salt/unbound/listen.conf b/salt/unbound/listen.conf
index eed557d..3ed5a99 100644
--- a/salt/unbound/listen.conf
+++ b/salt/unbound/listen.conf
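Review bot: `{%- if ctx == 'dn42' %]` closes the tag with `%]` instead of `%}`, so Jinja raises a TemplateSyntaxError and none of the reverse zones render; it should read `{%- if ctx == 'dn42' %}`. The context line `IN NS {{ pillar['bind']['master-ns'] }}.` is also broken by this commit: `master-ns` became a mapping in the pillar, so the NS record would render a Python dict repr and named would reject the zone file; it needs `{{ pillar['bind']['master-ns'][ctx] }}` like the SOA above it. The net-domain and root-domain zone files presumably carry the same NS line outside their hunks and would need the same change.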
@@ -8,6 +8,7 @@ server:
 interface: ::
 access-control: fd23:42:c3d2:500::/56 allow
+ access-control: 2a02:8106:208:5200::/56 allow
 access-control: ::172.20.72.0/117 allow
 access-control: ::172.22.99.0/120 allow
 access-control: ::1/128 allow
diff --git a/salt/unbound/local-zones.conf b/salt/unbound/local-zones.conf
index 2837471..9cb3d44 100644
--- a/salt/unbound/local-zones.conf
+++ b/salt/unbound/local-zones.conf
@@ -1,10 +1,14 @@
 server:
- domain-insecure: "{{ pillar['bind']['root-domain'] }}"
+{%- for ctx, domain in pillar['bind']['root-domain'] %}
+ domain-insecure: "{{ domain }}"
+{%- endfor %}
 forward-zone:
- name: "{{ pillar['bind']['root-domain'] }}"
+{%- for ctx, domain in pillar['bind']['root-domain'] %}
+ name: "{{ domain }}"
 forward-addr: {{ pillar['hosts-inet']['serv']['dns'] }}
- forward-addr: {{ pillar['hosts-inet6']['dn42']['serv']['dns'] }}
+ forward-addr: {{ pillar['hosts-inet6'][ctx]['serv']['dns'] }}
+{%- endfor %}
 {%- for domain in pillar['bind']['reverse-zones-inet'] %}
 forward-zone:
@@ -13,9 +17,11 @@ forward-zone:
 forward-addr: {{ pillar['hosts-inet6']['dn42']['serv']['dns'] }}
 {%- endfor %}
-{%- for domain in pillar['bind']['reverse-zones-inet6'] %}
+{%- for ctx, domains in pillar['bind']['reverse-zones-inet6'].items() %}
+{%- for domain in domains %}
 forward-zone:
 name: "{{ domain }}"
 forward-addr: {{ pillar['hosts-inet']['serv']['dns'] }}
- forward-addr: {{ pillar['hosts-inet6']['dn42']['serv']['dns'] }}
+ forward-addr: {{ pillar['hosts-inet6'][ctx]['serv']['dns'] }}
+{%- endfor %}
 {%- endfor %}
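Review bot: The new `access-control: 2a02:8106:208:5200::/56 allow` opens recursive resolution to a globally routable prefix, whereas the surrounding allow rules cover only ULA, private-range and loopback addresses. It is presumably the site's own uplink allocation (it matches the `up1` reverse zones added to the pillar), but an allow on public space means spoofed-source UDP queries claiming that prefix are answered unless the uplink filters ingress, which is the classic reflection/amplification setup. Consider pairing it with unbound's `ratelimit:` / `ip-ratelimit:` and a comment recording the provenance, e.g. `# up1: our public IPv6 allocation; keep in sync with pillar bind:reverse-zones-inet6`.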
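Review bot: Both new loops in the first local-zones.conf hunk read `{%- for ctx, domain in pillar['bind']['root-domain'] %}` without `.items()`, so Jinja iterates the mapping's keys and tries to unpack the string `'dn42'` into two names, which fails at render time; the reverse-zones-inet6 loop in the second hunk uses `.items()` correctly and these should match it: `{%- for ctx, domain in pillar['bind']['root-domain'].items() %}`. Separately, `domain-insecure` for the public `zentralwerk.org` tells unbound to skip DNSSEC validation for that name, which is acceptable while the forward-addr is our own authoritative master on a trusted path, but deserves a comment such as `# forwarded to our own authoritative bind, so DNSSEC validation is disabled for these names`. The `forward-addr` line for the `up1` context also assumes `pillar['hosts-inet6']['up1']['serv']['dns']` exists, which this diff does not show.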