Terraform automation that creates two name servers under two separate GCP accounts within free tier limits.
- Have access to two separate GCP accounts
- Have control over a domain name (e.g. `example.com.`)
- Create an SSH keypair (using `ssh-keygen`) for the Unix user account used to connect to the name server machines to be created (e.g. `id_rsa{.pub}`)
- Create a TSIG key (using `tsig-keygen`) to be used for secure zone transfers between the name servers (e.g. named `ns1-ns2`, saved to `ns1-ns2.key`)
- Create a TSIG key to be used for secure DDNS updates (e.g. named `ddns`, saved to `ddns.key`)

Note: `tsig-keygen` generates files indented with tabs instead of spaces; to work around this use `tsig-keygen ddns | sed 's/\t/ /g' > ddns.key`.
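As an added example (not part of this project's code), a small Python check that parses a `tsig-keygen` key file, tolerating the tab indentation noted above, and validates the algorithm and base64 secret before the key is used for DDNS updates or zone transfers; the sample key below is a constructed dummy.

```python
import base64
import re

# HMAC digest sizes in bytes for the TSIG algorithms BIND accepts; tsig-keygen
# emits a secret of exactly this length for the chosen algorithm.
DIGEST_BYTES = {
    "hmac-md5": 16, "hmac-sha1": 20, "hmac-sha224": 28,
    "hmac-sha256": 32, "hmac-sha384": 48, "hmac-sha512": 64,
}

# The key statement tsig-keygen prints: key "n" { algorithm a; secret "b64"; };
KEY_RE = re.compile(
    r'key\s+"(?P<name>[^"]+)"\s*\{\s*'
    r'algorithm\s+(?P<alg>[\w-]+)\s*;\s*'
    r'secret\s+"(?P<secret>[^"\s]+)"\s*;\s*\}\s*;'
)

def normalize(text: str) -> str:
    """Replace tabs with spaces, the same fix as the sed step above."""
    return text.replace("\t", " ")

def parse_tsig_key(text: str) -> dict:
    """Parse and sanity-check a tsig-keygen key file into name/algorithm/secret.
    Raises ValueError on a malformed statement, unknown algorithm, non-base64
    secret, or a secret shorter than the digest (a weakened HMAC key)."""
    m = KEY_RE.search(normalize(text))
    if m is None:
        raise ValueError("no key statement found")
    alg = m.group("alg").lower()
    if alg not in DIGEST_BYTES:
        raise ValueError(f"unsupported TSIG algorithm: {alg}")
    try:
        secret = base64.b64decode(m.group("secret"), validate=True)
    except ValueError as exc:  # binascii.Error subclasses ValueError
        raise ValueError("secret is not valid base64") from exc
    if len(secret) < DIGEST_BYTES[alg]:
        raise ValueError(f"{alg} secret is {len(secret)} bytes, "
                         f"expected at least {DIGEST_BYTES[alg]}")
    return {"name": m.group("name"), "algorithm": alg, "secret": secret}

# Constructed dummy key file, tab-indented exactly as tsig-keygen writes it.
# The secret is 32 bytes of 'A' base64-encoded, not a real key.
SAMPLE_SECRET = base64.b64encode(b"A" * 32).decode()
SAMPLE_KEY = (
    'key "ddns" {\n'
    '\talgorithm hmac-sha256;\n'
    f'\tsecret "{SAMPLE_SECRET}";\n'
    '};\n'
)
```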
- Create a new project
- Create an Editor service account for Terraform
- Save the service account credentials (e.g. `ns{1,2}_credentials.json`)
Note: examine default firewall rules associated with default VPCs since those won't be touched by Terraform.
- Create a storage bucket for Terraform to store its state in
- Run `terraform init -backend-config bucket=<bucket-name>`
- Create `terraform.tfvars` to provide values for the variables defined in `variables.tf` (see `terraform.tfvars.example`)
- Run `terraform apply` to provision the name servers
- Delegate to your name servers (`ns1.example.com.` and `ns2.example.com.`) at your registrar
  - This is required to create glue records in the `com.` parent domain
- Run `terraform output` to view the static external IP addresses assigned to the name servers

Note: to check whether the glue records are already in place, use `dig +norecurse @$(dig +short com. NS | head -1) ns1.example.com. NS`.
Use `nsupdate` with the `ddns.key`:

```sh
nsupdate -k ddns.key << EOF
debug
update add sample.example.com. 60 A 127.0.0.1
send
EOF
```
Zones can be transferred by any host (local or remote), but only from the master/primary name server (`ns1`), using the TSIG key:

```sh
dig -k ns1-ns2.key @$(dig +short example.com. SOA | awk '{print $1}') example.com. AXFR
```

Note: the slave (`ns2`) doesn't allow zone transfers even with a TSIG key.
Use one of these:

```sh
ssh -i id_rsa user@ns{1,2}.example.com
mosh --ssh='ssh -i id_rsa' user@ns{1,2}.example.com
wsl -- mosh --ssh='ssh -i id_rsa' user@ns{1,2}.example.com
```

Note: some time must pass before `ns{1,2}.example.com` resolve properly.
When the SSH host keys change on the servers, `.ssh/known_hosts` must be updated:

```sh
ssh-keygen -R ns{1,2}.example.com
wsl -- ssh-keygen -R ns{1,2}.example.com
```

Note: create `/etc/wsl.conf` with the following contents when using `wsl` with SSH keys located under `/mnt`:

```ini
[automount]
options = "metadata"
```

then run `wsl --shutdown` and `wsl -- chmod 600 id_rsa`.