diff --git a/README.md b/README.md index fdfb239..46dd069 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ -[![Build Status](https://travis-ci.org/resmo/ansible-role-bind.png?branch=master)](https://travis-ci.org/resmo/ansible-role-bind) +[![Build Status](https://travis-ci.org/teadur/ansible-role-bind.png?branch=master)](https://travis-ci.org/teadur/ansible-role-bind) -# Ansible Bind Role +# Ansible Bind9 Role An ansible role for installing and managing bind, acting as primary and/or secondary nameserver. It does also copy the master zone files (`bind_masterzones_path`), but however, the zone files must exist. @@ -34,6 +34,28 @@ Optionally: If your nameservers acts as a secondary nameserver, here is a sample - example.net - example.org +Optionally: If your nameservers acts as a secondary nameserver, here is a sample setup with TSIG Keys: + + bind_config_slave_zones: + - name: example.net + tsig_keys: + - name: sample-key + algorithm: hmac-md5 + secret: 'phaiGouX7Soh8gee4Vee' + masters_templates: + - name: example-tmpl + servers: + - '127.0.0.1 key sample-key' + - '2001::15 key sample-key' + masters: [ 'example-templ' ] + zones: + - example.net + - example.org + + bind_config_master_tsig_keys: + - name: sample-key + algorithm: hmac-md5 + secret: 'phaiGouX7Soh8gee4Vee' Optionally: If you need to forward some zones directly to another nameserver, here is a sample: @@ -64,7 +86,11 @@ None. - hosts: nameservers remote_user: root roles: - - { role: resmo.bind } + - role: bind9 + bind_base_zones_path: '/var/cache/bind' + bind_config_version: 'none' + bind_config_master_zones: [] + bind_config_slave_zones: [] ## License @@ -75,3 +101,6 @@ MIT ## Author Information René Moser + +Additions by Daniel Paufler +Additions by Georg Kahest diff --git a/defaults/main.yml b/defaults/main.yml index 6a6e3df..8dfe571 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -2,14 +2,23 @@
 bind_config_master_zones: []
 bind_config_master_allow_transfer: []
 bind_config_master_forwarders: []
+bind_config_master_tsig_keys: []
 bind_config_recursion: "no"
 bind_config_slave_zones: []
 bind_config_forward_zones: []
 bind_service_state: started
 bind_service_enabled: yes
-bind_pkg_state: installed
+bind_pkg_state: present
 bind_base_zones_path: "/var/lib/bind"
 bind_masterzones_path: "masters"
 bind_slavezones_path: "slaves"
 bind_config_listen_on: any
 bind_config_allow_query: []
+bind_config_allow_recursion: []
+bind_config_allow_query_cache: []
+bind_config_acls: []
+bind_config_notify: 'no'
+bind_config_querylog: 'no'
+bind_config_disable_default_zones: false
+bind_config_version: false
+bind_config_transfer_source: false
diff --git a/files/masters/db.example.com b/files/masters/db.example.com
index a534853..1ae4e0c 100644
--- a/files/masters/db.example.com
+++ b/files/masters/db.example.com
@@ -1,3 +1,4 @@
+;Ansible managed, do not edit directly
 $TTL 4h
 $ORIGIN example.com.
 @ IN SOA ns1.example.com. hostmaster.example.com. (
diff --git a/files/named.conf b/files/named.conf.default-zones
similarity index 50%
rename from files/named.conf
rename to files/named.conf.default-zones
index eef8b96..c508a76 100644
--- a/files/named.conf
+++ b/files/named.conf.default-zones
@@ -1,12 +1,4 @@
-// This is the primary configuration file for the BIND DNS server named.
-//
-// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
-// structure of BIND configuration files in Debian, *BEFORE* you customize
-// this configuration file.
-//
-// If you are just adding zones, please do that in /etc/bind/named.conf.local
-
-include "/etc/bind/named.conf.options";
+// !!!! Don't modify: this file was generated by Ansible !!!!
 
 // prime the server with knowledge of the root servers
 zone "." {
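Review bot: The new `bind_config_version: false` default stops the options template from emitting a `version` directive at all (before this change the directive was rendered unconditionally), so a stock deployment now answers `version.bind` CHAOS queries with the real BIND version and only the README example opts out with `'none'`. Shipping `bind_config_version: 'none'` as the default keeps the previous hardening while still letting operators override it. The empty `bind_config_allow_recursion: []` and `bind_config_allow_query_cache: []` defaults are rendered by the options template as `any`, which as far as I recall is wider than BIND's own fallback of `localhost; localnets;`, so anyone who later sets `bind_config_recursion: "yes"` without also filling these lists gets an open resolver; a comment on those two keys saying that an empty list means `any` would make that explicit. `bind_config_master_tsig_keys` will carry shared secrets once populated, so a `# keep secrets in ansible-vault, not plain group_vars` comment next to it is cheap insurance.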
@@ -35,9 +27,4 @@ zone "0.in-addr.arpa" {
 zone "255.in-addr.arpa" {
 type master;
 file "/etc/bind/db.255";
-};
-
-include "/etc/bind/named.conf.local";
-include "/etc/bind/named.conf.local.master";
-include "/etc/bind/named.conf.local.slave";
-include "/etc/bind/named.conf.local.forward";
+};
\ No newline at end of file
diff --git a/tasks/main.yml b/tasks/main.yml
index 50b442c..9cd7410 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -4,32 +4,44 @@ with_items: "{{ bind_pkgs }}" - name: setup zone directories - file: dest={{ bind_base_zones_path }}/{{ item }} state=directory owner={{ bind_user }} group={{ bind_group }} mode=0755 + file: dest="{{ bind_base_zones_path }}/{{ item }}" state=directory owner="{{ bind_user }}" group="{{ bind_group }}" mode=0755 with_items: - masters - slaves - name: setup zones - template: src=named.conf.local.{{ item }}.j2 dest={{ bind_config_basepath }}/named.conf.local.{{ item }} owner={{ bind_user }} group={{ bind_group }} mode=0600 + template: src="named.conf.local.{{ item }}.j2" dest="{{ bind_config_basepath }}/named.conf.local.{{ item }}" owner="{{ bind_user }}" group="{{ bind_group }}" mode=0600 with_items: - master - slave - forward notify: reload bind -- name: configure bind - copy: src=named.conf dest={{ bind_config_basepath }}/named.conf owner={{ bind_user }} group={{ bind_group }} mode=0600 +- name: configure bind (named.conf) + template: src=named.conf.j2 dest="{{ bind_config_basepath }}/named.conf" owner="{{ bind_user }}" group="{{ bind_group }}" mode=0600 + notify: restart bind + +- name: configure bind (named.conf.default-zones) + copy: src=named.conf.default-zones dest="{{ bind_config_basepath }}/named.conf.default-zones" owner="{{ bind_user }}" group="{{ bind_group }}" mode=0600 notify: restart bind - name: configure bind options - template: src=named.conf.options.j2 dest={{ bind_config_basepath }}/named.conf.options owner={{ bind_user }} group={{ bind_group }} mode=0600 + template: src=named.conf.options.j2 dest="{{ bind_config_basepath }}/named.conf.options" owner="{{ bind_user }}" group="{{ bind_group }}" mode=0600 notify: restart bind +- name: Create directory for master zone files + file: + path: "{{ bind_base_zones_path }}/{{ bind_masterzones_path }}" + mode: 0755 + state: directory + owner: "{{ bind_user }}" + group: "{{ bind_group }}" + - name: Copy master zone files - copy: src={{ bind_masterzones_path }}/db.{{ item.name }} dest={{ 
bind_base_zones_path }}/{{bind_masterzones_path}} owner={{ bind_user }} group={{ bind_group }} + copy: src="{{ bind_masterzones_path }}/db.{{ item.name }}" dest="{{ bind_base_zones_path }}/{{ bind_masterzones_path }}/db.{{ item.name }}" owner="{{ bind_user }}" group="{{ bind_group }}" with_items: "{{ bind_config_master_zones }}" notify: reload bind tags: bind-zones - name: start/stop bind service - service: name={{ bind_service_name }} state={{ bind_service_state }} enabled={{ bind_service_enabled }} + service: name="{{ bind_service_name }}" state="{{ bind_service_state }}" enabled="{{ bind_service_enabled }}" diff --git a/templates/named.conf.j2 b/templates/named.conf.j2 new file mode 100644 index 0000000..b1641c7 --- /dev/null +++ b/templates/named.conf.j2 @@ -0,0 +1,15 @@ +// !!!! Don't modify: this file was generated by Ansible !!!! + +// This is the primary configuration file for the BIND DNS server named. +// +// Please read /usr/share/doc/bind9/README.Debian.gz for information on the +// structure of BIND configuration files in Debian, *BEFORE* you customize +// this configuration file. +// +// If you are just adding zones, please do that in /etc/bind/named.conf.local + +include "/etc/bind/named.conf.options"; +include "/etc/bind/named.conf.local.master"; +include "/etc/bind/named.conf.local.slave"; +include "/etc/bind/named.conf.local.forward"; +{% if not bind_config_disable_default_zones %}include "/etc/bind/named.conf.default-zones";{% endif %} diff --git a/templates/named.conf.local.master.j2 b/templates/named.conf.local.master.j2 index fb26b21..e431f29 100644 --- a/templates/named.conf.local.master.j2 +++ b/templates/named.conf.local.master.j2 
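Review bot: The "Copy master zone files" task writes zone data straight into the directory named loads from and then notifies `reload bind` with no syntax check, so a malformed `db.<zone>` takes the zone offline (and the config tasks, which notify `restart bind`, can take the whole server down); add `validate: 'named-checkzone {{ item.name }} %s'` to that task so the copy is refused before it reaches the live directory, assuming the checker ships with whatever `bind_pkgs` installs. The new "Create directory for master zone files" task duplicates "setup zone directories" above it, yet that earlier task still hardcodes `masters`/`slaves` while the rest of the hunk uses `bind_masterzones_path`/`bind_slavezones_path`, so an operator who overrides `bind_slavezones_path` never gets the slave directory created; loop the first task over the two variables and drop the duplicate. The copy task also sets owner and group but no `mode`, leaving the result to the remote umask; `mode: '0644'` pins it.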
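Review bot: The generated `named.conf` keeps the Debian comment telling operators to add zones in `/etc/bind/named.conf.local`, but the include list below no longer contains that file (the pre-change `files/named.conf` did include it), so any locally added zones silently stop loading on the first run of the new role version. Either re-add `include "/etc/bind/named.conf.local";` or rewrite the comment to say zones are managed only through `bind_config_*_zones`. Since this is now a template, the hardcoded `/etc/bind/` prefix should also become `{{ bind_config_basepath }}`, the path tasks/main.yml actually writes to; otherwise a non-Debian `bind_config_basepath` yields a named.conf whose includes point at files the role never wrote.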
@@ -1,4 +1,14 @@ ## {{ ansible_managed }} +######## ({{ bind_config_master_zones|count }} zones) +# TSIG Keys +{% for tsig_key in bind_config_master_tsig_keys|default('') %} +key "{{ tsig_key.name }}" { + algorithm {{ tsig_key.algorithm }}; + secret "{{ tsig_key.secret }}"; +}; +{% endfor %} + +# Zones {% for master_zone in bind_config_master_zones %} zone "{{ master_zone.name }}" { diff --git a/templates/named.conf.local.slave.j2 b/templates/named.conf.local.slave.j2 index e20bad3..045d26e 100644 --- a/templates/named.conf.local.slave.j2 +++ b/templates/named.conf.local.slave.j2 @@ -1,13 +1,34 @@ ## {{ ansible_managed }} + {% for slave_zone in bind_config_slave_zones %} ######## {{ slave_zone.name }} ({{ slave_zone.zones|count }} zones) -{% for zone in slave_zone.zones %} +# TSIG Keys +{% for tsig_key in slave_zone.tsig_keys|default('') %} +key "{{ tsig_key.name }}" { + algorithm {{ tsig_key.algorithm }}; + secret "{{ tsig_key.secret }}"; +}; +{% endfor %} + +# Masters Template +{% for master in slave_zone.masters_templates|default('') %} +masters {{ master.name }} { +{% for server in master.servers %} + {{ server }}; +{% endfor %} +}; +{% endfor %} + +# Zones +{% for zone in slave_zone.zones|sort %} zone "{{ zone }}" { type slave; + notify no; file "{{bind_base_zones_path}}/{{bind_slavezones_path}}/db.{{ zone }}"; + masterfile-format text; # no bind9.9 binary format masters { {% for master in slave_zone.masters %} - {{ master }}; + {{ master }}; {% endfor %} }; }; diff --git a/templates/named.conf.options.j2 b/templates/named.conf.options.j2 index 7a1deb6..f76251f 100644 --- a/templates/named.conf.options.j2 +++ b/templates/named.conf.options.j2 
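Review bot: `bind_config_master_tsig_keys|default('')` falls back to an empty string rather than an empty list; it happens to iterate zero times, but `default([])` states the intent and matches the type declared in defaults/main.yml. Emitting `key` blocks here only protects transfers if the master zone's `allow-transfer` references `key "<name>"`; the zone block rendered by the loop below is outside this hunk, so I cannot tell whether it does, but if it lists only IPs the keys are defined and never used. If the same key name also appears in a slave entry's `tsig_keys` (the README sample reuses `sample-key` in both places), both files are included into one named.conf and named will, as far as I remember, reject the duplicate `key` definition; a `# a key name may be defined once across master and slave lists` comment above the loop, or deduplicating at the top level, would head that off. A `# prefer hmac-sha256; hmac-md5 is deprecated` hint would also help, since the README sample uses MD5.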
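Review bot: The `key` blocks are rendered inside the `for slave_zone` loop, so a key shared by two `bind_config_slave_zones` entries is defined twice in named.conf.local.slave, which as far as I know BIND rejects as a duplicate key name; hoist the keys to a top-level variable rendered once before the loop so each key is emitted exactly once. `slave_zone.tsig_keys|default('')` and `masters_templates|default('')` should default to `[]`, matching the list shape the README documents. The hardcoded `notify no;` inside every slave zone silently overrides the `bind_config_notify` option added in the same commit; if secondaries are meant to stay quiet, say so with a comment, otherwise use `notify {{ bind_config_notify }};`.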
@@ -1,8 +1,30 @@ // {{ ansible_managed }} +{% for acl in bind_config_acls %} +acl "{{ acl.name }}" { +{% for entries in acl.entries %} + {{ entries | indent(4) }}; +{% endfor %} +}; +{% endfor %} + +// TODO: Make me dynamic +logging { + channel default_syslog { + print-time yes; + print-category yes; + print-severity yes; + syslog daemon; + severity info; + }; + category queries { default_syslog; }; + category dnssec { default_syslog; }; + +}; + options { directory "/var/cache/bind"; - + hostname "{{ inventory_hostname }}"; // If there is a firewall between you and nameservers you want // to talk to, you might need to uncomment the query-source // directive below. Previous versions of BIND always asked @@ -12,9 +34,12 @@ options { //query-source address * port 53; query-source address * port *; - - transfer-source *; - + {% if bind_config_transfer_source %} + transfer-source {{ ansible_default_ipv4.address }} port 53; + {% if ansible_default_ipv6.address is defined %} + transfer-source-v6 {{ ansible_default_ipv6.address }} port 53; + {% endif %} + {% endif %} notify-source *; allow-transfer { @@ -23,7 +48,7 @@ options { {% endfor %} }; - notify yes; + notify {{ bind_config_notify }}; also-notify { }; @@ -41,10 +66,11 @@ options { }; {% endif %} - //dnssec-enable yes; - //dnssec-validation yes; - - auth-nxdomain no; # conform to RFC1035 + dnssec-enable yes; + dnssec-validation yes; +{% if bind_config_version %} version "{{ bind_config_version }}"; +{% endif %} + auth-nxdomain no; // conform to RFC1035 listen-on { {{ bind_config_listen_on }}; }; listen-on-v6 { any; }; 
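Review bot: `category queries { default_syslog; };` in the new `logging` block enables query logging on its own: BIND turns query logging on whenever the `queries` category has a channel and no `querylog` statement says otherwise, and this template only emits `querylog` when `bind_config_querylog == 'yes'`, so the `'no'` default is not honoured and every client query is written to syslog at `info`. That is a privacy problem and an easy way to fill `/var/log` on a busy server; wrap the line in `{% if bind_config_querylog == 'yes' %}` or point the category at a `null` channel by default. `hostname "{{ inventory_hostname }}";` publishes the Ansible inventory name to anyone sending a `hostname.bind` CHAOS query; `hostname none;` (or a `bind_config_hostname` variable) is the safer default. The `// TODO: Make me dynamic` marker should name what is meant to become configurable, or be dropped.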
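Review bot: Wrapping `version` in `{% if bind_config_version %}` removes the directive whenever the variable is unset or false, which is exactly what the new default in defaults/main.yml does, so a stock deployment now exposes the real BIND version over `version.bind` whereas the context line shows it was always rendered before. Render the masking value unconditionally, e.g. `version "{{ bind_config_version | default('none', true) }}";`, so only an explicit value changes it. `dnssec-validation yes;` validates only against trust anchors configured elsewhere, and none appear in this diff; unless they are added, `dnssec-validation auto;` is the form that uses BIND's built-in root key, and `dnssec-enable` may be flagged as obsolete on recent BIND releases and can be dropped.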
@@ -56,9 +82,32 @@ options { {% endfor %} }; {% else %} - allow-query { any; }; // This is the default + allow-query { any; }; // This is the default {% endif %} - recursion {{ bind_config_recursion }}; // Do not provide recursive service +{% if bind_config_allow_recursion %} + allow-recursion { + {% for queries in bind_config_allow_recursion %} + {{ queries }}; + {% endfor %} + }; + {% else %} + allow-recursion { any; }; // This is the default + {% endif %} + +{% if bind_config_allow_query_cache %} + allow-query-cache { + {% for queries in bind_config_allow_query_cache %} + {{ queries }}; + {% endfor %} + }; + {% else %} + allow-query-cache { any; }; // This is the default + {% endif %} + + recursion {{ bind_config_recursion }}; zone-statistics yes; + {% if bind_config_querylog == 'yes' %} + querylog {{ bind_config_querylog }}; + {% endif %} };
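Review bot: The `{% else %}` branches render `allow-recursion { any; }` and `allow-query-cache { any; }` and label them the default, but BIND's own fallback when these options are omitted is, as far as I recall, `localhost; localnets;` (and `none` for the cache under `recursion no`), so the template is strictly more permissive than leaving the options out. Combined with the empty-list defaults this produces an open resolver the moment `bind_config_recursion` is set to yes. Drop both `{% else %}` branches so BIND's built-in default applies, or fall back to `allow-recursion { localhost; localnets; };` explicitly and correct the comment. The indented `{% if %}`/`{% for %}` tags also leave stray leading whitespace in the rendered file; placing them at column 0, as the `{% if bind_config_allow_recursion %}` line already is, keeps the output tidy.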