author | Christian Pointner <equinox@spreadspace.org> | 2022-06-19 00:03:22 +0200 |
---|---|---|
committer | Christian Pointner <equinox@spreadspace.org> | 2022-06-19 00:03:22 +0200 |
commit | d5cb307d443301e96a06c80e4608ec7e9d015e0e (patch) | |
tree | 3a52b762ae29ec9e17b84ca05c3ecbc8e3e8c9b8 | |
parent | add simple handling for nftable rulesets in base role (diff) |
import improved bind role from helsinki repo
-rw-r--r-- | chaos-at-home/ch-mimas2.yml | 2 | ||||
-rw-r--r-- | inventory/host_vars/ch-mimas2.yml | 84 | ||||
-rw-r--r-- | roles/bind/defaults/main.yml | 14 | ||||
-rw-r--r-- | roles/bind/tasks/main.yml | 109 | ||||
-rw-r--r-- | roles/bind/templates/slave-zones.j2 | 22 | ||||
-rw-r--r-- | roles/network/bind/defaults/main.yml | 35 | ||||
-rw-r--r-- | roles/network/bind/handlers/main.yml (renamed from roles/bind/handlers/main.yml) | 0 | ||||
-rw-r--r-- | roles/network/bind/tasks/main.yml | 151 | ||||
-rw-r--r-- | roles/network/bind/templates/master-zones.j2 | 8 | ||||
-rw-r--r-- | roles/network/bind/templates/slave-zones.j2 | 22 |
10 files changed, 259 insertions, 188 deletions
diff --git a/chaos-at-home/ch-mimas2.yml b/chaos-at-home/ch-mimas2.yml
index ff8d3239..ab445ce9 100644
--- a/chaos-at-home/ch-mimas2.yml
+++ b/chaos-at-home/ch-mimas2.yml
@@ -7,7 +7,7 @@
- role: core/sshd/base
- role: core/zsh
- role: core/admin-users
- - role: bind
+ - role: network/bind
- role: apt-repo/spreadspace
- role: acmetool/base
- role: network/wireguard/base
diff --git a/inventory/host_vars/ch-mimas2.yml b/inventory/host_vars/ch-mimas2.yml
index 1cf22b81..de561675 100644
--- a/inventory/host_vars/ch-mimas2.yml
+++ b/inventory/host_vars/ch-mimas2.yml
@@ -12,58 +12,58 @@
bind_option_empty_zones_enable: no
bind_option_allow_transfer: []
bind_option_allow_recursion:
- localhost
-bind_option_notify: no
+bind_option_notify: 'no'
bind_empty_onion_zone: yes
bind_slave_zones:
- - name: pan
+ pan:
masters:
- - 89.106.215.17
- - 2a02:3e0:407::17
+ - 89.106.215.17
+ - 2a02:3e0:407::17
zones:
- ## formerly known as self
- - chaos-at-home.org
- - chaox.org
- - spreadspace.org
- - spreadspace.com
- - spreadspace.net
- - spreadspace.systems
- - elev8.at
- - radiogloria.at
- - java-sucks.com
- - xn--gh-via.org
- - schaaas.at
- ## formerly known as others
- - gimpf.org
- - rabbitsatethesputnik.com
- - gentealdente.com
- - ambindermichl.at
- - movetogether.at
- ## formerly known as otti
- - anytun.org
- - gsenger.com
- - wirdorange.org
- - xn--3-0fa.at
- - 5.208.106.89.in-addr.arpa
- - 5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.e.3.0.2.0.a.2.ip6.arpa
+ ## formerly known as self
+ - chaos-at-home.org
+ - chaox.org
+ - spreadspace.org
+ - spreadspace.com
+ - spreadspace.net
+ - spreadspace.systems
+ - elev8.at
+ - radiogloria.at
+ - java-sucks.com
+ - xn--gh-via.org
+ - schaaas.at
+ ## formerly known as others
+ - gimpf.org
+ - rabbitsatethesputnik.com
+ - gentealdente.com
+ - ambindermichl.at
+ - movetogether.at
+ ## formerly known as otti
+ - anytun.org
+ - gsenger.com
+ - wirdorange.org
+ - xn--3-0fa.at
+ - 5.208.106.89.in-addr.arpa
+ - 5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.e.3.0.2.0.a.2.ip6.arpa
- - name: realraum
+ realraum:
masters:
- - 89.106.211.33
- - 2a02:3e0:4000:1::1
+ - 89.106.211.33
+ - 2a02:3e0:4000:1::1
zones:
- - realraum.at
- - r3.at
- - hack-challenge.at
+ - realraum.at
+ - r3.at
+ - hack-challenge.at
- - name: funkfeuer
+ funkfeuer:
masters:
- - 193.33.150.114
+ - 193.33.150.114
zones:
- - ffgraz.net
- - graz.funkfeuer.at
- - 10.in-addr.arpa
- - 150.33.193.in-addr.arpa
- - 151.33.193.in-addr.arpa
+ - ffgraz.net
+ - graz.funkfeuer.at
+ - 10.in-addr.arpa
+ - 150.33.193.in-addr.arpa
+ - 151.33.193.in-addr.arpa
apt_repo_provider: default
diff --git a/roles/bind/defaults/main.yml b/roles/bind/defaults/main.yml
deleted file mode 100644
index e5b4c688..00000000
--- a/roles/bind/defaults/main.yml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-## options
-
-# bind_option_empty_zones_enable: yes
-# bind_option_allow_transfer: []
-# bind_option_allow_recursion: []
-# bind_option_notify: no
-
-
-## zone configs
-
-# bind_empty_onion_zone: no
-# bind_master_zones: ...
-# bind_slave_zones: ...
diff --git a/roles/bind/tasks/main.yml b/roles/bind/tasks/main.yml
deleted file mode 100644
index 92e37e6a..00000000
--- a/roles/bind/tasks/main.yml
+++ /dev/null
@@ -1,109 +0,0 @@
----
-- name: install bind
- apt:
- name: bind9
- state: present
-
-- name: set bind options
- blockinfile:
- path: /etc/bind/named.conf.options
- block: |
- {% if bind_option_empty_zones_enable is defined %}
- empty-zones-enable {% if bind_option_empty_zones_enable %}yes{% else %}no{% endif %};
- {% endif %}
- {% if bind_option_notify is defined %}
- notify {% if bind_option_notify %}yes{% else %}no{% endif %};
- {% endif %}
- {% if bind_option_allow_transfer is defined %}
-
- allow-transfer {
- {% for item in bind_option_allow_transfer %}
- {{ item }};
- {% endfor %}
- };
- {% endif %}
- {% if bind_option_allow_recursion is defined %}
-
- allow-recursion {
- {% for item in bind_option_allow_recursion %}
- {{ item }};
- {% endfor %}
- };
- {% endif %}
- insertbefore: '};'
- marker: " // {mark} ansible managed block"
- notify: reload bind
-
-
-- name: add empty .onion zone
- when: bind_empty_onion_zone
- copy:
- dest: /etc/bind/named.conf.onion
- content: |
- // block .onion addresses
- zone "onion" {
- type master;
- file "/etc/bind/db.empty";
- notify no;
- };
- notify: reload bind
-
-- name: remove empty .onion zone
- when: not bind_empty_onion_zone
- file:
- path: /etc/bind/named.conf.onion
- state: absent
- notify: reload bind
-
-- name: enable/disable empty .onion zone
- lineinfile:
- path: /etc/bind/named.conf
- line: 'include "/etc/bind/named.conf.onion";'
- state: "{% if bind_empty_onion_zone %}present{% else %}absent{% endif %}"
- notify: reload bind
-
-
-- name: add slave zone configuration
- when: bind_slave_zones is defined
- template:
- src: slave-zones.j2
- dest: /etc/bind/named.conf.slave-zones
- notify: reload bind
-
-- name: remove slave zone configuration
- when: bind_slave_zones is not defined
- file:
- path: /etc/bind/named.conf.slave-zones
- state: absent
- notify: reload bind
-
-- name: enable/disable slave zone configuration
- lineinfile:
- path: /etc/bind/named.conf
- line: 'include "/etc/bind/named.conf.slave-zones";'
- state: "{% if bind_slave_zones is defined %}present{% else %}absent{% endif %}"
- notify: reload bind
-
-
-# - name: add master zone configuration
-# when: bind_master_zones is defined
-# template:
-# src: master-zones.j2
-# dest: /etc/bind/named.conf.master-zones
-# notify: reload bind
-
-# - name: remove master zone configuration
-# when: bind_master_zones is not defined
-# file:
-# path: /etc/bind/named.conf.master-zones
-# state: absent
-# notify: reload bind
-
-# ## TODO: install zone files for master zones
-
-# - name: enable/disable master zone configuration
-# lineinfile:
-# path: /etc/bind/named.conf
-# line: 'include "/etc/bind/named.conf.master-zones";'
-# state: "{% if bind_master_zones is defined %}present{% else %}absent{% endif %}"
-# notify: reload bind
diff --git a/roles/bind/templates/slave-zones.j2 b/roles/bind/templates/slave-zones.j2
deleted file mode 100644
index da9ba699..00000000
--- a/roles/bind/templates/slave-zones.j2
+++ /dev/null
@@ -1,22 +0,0 @@
-// Masters
-
-{% for group in bind_slave_zones %}
-masters {{ group.name }} {
-{% for master in group.masters %}
- {{ master }};
-{% endfor %}
-};
-
-{% endfor %}
-
-// Zones
-{% for group in bind_slave_zones %}
-{% for zone in group.zones %}
-
-zone "{{ zone }}" {
- type slave;
- file "/var/cache/bind/db.{{ zone }}.sec";
- masters { {{ group.name }}; };
-};
-{% endfor %}
-{% endfor %}
diff --git a/roles/network/bind/defaults/main.yml b/roles/network/bind/defaults/main.yml
new file mode 100644
index 00000000..80dbe396
--- /dev/null
+++ b/roles/network/bind/defaults/main.yml
@@ -0,0 +1,35 @@
+---
+## options
+
+# bind_option_empty_zones_enable: yes
+# bind_option_allow_query: []
+# bind_option_allow_recursion: []
+# bind_option_allow_update: []
+# bind_option_notify: '(yes|no|explicit)'
+# bind_option_also_notify: []
+# bind_option_allow_transfer: []
+
+
+## zone configs
+
+bind_empty_onion_zone: no
+
+# bind_master_zones:
+# example.com:
+# content: |
+# ....
+# foo.bar:
+# file: path/to/file
+
+# bind_slave_zones:
+# example:
+# masters:
+# - 192.0.2.1
+# zones:
+# - example.com
+# - example.net
+# foo:
+# master:
+# - 1.2.3.4
+# zone:
+# - foo.bar
diff --git a/roles/bind/handlers/main.yml b/roles/network/bind/handlers/main.yml
index 1bb588c7..1bb588c7 100644
--- a/roles/bind/handlers/main.yml
+++ b/roles/network/bind/handlers/main.yml
diff --git a/roles/network/bind/tasks/main.yml b/roles/network/bind/tasks/main.yml
new file mode 100644
index 00000000..39f144f5
--- /dev/null
+++ b/roles/network/bind/tasks/main.yml
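Review bot: The second `bind_slave_zones` example in the commented block uses the keys `master:` and `zone:`, while the first example and the slave-zones template that consumes this structure read `masters` and `zones`; a host_vars entry copied from that example would fail at template time on the missing attribute, so change it to `masters:` / `zones:` and use an address from the documentation range (`192.0.2.2`) rather than `1.2.3.4`. `bind_empty_onion_zone: no` is the only live default here; spelling it `false` avoids the YAML 1.1 truthy ambiguity that forced the `'no'` quoting in the host_vars change of this same commit. `bind_option_allow_update` is rendered into the `options` block, where BIND treats it as the default for every zone on the server, so a comment such as `# rendered into options{}, i.e. the default for all master zones — keep empty unless dynamic updates are wanted everywhere` would save the next maintainer from opening every zone to updates.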
@@ -0,0 +1,151 @@
+---
+- name: install bind
+ apt:
+ name: bind9
+ state: present
+
+- name: set bind options
+ blockinfile:
+ path: /etc/bind/named.conf.options
+ block: |
+ {% if bind_option_empty_zones_enable is defined %}
+ empty-zones-enable {% if bind_option_empty_zones_enable %}yes{% else %}no{% endif %};
+ {% endif %}
+ {% if bind_option_allow_query is defined %}
+
+ allow-query {
+ {% for item in bind_option_allow_query %}
+ {{ item }};
+ {% endfor %}
+ };
+ {% endif %}
+ {% if bind_option_allow_recursion is defined %}
+
+ allow-recursion {
+ {% for item in bind_option_allow_recursion %}
+ {{ item }};
+ {% endfor %}
+ };
+ {% endif %}
+ {% if bind_option_allow_update is defined %}
+
+ allow-update {
+ {% for item in bind_option_allow_update %}
+ {{ item }};
+ {% endfor %}
+ };
+ {% endif %}
+ {% if bind_option_notify is defined %}
+
+ notify {{ bind_option_notify }};
+ {% endif %}
+ {% if bind_option_also_notify is defined %}
+
+ also-notify {
+ {% for item in bind_option_also_notify %}
+ {{ item }};
+ {% endfor %}
+ };
+ {% endif %}
+ {% if bind_option_allow_transfer is defined %}
+
+ allow-transfer {
+ {% for item in bind_option_allow_transfer %}
+ {{ item }};
+ {% endfor %}
+ };
+ {% endif %}
+ insertbefore: '};'
+ marker: " // {mark} ansible managed block"
+ notify: reload bind
+
+
+- name: add empty .onion zone
+ when: bind_empty_onion_zone
+ copy:
+ dest: /etc/bind/named.conf.onion
+ content: |
+ // block .onion addresses
+ zone "onion" {
+ type master;
+ file "/etc/bind/db.empty";
+ zone-statistics no;
+ notify no;
+ };
+ notify: reload bind
+
+- name: remove empty .onion zone
+ when: not bind_empty_onion_zone
+ file:
+ path: /etc/bind/named.conf.onion
+ state: absent
+ notify: reload bind
+
+- name: enable/disable empty .onion zone
+ lineinfile:
+ path: /etc/bind/named.conf
+ line: 'include "/etc/bind/named.conf.onion";'
+ state: "{{ bind_empty_onion_zone is defined | ternary('present', 'absent') }}"
+ notify: reload bind
+
+
+- name: add slave zone configuration
+ when: bind_slave_zones is defined
+ template:
+ src: slave-zones.j2
+ dest: /etc/bind/named.conf.slave-zones
+ notify: reload bind
+
+- name: remove slave zone configuration
+ when: bind_slave_zones is not defined
+ file:
+ path: /etc/bind/named.conf.slave-zones
+ state: absent
+ notify: reload bind
+
+- name: enable/disable slave zone configuration
+ lineinfile:
+ path: /etc/bind/named.conf
+ line: 'include "/etc/bind/named.conf.slave-zones";'
+ state: "{{ bind_slave_zones is defined | ternary('present', 'absent') }}"
+ notify: reload bind
+
+
+- name: add master zone configuration
+ when: bind_master_zones is defined
+ template:
+ src: master-zones.j2
+ dest: /etc/bind/named.conf.master-zones
+ notify: reload bind
+
+- name: remove master zone configuration
+ when: bind_master_zones is not defined
+ file:
+ path: /etc/bind/named.conf.master-zones
+ state: absent
+ notify: reload bind
+
+- name: install master zone files (from local file)
+ when: bind_master_zones is defined
+ loop: "{{ bind_master_zones | dict2items | selectattr('value.file', 'defined') | list }}"
+ loop_control:
+ label: "{{ item.key }}"
+ copy:
+ dest: "/etc/bind/db.{{ item.key }}"
+ src: "{{ item.value.file }}"
+
+- name: install master zone files (from content)
+ when: bind_master_zones is defined
+ loop: "{{ bind_master_zones | dict2items | selectattr('value.content', 'defined') | list }}"
+ loop_control:
+ label: "{{ item.key }}"
+ copy:
+ dest: "/etc/bind/db.{{ item.key }}"
+ content: "{{ item.value.content }}"
+
+- name: enable/disable master zone configuration
+ lineinfile:
+ path: /etc/bind/named.conf
+ line: 'include "/etc/bind/named.conf.master-zones";'
+ state: "{{ bind_master_zones is defined | ternary('present', 'absent') }}"
+ notify: reload bind
diff --git a/roles/network/bind/templates/master-zones.j2 b/roles/network/bind/templates/master-zones.j2
new file mode 100644
index 00000000..2e400711
--- /dev/null
+++ b/roles/network/bind/templates/master-zones.j2
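Review bot: The `enable/disable empty .onion zone` task now keys the include line on `bind_empty_onion_zone is defined`, but this role's defaults file sets that variable (to `no`), so the test is always true and `include "/etc/bind/named.conf.onion";` stays in named.conf even after the `remove empty .onion zone` task has deleted the file — and a missing include is a configuration error that makes named refuse to reload. The old role tested the value itself; restoring that intent here is `state: "{{ bind_empty_onion_zone | ternary('present', 'absent') }}"` (the `is defined` form is only right for the slave/master zone tasks, whose variables have no default). Separately, the two `install master zone files` copy tasks carry no `notify: reload bind`, so an edited zone — whether given as `file` or `content` — lands on disk but is not loaded until some other task happens to trigger the handler; add `notify: reload bind` to both, as every other task in this file does. A `named-checkconf`/`named-checkzone` step before the reload would additionally stop a bad zone file from taking the server down, though that is beyond what this hunk shows.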
@@ -0,0 +1,8 @@
+// Zones
+{% for zone in bind_master_zones.keys() %}
+
+zone "{{ zone }}" {
+ type master;
+ file "/etc/bind/db.{{ zone }}";
+};
+{% endfor %}
diff --git a/roles/network/bind/templates/slave-zones.j2 b/roles/network/bind/templates/slave-zones.j2
new file mode 100644
index 00000000..7cf3a9b2
--- /dev/null
+++ b/roles/network/bind/templates/slave-zones.j2
@@ -0,0 +1,22 @@
+// Masters
+
+{% for name,config in bind_slave_zones.items() %}
+masters {{ name }} {
+{% for master in config.masters %}
+ {{ master }};
+{% endfor %}
+};
+
+{% endfor %}
+
+// Zones
+{% for name,config in bind_slave_zones.items() %}
+{% for zone in config.zones %}
+
+zone "{{ zone }}" {
+ type slave;
+ file "/var/cache/bind/db.{{ zone }}.sec";
+ masters { {{ name }}; };
+};
+{% endfor %}
+{% endfor %} |
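Review bot: The `masters {{ name }} { ... }` block emits bare addresses only, so every slave zone in this template accepts AXFR/IXFR data from whoever can present one of those source IPs; nothing in `bind_slave_zones` (or the role defaults) carries a TSIG key, and the host_vars in this commit list masters on public networks. BIND lets each entry name a key, so an optional per-group field would close that gap without changing existing inventories: `{{ master }}{% if config.key is defined %} key {{ config.key }}{% endif %};`, with the matching `key` statement expected to be defined elsewhere in named.conf. Whether the upstream masters in the inventory actually offer signed transfers I cannot tell from here, so this is a capability to add rather than a setting to flip blindly.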