From 180714cd58dac936954c778d9539eb0618e63cea Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sun, 6 Oct 2019 05:08:38 +0200
Subject: added bind role
---
chaos-at-home/ch-mimas2.yml | 1 +
inventory/host_vars/ch-mimas2.yml | 59 +++++++++++++++++++
roles/bind/defaults/main.yml | 14 +++++
roles/bind/handlers/main.yml | 5 ++
roles/bind/tasks/main.yml | 109 ++++++++++++++++++++++++++++++++++++
roles/bind/templates/slave-zones.j2 | 22 ++++++++
6 files changed, 210 insertions(+)
create mode 100644 roles/bind/defaults/main.yml
create mode 100644 roles/bind/handlers/main.yml
create mode 100644 roles/bind/tasks/main.yml
create mode 100644 roles/bind/templates/slave-zones.j2
diff --git a/chaos-at-home/ch-mimas2.yml b/chaos-at-home/ch-mimas2.yml
index 974cd817..df340958 100644
--- a/chaos-at-home/ch-mimas2.yml
+++ b/chaos-at-home/ch-mimas2.yml
@@ -6,3 +6,4 @@
 - role: sshd
 - role: zsh
 - role: admin-user
+ - role: bind
diff --git a/inventory/host_vars/ch-mimas2.yml b/inventory/host_vars/ch-mimas2.yml
index b8f30628..8cb08bd8 100644
--- a/inventory/host_vars/ch-mimas2.yml
+++ b/inventory/host_vars/ch-mimas2.yml
@@ -8,3 +8,62 @@ install:
 root_lvm_size: all
 network: {}
+
+bind_option_empty_zones_enable: no
+bind_option_allow_transfer: []
+bind_option_allow_recursion:
+ - localhost
+bind_option_notify: no
+
+bind_empty_onion_zone: yes
+bind_slave_zones:
+ - name: pan
+ masters:
+ - 89.106.215.17
+ - 2a02:3e0:407::17
+ zones:
+ ## formerly known as self
+ - chaos-at-home.org
+ - chaox.org
+ - spreadspace.org
+ - spreadspace.com
+ - spreadspace.net
+ - spreadspace.systems
+ - elev8.at
+ - java-sucks.com
+ - xn--gh-via.org
+ - schaaas.at
+ ## formerly known as others
+ - gimpf.org
+ - rabbitsatethesputnik.com
+ - gentealdente.com
+ - movetogether.at
+ ## formerly known as xro
+ - tittelbach.at
+ - tittelbach.org
+ ## formerly known as otti
+ - anytun.org
+ - gsenger.com
+ - wirdorange.org
+ - xn--3-0fa.at
+ - 5.208.106.89.in-addr.arpa
+ - 5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.e.3.0.2.0.a.2.ip6.arpa
+
+ - name: realraum
+ masters:
+ - 89.106.211.33
+ - 2a02:3e0:4000:1::1
+ zones:
+ - realraum.at
+ - r3.at
+ - hack-challenge.at
+
+ - name: funkfeuer
+ masters:
+ - 193.33.150.114
+ zones:
+ - ffgraz.net
+ - graz.funkfeuer.at
+ - 10.in-addr.arpa
+ - 150.33.193.in-addr.arpa
+ - 151.33.193.in-addr.arpa
diff --git a/roles/bind/defaults/main.yml b/roles/bind/defaults/main.yml
new file mode 100644
index 00000000..e5b4c688
--- /dev/null
+++ b/roles/bind/defaults/main.yml
@@ -0,0 +1,14 @@
+---
+## options
+
+# bind_option_empty_zones_enable: yes
+# bind_option_allow_transfer: []
+# bind_option_allow_recursion: []
+# bind_option_notify: no
+
+
+## zone configs
+
+# bind_empty_onion_zone: no
+# bind_master_zones: ...
+# bind_slave_zones: ...
diff --git a/roles/bind/handlers/main.yml b/roles/bind/handlers/main.yml
new file mode 100644
index 00000000..1bb588c7
--- /dev/null
+++ b/roles/bind/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: reload bind
+ systemd:
+ name: bind9
+ state: reloaded
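Review bot: The new host variables spell their booleans with YAML 1.1 truthy words (`bind_option_empty_zones_enable: no`, `bind_option_notify: no`, `bind_empty_onion_zone: yes`); Ansible resolves them, but yamllint's truthy rule flags them and a YAML 1.2 parser reads them as strings. Writing them as `false`/`true` keeps the values unambiguous across tooling. Leaving `bind_option_allow_transfer` empty and limiting `bind_option_allow_recursion` to `localhost` is the right restrictive setting for a secondary and needs no change.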
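Review bot: Every entry in defaults/main.yml is commented out, so the role is not self-contained: a host that applies it without setting `bind_empty_onion_zone` fails at `when: bind_empty_onion_zone` in tasks/main.yml with an undefined-variable error, and a host that leaves `bind_option_allow_transfer` unset gets no `allow-transfer` statement at all, which for the BIND 9 releases current at the time of this commit means the built-in default of allowing zone transfers to any client. Uncommenting the safe values fixes both: `bind_empty_onion_zone: false`, `bind_option_allow_transfer: []`, `bind_option_allow_recursion: []`. The remaining options can stay as commented documentation because the tasks guard them with `is defined`.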
diff --git a/roles/bind/tasks/main.yml b/roles/bind/tasks/main.yml
new file mode 100644
index 00000000..92e37e6a
--- /dev/null
+++ b/roles/bind/tasks/main.yml
@@ -0,0 +1,109 @@
+---
+- name: install bind
+ apt:
+ name: bind9
+ state: present
+
+- name: set bind options
+ blockinfile:
+ path: /etc/bind/named.conf.options
+ block: |
+ {% if bind_option_empty_zones_enable is defined %}
+ empty-zones-enable {% if bind_option_empty_zones_enable %}yes{% else %}no{% endif %};
+ {% endif %}
+ {% if bind_option_notify is defined %}
+ notify {% if bind_option_notify %}yes{% else %}no{% endif %};
+ {% endif %}
+ {% if bind_option_allow_transfer is defined %}
+
+ allow-transfer {
+ {% for item in bind_option_allow_transfer %}
+ {{ item }};
+ {% endfor %}
+ };
+ {% endif %}
+ {% if bind_option_allow_recursion is defined %}
+
+ allow-recursion {
+ {% for item in bind_option_allow_recursion %}
+ {{ item }};
+ {% endfor %}
+ };
+ {% endif %}
+ insertbefore: '};'
+ marker: " // {mark} ansible managed block"
+ notify: reload bind
+
+
+- name: add empty .onion zone
+ when: bind_empty_onion_zone
+ copy:
+ dest: /etc/bind/named.conf.onion
+ content: |
+ // block .onion addresses
+ zone "onion" {
+ type master;
+ file "/etc/bind/db.empty";
+ notify no;
+ };
+ notify: reload bind
+
+- name: remove empty .onion zone
+ when: not bind_empty_onion_zone
+ file:
+ path: /etc/bind/named.conf.onion
+ state: absent
+ notify: reload bind
+
+- name: enable/disable empty .onion zone
+ lineinfile:
+ path: /etc/bind/named.conf
+ line: 'include "/etc/bind/named.conf.onion";'
+ state: "{% if bind_empty_onion_zone %}present{% else %}absent{% endif %}"
+ notify: reload bind
+
+
+- name: add slave zone configuration
+ when: bind_slave_zones is defined
+ template:
+ src: slave-zones.j2
+ dest: /etc/bind/named.conf.slave-zones
+ notify: reload bind
+
+- name: remove slave zone configuration
+ when: bind_slave_zones is not defined
+ file:
+ path: /etc/bind/named.conf.slave-zones
+ state: absent
+ notify: reload bind
+
+- name: enable/disable slave zone configuration
+ lineinfile:
+ path: /etc/bind/named.conf
+ line: 'include "/etc/bind/named.conf.slave-zones";'
+ state: "{% if bind_slave_zones is defined %}present{% else %}absent{% endif %}"
+ notify: reload bind
+
+
+# - name: add master zone configuration
+# when: bind_master_zones is defined
+# template:
+# src: master-zones.j2
+# dest: /etc/bind/named.conf.master-zones
+# notify: reload bind
+
+# - name: remove master zone configuration
+# when: bind_master_zones is not defined
+# file:
+# path: /etc/bind/named.conf.master-zones
+# state: absent
+# notify: reload bind
+
+# ## TODO: install zone files for master zones
+
+# - name: enable/disable master zone configuration
+# lineinfile:
+# path: /etc/bind/named.conf
+# line: 'include "/etc/bind/named.conf.master-zones";'
+# state: "{% if bind_master_zones is defined %}present{% else %}absent{% endif %}"
+# notify: reload bind
diff --git a/roles/bind/templates/slave-zones.j2 b/roles/bind/templates/slave-zones.j2
new file mode 100644
index 00000000..da9ba699
--- /dev/null
+++ b/roles/bind/templates/slave-zones.j2
@@ -0,0 +1,22 @@
+// Masters
+
+{% for group in bind_slave_zones %}
+masters {{ group.name }} {
+{% for master in group.masters %}
+ {{ master }};
+{% endfor %}
+};
+
+{% endfor %}
+
+// Zones
+{% for group in bind_slave_zones %}
+{% for zone in group.zones %}
+
+zone "{{ zone }}" {
+ type slave;
+ file "/var/cache/bind/db.{{ zone }}.sec";
+ masters { {{ group.name }}; };
+};
+{% endfor %}
+{% endfor %}
-- cgit v1.2.3
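Review bot: `insertbefore: '};'` in the "set bind options" task is an unanchored regex, and blockinfile places the block before the last line that matches it; on Debian's stock named.conf.options that is the closing brace of `options { ... }`, but any later statement ending in `};` appended after it could pull the managed block outside the options block and named would then refuse the file. Anchoring it as `insertbefore: '^};'` ties the insert to a top-level closing brace. The tasks also hand the edited files straight to the `reload bind` handler without checking them, so a bad address in `bind_option_allow_recursion` or a malformed entry in `bind_slave_zones` is only noticed when the reload fails; a `- name: check bind configuration` task running `command: named-checkconf` with `changed_when: false` after the last lineinfile task would fail the play before the handler runs.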