From d5cb307d443301e96a06c80e4608ec7e9d015e0e Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Sun, 19 Jun 2022 00:03:22 +0200 Subject: import improved bind role from helsinki repo --- roles/network/bind/defaults/main.yml | 35 +++++++ roles/network/bind/handlers/main.yml | 5 + roles/network/bind/tasks/main.yml | 151 +++++++++++++++++++++++++++ roles/network/bind/templates/master-zones.j2 | 8 ++ roles/network/bind/templates/slave-zones.j2 | 22 ++++ 5 files changed, 221 insertions(+) create mode 100644 roles/network/bind/defaults/main.yml create mode 100644 roles/network/bind/handlers/main.yml create mode 100644 roles/network/bind/tasks/main.yml create mode 100644 roles/network/bind/templates/master-zones.j2 create mode 100644 roles/network/bind/templates/slave-zones.j2 (limited to 'roles/network/bind') diff --git a/roles/network/bind/defaults/main.yml b/roles/network/bind/defaults/main.yml new file mode 100644 index 00000000..80dbe396 --- /dev/null +++ b/roles/network/bind/defaults/main.yml @@ -0,0 +1,35 @@ +--- +## options + +# bind_option_empty_zones_enable: yes +# bind_option_allow_query: [] +# bind_option_allow_recursion: [] +# bind_option_allow_update: [] +# bind_option_notify: '(yes|no|explicit)' +# bind_option_also_notify: [] +# bind_option_allow_transfer: [] + + +## zone configs + +bind_empty_onion_zone: no + +# bind_master_zones: +# example.com: +# content: | +# .... +# foo.bar: +# file: path/to/file + +# bind_slave_zones: +# example: +# masters: +# - 192.0.2.1 +# zones: +# - example.com +# - example.net +# foo: +# master: +# - 1.2.3.4 +# zone: +# - foo.bar diff --git a/roles/network/bind/handlers/main.yml b/roles/network/bind/handlers/main.yml new file mode 100644 index 00000000..1bb588c7 --- /dev/null +++ b/roles/network/bind/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: reload bind + systemd: + name: bind9 + state: reloaded 
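Review bot: The second `bind_slave_zones` example in the commented documentation (`foo:` with `master:` and `zone:`) uses keys that slave-zones.j2 never reads — the template iterates `config.masters` and `config.zones` — so an inventory copied from that example would fail to render on an undefined attribute; it should read `masters:` and `zones:` like the `example` entry above it. `bind_empty_onion_zone: no` (and the commented `bind_option_empty_zones_enable: yes`) is YAML 1.1 boolean spelling; prefer `bind_empty_onion_zone: false` so the intent is unambiguous across parsers and yamllint's truthy rule. The `allow-*` lists deserve a comment on their semantics, since an empty list is rendered by the options block as an empty ACL (`allow-query { };`), which in named matches nothing: `# an empty list renders an empty ACL (denies everything); leave the variable undefined to keep named's default`.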
diff --git a/roles/network/bind/tasks/main.yml b/roles/network/bind/tasks/main.yml
new file mode 100644
index 00000000..39f144f5
--- /dev/null
+++ b/roles/network/bind/tasks/main.yml
@@ -0,0 +1,151 @@ +--- +- name: install bind + apt: + name: bind9 + state: present + +- name: set bind options + blockinfile: + path: /etc/bind/named.conf.options + block: | + {% if bind_option_empty_zones_enable is defined %} + empty-zones-enable {% if bind_option_empty_zones_enable %}yes{% else %}no{% endif %}; + {% endif %} + {% if bind_option_allow_query is defined %} + + allow-query { + {% for item in bind_option_allow_query %} + {{ item }}; + {% endfor %} + }; + {% endif %} + {% if bind_option_allow_recursion is defined %} + + allow-recursion { + {% for item in bind_option_allow_recursion %} + {{ item }}; + {% endfor %} + }; + {% endif %} + {% if bind_option_allow_update is defined %} + + allow-update { + {% for item in bind_option_allow_update %} + {{ item }}; + {% endfor %} + }; + {% endif %} + {% if bind_option_notify is defined %} + + notify {{ bind_option_notify }}; + {% endif %} + {% if bind_option_also_notify is defined %} + + also-notify { + {% for item in bind_option_also_notify %} + {{ item }}; + {% endfor %} + }; + {% endif %} + {% if bind_option_allow_transfer is defined %} + + allow-transfer { + {% for item in bind_option_allow_transfer %} + {{ item }}; + {% endfor %} + }; + {% endif %} + insertbefore: '};' + marker: " // {mark} ansible managed block" + notify: reload bind + + +- name: add empty .onion zone + when: bind_empty_onion_zone + copy: + dest: /etc/bind/named.conf.onion + content: | + // block .onion addresses + zone "onion" { + type master; + file "/etc/bind/db.empty"; + zone-statistics no; + notify no; + }; + notify: reload bind + +- name: remove empty .onion zone + when: not bind_empty_onion_zone + file: + path: /etc/bind/named.conf.onion + state: absent + notify: reload bind + +- name: enable/disable empty .onion zone + lineinfile: + path: /etc/bind/named.conf + line: 'include "/etc/bind/named.conf.onion";' + state: "{{ bind_empty_onion_zone is defined | ternary('present', 'absent') }}" + notify: reload bind + + +- name: add slave 
zone configuration + when: bind_slave_zones is defined + template: + src: slave-zones.j2 + dest: /etc/bind/named.conf.slave-zones + notify: reload bind + +- name: remove slave zone configuration + when: bind_slave_zones is not defined + file: + path: /etc/bind/named.conf.slave-zones + state: absent + notify: reload bind + +- name: enable/disable slave zone configuration + lineinfile: + path: /etc/bind/named.conf + line: 'include "/etc/bind/named.conf.slave-zones";' + state: "{{ bind_slave_zones is defined | ternary('present', 'absent') }}" + notify: reload bind + + +- name: add master zone configuration + when: bind_master_zones is defined + template: + src: master-zones.j2 + dest: /etc/bind/named.conf.master-zones + notify: reload bind + +- name: remove master zone configuration + when: bind_master_zones is not defined + file: + path: /etc/bind/named.conf.master-zones + state: absent + notify: reload bind + +- name: install master zone files (from local file) + when: bind_master_zones is defined + loop: "{{ bind_master_zones | dict2items | selectattr('value.file', 'defined') | list }}" + loop_control: + label: "{{ item.key }}" + copy: + dest: "/etc/bind/db.{{ item.key }}" + src: "{{ item.value.file }}" + +- name: install master zone files (from content) + when: bind_master_zones is defined + loop: "{{ bind_master_zones | dict2items | selectattr('value.content', 'defined') | list }}" + loop_control: + label: "{{ item.key }}" + copy: + dest: "/etc/bind/db.{{ item.key }}" + content: "{{ item.value.content }}" + +- name: enable/disable master zone configuration + lineinfile: + path: /etc/bind/named.conf + line: 'include "/etc/bind/named.conf.master-zones";' + state: "{{ bind_master_zones is defined | ternary('present', 'absent') }}" + notify: reload bind diff --git a/roles/network/bind/templates/master-zones.j2 b/roles/network/bind/templates/master-zones.j2 new file mode 100644 index 00000000..2e400711 --- /dev/null +++ b/roles/network/bind/templates/master-zones.j2 
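Review bot: The "enable/disable empty .onion zone" task keys the include line on `bind_empty_onion_zone is defined`, but defaults/main.yml always defines that variable (as `no`), so with the default value the preceding task removes `/etc/bind/named.conf.onion` while named.conf keeps `include "/etc/bind/named.conf.onion";` — named then cannot parse its configuration on the next restart (and a reload would keep running on the old config). The state should follow the variable's value, as the add/remove tasks already do: `state: "{{ bind_empty_onion_zone | ternary('present', 'absent') }}"`. The two "install master zone files" copy tasks have no `notify: reload bind`, so a changed zone file is written to /etc/bind but not loaded until some other task happens to trigger the handler. The `notify {{ bind_option_notify }};` line renders a YAML boolean as `True`, which named rejects; a comment beside the options block, `# bind_option_notify must be a quoted string (yes/no/explicit), not a YAML boolean`, would document the constraint the defaults example only implies.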
@@ -0,0 +1,8 @@ +// Zones +{% for zone in bind_master_zones.keys() %} + +zone "{{ zone }}" { + type master; + file "/etc/bind/db.{{ zone }}"; +}; +{% endfor %} diff --git a/roles/network/bind/templates/slave-zones.j2 b/roles/network/bind/templates/slave-zones.j2 new file mode 100644 index 00000000..7cf3a9b2 --- /dev/null +++ b/roles/network/bind/templates/slave-zones.j2 @@ -0,0 +1,22 @@ +// Masters + +{% for name,config in bind_slave_zones.items() %} +masters {{ name }} { +{% for master in config.masters %} + {{ master }}; +{% endfor %} +}; + +{% endfor %} + +// Zones +{% for name,config in bind_slave_zones.items() %} +{% for zone in config.zones %} + +zone "{{ zone }}" { + type slave; + file "/var/cache/bind/db.{{ zone }}.sec"; + masters { {{ name }}; }; +}; +{% endfor %} +{% endfor %} -- cgit v1.2.3