bind: refactor role

* queries log can be enabled or disabled
* split tasks
* check if AppArmor is present
* don't install Munin plugin whose data file is not present
* remove example ACL in authoritative configuration
Jérémy Lecour 2023-02-21 18:30:09 +01:00 committed by Jérémy Lecour
parent 2c1db6a222
commit 8cbe837147
13 changed files with 75 additions and 46 deletions


@ -22,7 +22,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
* Use systemd module instead of command
* Removed all "warn: False" args in command, shell and other modules as it's been deprecated and will give a hard fail in ansible-core 2.14.0.
* bind: use systemd module
* bind: refactor role
* evolinux-users: Update sudoers template to remove commands allowed without password
* nagios-nrpe : Rewrite check_vrrpd for a better check (check rp_filter, vrrpd and uvrrpd compatible, use arguments, …)
* openvpn: Change check_openvpn destination file to comply with recent EvoBSD change
@ -42,7 +42,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
* clamav: set `MaxConnectionQueueLength` to its default value (200), custom (15) was way too small and caused recurrent connections fail in Postfix.
* postfix (packmail only): disable `concurrency_failed_cohort_limit` for destination smtp-amavis to prevent the suspension of this destination when Amavis fails to answer. Indeed, we configure the suspension delay quite long in `minimal_backoff_time` (2h) and `maximal_backoff_time` (6h) to reduce the risk of ban from external SMTPs.
* php: install using sury repositories on bullseye
* bind: fix fail in check mode
### Removed


@ -8,4 +8,5 @@ bind_systemd_service_path: /etc/systemd/system/bind9.service
bind_statistics_file: /var/run/named.stats
bind_log_file: /var/log/bind.log
bind_query_file: /var/log/bind_queries.log
bind_query_file_enabled: False
bind_cache_dir: /var/cache/bind
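Review bot: `bind_query_file_enabled: False` on the added line uses the capitalised YAML 1.1 boolean; every consumer in this commit pipes it through `| bool`, so it works, but yamllint's `truthy` rule and the `true`/`false` form argue for `bind_query_file_enabled: false`. A one-line comment above it would also help, since the flag now drives the AppArmor rule, the Munin plugin env and the named logging channel at once: `# Query logging (named channel, AppArmor rule, Munin plugin) is only set up when true`.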


@ -13,7 +13,6 @@
systemd:
name: bind9
state: restarted
when: not ansible_check_mode
- name: restart munin-node
systemd:


@ -0,0 +1,11 @@
---
- name: Set bind configuration for authoritative server
template:
src: named.conf.options_authoritative.j2
dest: /etc/bind/named.conf.options
owner: bind
group: bind
mode: "0644"
force: yes
notify: restart bind


@ -8,6 +8,13 @@
bind_chroot_path: /var/chroot-bind
when: bind_chroot_set | bool
- name: Check AppArmor
shell: systemctl is-active apparmor || systemctl is-enabled apparmor
failed_when: False
changed_when: False
check_mode: no
register: check_apparmor
- name: configure apparmor
template:
src: apparmor.usr.sbin.named.j2
@ -17,6 +24,7 @@
mode: '0644'
force: yes
notify: restart apparmor
when: check_apparmor.rc == 0
- name: package are installed
apt:
@ -25,49 +33,23 @@
- dnstop
state: present
- name: Set bind configuration for recursive server
template:
src: named.conf.options_recursive.j2
dest: /etc/bind/named.conf.options
owner: bind
group: bind
mode: "0644"
force: yes
notify: restart bind
when: bind_recursive_server | bool
- name: enable zones.rfc1918 for recursive server
lineinfile:
dest: /etc/bind/named.conf.local
line: 'include "/etc/bind/zones.rfc1918";'
regexp: "zones.rfc1918"
notify: restart bind
when:
- bind_recursive_server | bool
- not ansible_check_mode
- name: Set bind configuration for authoritative server
template:
src: named.conf.options_authoritative.j2
dest: /etc/bind/named.conf.options
owner: bind
group: bind
mode: "0644"
force: yes
notify: restart bind
- include: authoritative.yml
when: bind_authoritative_server | bool
- name: Create systemd service
- include: recursive.yml
when: bind_recursive_server | bool
- name: Create systemd service for Debian 8 (Jessie)
template:
src: bind9.service.j2
src: bind9.service.jessie.j2
dest: "{{ bind_systemd_service_path }}"
owner: root
group: root
mode: "0644"
force: yes
notify:
- reload systemd
- restart bind
- reload systemd
- restart bind
when: ansible_distribution_release == "jessie"
- name: "touch {{ bind_log_file }} if non chroot"
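Review bot: Both included files write the same `/etc/bind/named.conf.options`, so a host with `bind_authoritative_server` and `bind_recursive_server` both true gets whichever include runs last (now `recursive.yml`; before the refactor the authoritative template appears to have been applied after the recursive one), and nothing flags the conflict. An `assert:` task placed before the two includes, checking that at most one of the flags is true, would make the misconfiguration fail loudly instead of silently shipping the wrong options file. The `include` keyword used for both files is also deprecated in favour of `import_tasks`/`include_tasks`; `- import_tasks: authoritative.yml` keeps the per-task `when:` semantics here. Minor: the AppArmor check in the first hunk writes `failed_when: False` and `check_mode: no`, where the lowercase `false` form matches the `| bool` convention the rest of the commit adopts. The task list continues past the hunk.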


@ -19,7 +19,7 @@
- bind9_rndc
notify: restart munin-node
when:
- bind_authoritative_server
- bind_authoritative_server | bool
- munin_node_plugins_config.stat.exists
tags:
- bind
@ -32,10 +32,10 @@
state: link
loop:
- bind9
- bind9_rndc
notify: restart munin-node
when:
- bind_recursive_server
- bind_recursive_server | bool
- bind_query_file_enabled | bool
- munin_node_plugins_config.stat.exists
tags:
- bind
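Review bot: The loop in the second hunk now gates both `bind9` and `bind9_rndc` on `bind_query_file_enabled | bool`, but the plugin config in this commit only feeds `env.logfile` to the query-log reader, while `bind9_rndc` appears to read the rndc statistics file (`env.querystats`); if so, disabling the query log on a recursive server also drops a statistics plugin that does not need it. Putting the `bind_query_file_enabled` condition only on the `bind9` item, or splitting the loop into two tasks, keeps `bind9_rndc` independent. The task also only creates links (`state: link`), so turning the flag off later leaves an already-installed `bind9` link pointing at a file named is no longer writing; a matching `state: absent` task guarded by `not bind_query_file_enabled | bool` would make the flag fully reversible. Both tasks extend beyond the hunks.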

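--- /dev/null
+++ b/bind/tasks/recursive.yml
+---
+- name: Set bind configuration for recursive server
+  template:
+    src: named.conf.options_recursive.j2
+    dest: /etc/bind/named.conf.options
+    owner: bind
+    group: bind
+    mode: "0644"
+    force: yes
+  notify: restart bind
+- name: enable zones.rfc1918 for recursive server
+  lineinfile:
+    dest: /etc/bind/named.conf.local
+    line: 'include "/etc/bind/zones.rfc1918";'
+    regexp: "zones.rfc1918"
+  notify: restart bind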
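Review bot: The `lineinfile` regexp `zones.rfc1918` is unanchored with unescaped dots, so it also matches a commented-out `// include "/etc/bind/zones.rfc1918";` line and rewrites that line in place instead of appending a fresh include; if that "uncomment" behaviour is intended, a comment above the task saying so helps, otherwise anchor it, e.g. `regexp: '^include "/etc/bind/zones\.rfc1918";'`. `force: yes` on the template task is the YAML 1.1 spelling; `force: true` matches the lowercase form. The page shows 16 of the 19 added lines, so any trailing `when:` on the lineinfile task is not visible here.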


@ -56,7 +56,9 @@
# some people like to put logs in /var/log/named/ instead of having
# syslog do the heavy lifting.
{{ bind_log_file }} rw,
{% if bind_query_file_enabled | bool %}
{{ bind_query_file }} rw,
{% endif %}
# gssapi
/var/lib/sss/pubconf/krb5.include.d/** r,
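Review bot: The new `{{ bind_query_file }} rw,` rule, like the `{{ bind_log_file }}` line above it, uses the un-prefixed path, but when `bind_chroot_set` is true named writes to `{{ bind_chroot_path }}{{ bind_query_file }}` on the host filesystem, which is the form the logrotate and Munin templates in this commit use; unless the profile already grants the chroot tree elsewhere (not visible in the hunk), AppArmor would deny the query log on chroot setups. Mirroring the other templates, `{% if bind_chroot_set | bool %}{{ bind_chroot_path }}{% endif %}{{ bind_query_file }} rw,` keeps the grant narrow while matching the real path. A comment above the block, `# query log is only written when enabled; keep the path in sync with the channel in named.conf.options`, would document the coupling.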


@ -1,4 +1,4 @@
{% if bind_chroot_set %}
{% if bind_chroot_set | bool %}
{{ bind_chroot_path }}{{ bind_log_file }} {
{% else %}
{{ bind_log_file }} {


@ -1,9 +1,17 @@
[bind*]
user root
env.logfile {% if bind_chroot_set %}{{ bind_chroot_path }}{% endif %}{{ bind_query_file }}
{% if bind_query_file_enabled | bool %}
{% if bind_chroot_set | bool %}
env.logfile {{ bind_chroot_path }}{{ bind_query_file }}
{% else %}
env.logfile {{ bind_query_file }}
{% endif %}
{% endif %}
{% if bind_authoritative_server %}
env.querystats {% if bind_chroot_set %}{{ bind_chroot_path }}{% endif %}{{ bind_statistics_file }}
{% endif %}
env.MUNIN_PLUGSTATE /var/lib/munin
timeout 120
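Review bot: `{% if bind_authoritative_server %}` on the querystats line is the one condition in this template still without `| bool`, while the two new conditions above it and the task files in this commit all coerce; a value arriving as the string `"false"` from inventory or `-e` is a non-empty string and would be truthy here, exposing a statistics path that is never written. `{% if bind_authoritative_server | bool %}` keeps the template consistent, and the inline `{% if bind_chroot_set %}` on the same line deserves the same treatment.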


@ -1,7 +1,7 @@
acl "foo" {
::ffff:192.0.2.21; 192.0.2.21;
2001:db8::21;
};
// acl "foo" {
// ::ffff:192.0.2.21; 192.0.2.21;
// 2001:db8::21;
// };
options {
directory "{{ bind_cache_dir }}";
@ -20,16 +20,20 @@ options {
logging {
category default { default_file; };
{% if bind_query_file_enabled | bool %}
category queries { query_logging; };
{% endif %}
channel default_file {
file "{{ bind_log_file }}";
severity info;
};
{% if bind_query_file_enabled | bool %}
channel query_logging {
file "{{ bind_query_file }}" versions 2 size 128M;
print-category yes;
print-severity yes;
print-time yes;
};
{% endif %}
};
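Review bot: The example `acl "foo"` block is commented out rather than removed, so every rendered `/etc/bind/named.conf.options` on authoritative servers still carries four lines of dead example text with sample addresses; deleting it here and keeping the sample in the role README is cleaner than shipping it commented in a production file. The logging stanza in the second hunk is also duplicated verbatim in `named.conf.options_recursive.j2`; a shared snippet included from both templates would keep the two channel definitions from drifting. The `options {` block opened in the first hunk continues past the second.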


@ -9,16 +9,20 @@ options {
logging {
category default { default_file; };
{% if bind_query_file_enabled | bool %}
category queries { query_logging; };
{% endif %}
channel default_file {
file "{{ bind_log_file }}";
severity info;
};
{% if bind_query_file_enabled | bool %}
channel query_logging {
file "{{ bind_query_file }}" versions 2 size 128M;
print-category yes;
print-severity yes;
print-time yes;
};
{% endif %}
};
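Review bot: On a recursive resolver the query log records client addresses and the names they look up, and the only bound on how much is retained is the hard-coded `versions 2 size 128M` in the new channel. Exposing those two values as role variables (constructed names, e.g. `bind_query_file_size` defaulting to `128M` and `bind_query_file_versions` defaulting to `2`, alongside the existing `bind_query_file_enabled`) lets operators set retention deliberately instead of editing the template; the same literal appears in the authoritative template. A short comment above the channel, `{# query log is rotated by named itself and appears not to be covered by the logrotate template #}`, would also stop the next reader from adding it to logrotate.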