bind: refactor role
* query log can be enabled or disabled * split tasks * check if AppArmor is present * don't install Munin plugins whose data file is not present * remove example ACL in authoritative configuration
parent
2c1db6a222
commit
8cbe837147
13 changed files with 75 additions and 46 deletions
|
@ -22,7 +22,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
|
||||
* Use systemd module instead of command
|
||||
* Removed all "warn: False" args in command, shell and other modules as it's been deprecated and will give a hard fail in ansible-core 2.14.0.
|
||||
* bind: use systemd module
|
||||
* bind: refactor role
|
||||
* evolinux-users: Update sudoers template to remove commands allowed without password
|
||||
* nagios-nrpe : Rewrite check_vrrpd for a better check (check rp_filter, vrrpd and uvrrpd compatible, use arguments, …)
|
||||
* openvpn: Change check_openvpn destination file to comply with recent EvoBSD change
|
||||
|
@ -42,7 +42,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
|||
* clamav: set `MaxConnectionQueueLength` to its default value (200), custom (15) was way too small and caused recurrent connections fail in Postfix.
|
||||
* postfix (packmail only): disable `concurrency_failed_cohort_limit` for destination smtp-amavis to prevent the suspension of this destination when Amavis fails to answer. Indeed, we configure the suspension delay quite long in `minimal_backoff_time` (2h) and `maximal_backoff_time` (6h) to reduce the risk of ban from external SMTPs.
|
||||
* php: install using sury repositories on bullseye
|
||||
* bind: fix fail in check mode
|
||||
|
||||
### Removed
|
||||
|
||||
|
|
|
@ -8,4 +8,5 @@ bind_systemd_service_path: /etc/systemd/system/bind9.service
|
|||
bind_statistics_file: /var/run/named.stats
|
||||
bind_log_file: /var/log/bind.log
|
||||
bind_query_file: /var/log/bind_queries.log
|
||||
bind_query_file_enabled: False
|
||||
bind_cache_dir: /var/cache/bind
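Review bot: `bind_query_file_enabled: False` uses the capitalised YAML 1.1 boolean while every consumer of the variable in this commit goes through `| bool`; yamllint's truthy rule flags it and the lowercase form is the portable one. Because this flag decides whether every client address and queried name is written to disk (the `query_logging` channel in both `named.conf.options` templates), the default deserves a one-line comment saying so: `# Query logging writes every client address and queried name to bind_query_file; keep off unless debugging` followed by `bind_query_file_enabled: false`.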
|
||||
|
|
|
@ -13,7 +13,6 @@
|
|||
systemd:
|
||||
name: bind9
|
||||
state: restarted
|
||||
when: not ansible_check_mode
|
||||
|
||||
- name: restart munin-node
|
||||
systemd:
|
||||
|
|
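--- /dev/null
+++ b/bind/tasks/authoritative.yml
@@ -0,0 +1,11 @@
+---
+
+- name: Set bind configuration for authoritative server
+  template:
+    src: named.conf.options_authoritative.j2
+    dest: /etc/bind/named.conf.options
+    owner: bind
+    group: bind
+    mode: "0644"
+    force: yes
+  notify: restart bind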
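Review bot: `owner: bind` on `/etc/bind/named.conf.options` makes the server's own configuration writable by the account named runs as, so a compromise of the daemon can persist itself by editing transfer ACLs, listeners or logging before the next reload; Debian installs this file as `root:bind`. `owner: root` together with `group: bind` (the existing `mode: "0644"` is fine) keeps named able to read the file without being able to change it. The same two lines apply to the sibling `recursive.yml`, which renders the same destination.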
|
@ -8,6 +8,13 @@
|
|||
bind_chroot_path: /var/chroot-bind
|
||||
when: bind_chroot_set | bool
|
||||
|
||||
- name: Check AppArmor
|
||||
shell: systemctl is-active apparmor || systemctl is-enabled apparmor
|
||||
failed_when: False
|
||||
changed_when: False
|
||||
check_mode: no
|
||||
register: check_apparmor
|
||||
|
||||
- name: configure apparmor
|
||||
template:
|
||||
src: apparmor.usr.sbin.named.j2
|
||||
|
@ -17,6 +24,7 @@
|
|||
mode: '0644'
|
||||
force: yes
|
||||
notify: restart apparmor
|
||||
when: check_apparmor.rc == 0
|
||||
|
||||
- name: package are installed
|
||||
apt:
|
||||
|
@ -25,49 +33,23 @@
|
|||
- dnstop
|
||||
state: present
|
||||
|
||||
- name: Set bind configuration for recursive server
|
||||
template:
|
||||
src: named.conf.options_recursive.j2
|
||||
dest: /etc/bind/named.conf.options
|
||||
owner: bind
|
||||
group: bind
|
||||
mode: "0644"
|
||||
force: yes
|
||||
notify: restart bind
|
||||
when: bind_recursive_server | bool
|
||||
|
||||
- name: enable zones.rfc1918 for recursive server
|
||||
lineinfile:
|
||||
dest: /etc/bind/named.conf.local
|
||||
line: 'include "/etc/bind/zones.rfc1918";'
|
||||
regexp: "zones.rfc1918"
|
||||
notify: restart bind
|
||||
when:
|
||||
- bind_recursive_server | bool
|
||||
- not ansible_check_mode
|
||||
|
||||
- name: Set bind configuration for authoritative server
|
||||
template:
|
||||
src: named.conf.options_authoritative.j2
|
||||
dest: /etc/bind/named.conf.options
|
||||
owner: bind
|
||||
group: bind
|
||||
mode: "0644"
|
||||
force: yes
|
||||
notify: restart bind
|
||||
- include: authoritative.yml
|
||||
when: bind_authoritative_server | bool
|
||||
|
||||
- name: Create systemd service
|
||||
- include: recursive.yml
|
||||
when: bind_recursive_server | bool
|
||||
|
||||
- name: Create systemd service for Debian 8 (Jessie)
|
||||
template:
|
||||
src: bind9.service.j2
|
||||
src: bind9.service.jessie.j2
|
||||
dest: "{{ bind_systemd_service_path }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
force: yes
|
||||
notify:
|
||||
- reload systemd
|
||||
- restart bind
|
||||
- reload systemd
|
||||
- restart bind
|
||||
when: ansible_distribution_release == "jessie"
|
||||
|
||||
- name: "touch {{ bind_log_file }} if non chroot"
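Review bot: Nothing in the third hunk stops `bind_authoritative_server` and `bind_recursive_server` from both being true, and since `authoritative.yml` and `recursive.yml` each render `/etc/bind/named.conf.options`, the include that runs last silently wins — an authoritative host would end up with the recursive options. An `assert` ahead of the two includes turns that misconfiguration into a failed play instead of an unintended resolver. Separately, `include:` with `when:` is the deprecated static include; `import_tasks:` keeps the same per-task condition semantics and is what current ansible-core expects. The `touch` task that follows continues outside the hunk.
```yaml
- name: authoritative and recursive roles are mutually exclusive
  assert:
    that:
      - not ((bind_authoritative_server | bool) and (bind_recursive_server | bool))
    fail_msg: "bind_authoritative_server and bind_recursive_server both render /etc/bind/named.conf.options; enable only one"

- import_tasks: authoritative.yml
  when: bind_authoritative_server | bool

- import_tasks: recursive.yml
  when: bind_recursive_server | bool
# … unchanged: Jessie systemd service task …
```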
|
||||
|
|
|
@ -19,7 +19,7 @@
|
|||
- bind9_rndc
|
||||
notify: restart munin-node
|
||||
when:
|
||||
- bind_authoritative_server
|
||||
- bind_authoritative_server | bool
|
||||
- munin_node_plugins_config.stat.exists
|
||||
tags:
|
||||
- bind
|
||||
|
@ -32,10 +32,10 @@
|
|||
state: link
|
||||
loop:
|
||||
- bind9
|
||||
- bind9_rndc
|
||||
notify: restart munin-node
|
||||
when:
|
||||
- bind_recursive_server
|
||||
- bind_recursive_server | bool
|
||||
- bind_query_file_enabled | bool
|
||||
- munin_node_plugins_config.stat.exists
|
||||
tags:
|
||||
- bind
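Review bot: The new `bind_query_file_enabled | bool` condition on the recursive-server task only decides whether the `bind9`/`bind9_rndc` links get created; when an operator later turns query logging off, links already in place stay, and munin-node keeps running a plugin configured with `user root` against a log that is no longer written. A companion task with `state: absent` under the inverse condition keeps the installed plugin set in step with the variable. The `file:` task's `dest` (above the hunk) is the path to mirror; the fence assumes the standard Munin plugin directory.
```yaml
# … unchanged: link task for recursive server …

- name: Remove Munin plugins for recursive server when query log is disabled
  file:
    path: "/etc/munin/plugins/{{ item }}"  # match the link task's dest
    state: absent
  loop:
    - bind9
    - bind9_rndc
  notify: restart munin-node
  when:
    - bind_recursive_server | bool
    - not (bind_query_file_enabled | bool)
  tags:
    - bind
```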
|
||||
|
|
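--- /dev/null
+++ b/bind/tasks/recursive.yml
@@ -0,0 +1,19 @@
+---
+
+
+- name: Set bind configuration for recursive server
+  template:
+    src: named.conf.options_recursive.j2
+    dest: /etc/bind/named.conf.options
+    owner: bind
+    group: bind
+    mode: "0644"
+    force: yes
+  notify: restart bind
+
+- name: enable zones.rfc1918 for recursive server
+  lineinfile:
+    dest: /etc/bind/named.conf.local
+    line: 'include "/etc/bind/zones.rfc1918";'
+    regexp: "zones.rfc1918"
+  notify: restart bind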
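Review bot: The `zones.rfc1918` lineinfile task lost the `not ansible_check_mode` guard it carried in `tasks/main.yml` before the split; `lineinfile` fails when `dest` does not exist regardless of check mode, so a `--check` run against a host where the bind9 package is not yet installed (the `apt` task cannot install in check mode) will now fail on a missing `/etc/bind/named.conf.local`. Restoring `when: not ansible_check_mode` on that task keeps the behaviour the changelog's "fix fail in check mode" entry introduced. The template task also writes `/etc/bind/named.conf.options` as `owner: bind`, which lets the named process rewrite its own options such as the recursion ACLs; `owner: root` with `group: bind` (Debian's own layout) keeps it readable but not writable by the daemon.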
|
@ -56,7 +56,9 @@
|
|||
# some people like to put logs in /var/log/named/ instead of having
|
||||
# syslog do the heavy lifting.
|
||||
{{ bind_log_file }} rw,
|
||||
{% if bind_query_file_enabled | bool %}
|
||||
{{ bind_query_file }} rw,
|
||||
{% endif %}
|
||||
|
||||
# gssapi
|
||||
/var/lib/sss/pubconf/krb5.include.d/** r,
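Review bot: The new rule `{{ bind_query_file }} rw,` covers only the exact path, but both `named.conf.options` templates declare the channel with `versions 2 size 128M`, so named itself rotates the file by renaming it to `<file>.0` and `<file>.1`; under enforcement AppArmor denies that rename because the target is outside the profile, and the query log stops rotating once it reaches 128M. A basename glob allows the rotated generations: `{{ bind_query_file }}* rw,`. The `bind_log_file` rule above is not affected because that file is rotated by logrotate rather than by named.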
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{% if bind_chroot_set %}
|
||||
{% if bind_chroot_set | bool %}
|
||||
{{ bind_chroot_path }}{{ bind_log_file }} {
|
||||
{% else %}
|
||||
{{ bind_log_file }} {
|
||||
|
|
|
@ -1,9 +1,17 @@
|
|||
[bind*]
|
||||
user root
|
||||
|
||||
env.logfile {% if bind_chroot_set %}{{ bind_chroot_path }}{% endif %}{{ bind_query_file }}
|
||||
{% if bind_query_file_enabled | bool %}
|
||||
{% if bind_chroot_set | bool %}
|
||||
env.logfile {{ bind_chroot_path }}{{ bind_query_file }}
|
||||
{% else %}
|
||||
env.logfile {{ bind_query_file }}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if bind_authoritative_server %}
|
||||
env.querystats {% if bind_chroot_set %}{{ bind_chroot_path }}{% endif %}{{ bind_statistics_file }}
|
||||
{% endif %}
|
||||
|
||||
env.MUNIN_PLUGSTATE /var/lib/munin
|
||||
timeout 120
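Review bot: `{% if bind_authoritative_server %}` on the `env.querystats` line is the one branch of this template left without the `| bool` filter that the refactor adds to `bind_chroot_set` and `bind_query_file_enabled` just above it; a string such as `"false"` coming from inventory would be truthy there. `{% if bind_authoritative_server | bool %}` keeps the template consistent with the rest of the role. Also worth confirming: when query logging is disabled no `env.logfile` is rendered at all, so if `bind9` is still linked for authoritative servers (the loop head in `munin.yml` is outside that hunk) the plugin runs as root against its built-in default log path.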
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
acl "foo" {
|
||||
::ffff:192.0.2.21; 192.0.2.21;
|
||||
2001:db8::21;
|
||||
};
|
||||
// acl "foo" {
|
||||
// ::ffff:192.0.2.21; 192.0.2.21;
|
||||
// 2001:db8::21;
|
||||
// };
|
||||
|
||||
options {
|
||||
directory "{{ bind_cache_dir }}";
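Review bot: The example ACL is commented out rather than deleted, so the `acl "foo"` definition disappears but anything further down in the `options` block that still referenced it (an `allow-transfer { foo; }` or similar, outside this hunk) would now make `named-checkconf` fail at the next reload; worth a grep of the template before merging. If the block is meant as a placeholder for operators, a comment saying so reads better than dead configuration: `// Example ACL kept for reference only; define real ACLs here and reference them from allow-transfer / allow-query.` The `options` block continues outside the hunk.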
|
||||
|
@ -20,16 +20,20 @@ options {
|
|||
|
||||
logging {
|
||||
category default { default_file; };
|
||||
{% if bind_query_file_enabled | bool %}
|
||||
category queries { query_logging; };
|
||||
{% endif %}
|
||||
|
||||
channel default_file {
|
||||
file "{{ bind_log_file }}";
|
||||
severity info;
|
||||
};
|
||||
{% if bind_query_file_enabled | bool %}
|
||||
channel query_logging {
|
||||
file "{{ bind_query_file }}" versions 2 size 128M;
|
||||
print-category yes;
|
||||
print-severity yes;
|
||||
print-time yes;
|
||||
};
|
||||
{% endif %}
|
||||
};
|
||||
|
|
|
@ -9,16 +9,20 @@ options {
|
|||
|
||||
logging {
|
||||
category default { default_file; };
|
||||
{% if bind_query_file_enabled | bool %}
|
||||
category queries { query_logging; };
|
||||
{% endif %}
|
||||
|
||||
channel default_file {
|
||||
file "{{ bind_log_file }}";
|
||||
severity info;
|
||||
};
|
||||
{% if bind_query_file_enabled | bool %}
|
||||
channel query_logging {
|
||||
file "{{ bind_query_file }}" versions 2 size 128M;
|
||||
print-category yes;
|
||||
print-severity yes;
|
||||
print-time yes;
|
||||
};
|
||||
{% endif %}
|
||||
};
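Review bot: When `bind_query_file_enabled` is false the template emits no channel for the `queries` category, and per the BIND ARM a category without a channel inherits the default category's channels, so an operator running `rndc querylog on` (or a later `querylog yes;`) would send every client query into `bind_log_file`, which has no `size` cap and is only rotated by logrotate. Routing the category to `null` when the file is disabled keeps that toggle from flooding the main log: add `{% else %}` / `category queries { null; };` / `{% endif %}` in place of the `{% endif %}` after `category queries { query_logging; };`. On a resolver the query log is per-client browsing history, and `versions 2 size 128M` bounds retention by volume rather than time, which the role README should state. The same applies to the authoritative template.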
|
||||
|
|