bind: refactor role
* query log can be enabled or disabled * split tasks * check if AppArmor is present * don't install the Munin plugin whose data file is not present * remove example ACL in authoritative configuration
This commit is contained in:
parent
2c1db6a222
commit
8cbe837147
|
@ -22,7 +22,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
|
|
||||||
* Use systemd module instead of command
|
* Use systemd module instead of command
|
||||||
* Removed all "warn: False" args in command, shell and other modules as it's been deprecated and will give a hard fail in ansible-core 2.14.0.
|
* Removed all "warn: False" args in command, shell and other modules as it's been deprecated and will give a hard fail in ansible-core 2.14.0.
|
||||||
* bind: use systemd module
|
* bind: refactor role
|
||||||
* evolinux-users: Update sudoers template to remove commands allowed without password
|
* evolinux-users: Update sudoers template to remove commands allowed without password
|
||||||
* nagios-nrpe : Rewrite check_vrrpd for a better check (check rp_filter, vrrpd and uvrrpd compatible, use arguments, …)
|
* nagios-nrpe : Rewrite check_vrrpd for a better check (check rp_filter, vrrpd and uvrrpd compatible, use arguments, …)
|
||||||
* openvpn: Change check_openvpn destination file to comply with recent EvoBSD change
|
* openvpn: Change check_openvpn destination file to comply with recent EvoBSD change
|
||||||
|
@ -42,7 +42,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
|
||||||
* clamav: set `MaxConnectionQueueLength` to its default value (200), custom (15) was way too small and caused recurrent connections fail in Postfix.
|
* clamav: set `MaxConnectionQueueLength` to its default value (200), custom (15) was way too small and caused recurrent connections fail in Postfix.
|
||||||
* postfix (packmail only): disable `concurrency_failed_cohort_limit` for destination smtp-amavis to prevent the suspension of this destination when Amavis fails to answer. Indeed, we configure the suspension delay quite long in `minimal_backoff_time` (2h) and `maximal_backoff_time` (6h) to reduce the risk of ban from external SMTPs.
|
* postfix (packmail only): disable `concurrency_failed_cohort_limit` for destination smtp-amavis to prevent the suspension of this destination when Amavis fails to answer. Indeed, we configure the suspension delay quite long in `minimal_backoff_time` (2h) and `maximal_backoff_time` (6h) to reduce the risk of ban from external SMTPs.
|
||||||
* php: install using sury repositories on bullseye
|
* php: install using sury repositories on bullseye
|
||||||
* bind: fix fail in check mode
|
|
||||||
|
|
||||||
### Removed
|
### Removed
|
||||||
|
|
||||||
|
|
|
@ -8,4 +8,5 @@ bind_systemd_service_path: /etc/systemd/system/bind9.service
|
||||||
bind_statistics_file: /var/run/named.stats
|
bind_statistics_file: /var/run/named.stats
|
||||||
bind_log_file: /var/log/bind.log
|
bind_log_file: /var/log/bind.log
|
||||||
bind_query_file: /var/log/bind_queries.log
|
bind_query_file: /var/log/bind_queries.log
|
||||||
|
bind_query_file_enabled: False
|
||||||
bind_cache_dir: /var/cache/bind
|
bind_cache_dir: /var/cache/bind
|
||||||
|
|
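Review bot: The new default `bind_query_file_enabled: False` uses a capitalized YAML 1.1 boolean and carries no comment saying what turning it on produces, even though every consumer in this commit guards it with `| bool`. The query channel rendered elsewhere in this commit writes one line per client query (source address plus the name asked for) to `bind_query_file`, so the operator enabling it should know that and plan retention accordingly. I would write it as `# Per-query log (client address + queried name) in bind_query_file; off by default` followed by `bind_query_file_enabled: false`, which also satisfies yamllint's `truthy` rule.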
|
@ -13,7 +13,6 @@
|
||||||
systemd:
|
systemd:
|
||||||
name: bind9
|
name: bind9
|
||||||
state: restarted
|
state: restarted
|
||||||
when: not ansible_check_mode
|
|
||||||
|
|
||||||
- name: restart munin-node
|
- name: restart munin-node
|
||||||
systemd:
|
systemd:
|
||||||
|
|
11
bind/tasks/authoritative.yml
Normal file
11
bind/tasks/authoritative.yml
Normal file
|
@ -0,0 +1,11 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: Set bind configuration for authoritative server
|
||||||
|
template:
|
||||||
|
src: named.conf.options_authoritative.j2
|
||||||
|
dest: /etc/bind/named.conf.options
|
||||||
|
owner: bind
|
||||||
|
group: bind
|
||||||
|
mode: "0644"
|
||||||
|
force: yes
|
||||||
|
notify: restart bind
|
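Review bot: The rendered `/etc/bind/named.conf.options` is owned by `bind:bind`, which lets the `named` process (running as `bind`) rewrite its own configuration — a compromised resolver could drop ACLs or change `allow-transfer`/`allow-query` and have it applied at the next restart. Debian ships this file as `root:bind` and named only needs to read it, so the task should use `owner: root` and `group: bind` (keeping `mode: "0644"`, or `"0640"` if the ACLs are considered sensitive). Optionally a `validate: 'named-checkconf %s'` line on the template would catch a broken render before the `restart bind` handler takes the server down, though I have not confirmed that `named-checkconf` accepts an options-only fragment on this version.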
|
@ -8,6 +8,13 @@
|
||||||
bind_chroot_path: /var/chroot-bind
|
bind_chroot_path: /var/chroot-bind
|
||||||
when: bind_chroot_set | bool
|
when: bind_chroot_set | bool
|
||||||
|
|
||||||
|
- name: Check AppArmor
|
||||||
|
shell: systemctl is-active apparmor || systemctl is-enabled apparmor
|
||||||
|
failed_when: False
|
||||||
|
changed_when: False
|
||||||
|
check_mode: no
|
||||||
|
register: check_apparmor
|
||||||
|
|
||||||
- name: configure apparmor
|
- name: configure apparmor
|
||||||
template:
|
template:
|
||||||
src: apparmor.usr.sbin.named.j2
|
src: apparmor.usr.sbin.named.j2
|
||||||
|
@ -17,6 +24,7 @@
|
||||||
mode: '0644'
|
mode: '0644'
|
||||||
force: yes
|
force: yes
|
||||||
notify: restart apparmor
|
notify: restart apparmor
|
||||||
|
when: check_apparmor.rc == 0
|
||||||
|
|
||||||
- name: package are installed
|
- name: package are installed
|
||||||
apt:
|
apt:
|
||||||
|
@ -25,49 +33,23 @@
|
||||||
- dnstop
|
- dnstop
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: Set bind configuration for recursive server
|
- include: authoritative.yml
|
||||||
template:
|
|
||||||
src: named.conf.options_recursive.j2
|
|
||||||
dest: /etc/bind/named.conf.options
|
|
||||||
owner: bind
|
|
||||||
group: bind
|
|
||||||
mode: "0644"
|
|
||||||
force: yes
|
|
||||||
notify: restart bind
|
|
||||||
when: bind_recursive_server | bool
|
|
||||||
|
|
||||||
- name: enable zones.rfc1918 for recursive server
|
|
||||||
lineinfile:
|
|
||||||
dest: /etc/bind/named.conf.local
|
|
||||||
line: 'include "/etc/bind/zones.rfc1918";'
|
|
||||||
regexp: "zones.rfc1918"
|
|
||||||
notify: restart bind
|
|
||||||
when:
|
|
||||||
- bind_recursive_server | bool
|
|
||||||
- not ansible_check_mode
|
|
||||||
|
|
||||||
- name: Set bind configuration for authoritative server
|
|
||||||
template:
|
|
||||||
src: named.conf.options_authoritative.j2
|
|
||||||
dest: /etc/bind/named.conf.options
|
|
||||||
owner: bind
|
|
||||||
group: bind
|
|
||||||
mode: "0644"
|
|
||||||
force: yes
|
|
||||||
notify: restart bind
|
|
||||||
when: bind_authoritative_server | bool
|
when: bind_authoritative_server | bool
|
||||||
|
|
||||||
- name: Create systemd service
|
- include: recursive.yml
|
||||||
|
when: bind_recursive_server | bool
|
||||||
|
|
||||||
|
- name: Create systemd service for Debian 8 (Jessie)
|
||||||
template:
|
template:
|
||||||
src: bind9.service.j2
|
src: bind9.service.jessie.j2
|
||||||
dest: "{{ bind_systemd_service_path }}"
|
dest: "{{ bind_systemd_service_path }}"
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
force: yes
|
force: yes
|
||||||
notify:
|
notify:
|
||||||
- reload systemd
|
- reload systemd
|
||||||
- restart bind
|
- restart bind
|
||||||
when: ansible_distribution_release == "jessie"
|
when: ansible_distribution_release == "jessie"
|
||||||
|
|
||||||
- name: "touch {{ bind_log_file }} if non chroot"
|
- name: "touch {{ bind_log_file }} if non chroot"
|
||||||
|
|
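Review bot: Nothing in this hunk prevents `bind_authoritative_server` and `bind_recursive_server` from both being true, in which case `recursive.yml` silently overwrites the `/etc/bind/named.conf.options` that `authoritative.yml` has just rendered (both templates target the same `dest`), and the host ends up with whichever configuration the last include produced — typically an open recursive resolver that also serves zones. An explicit `assert` before the two includes makes the conflict fail the play instead of producing a surprise. Separately, the bare `include:` action is deprecated in favour of `import_tasks:`/`include_tasks:`; given the changelog entries about ansible-core 2.14 compatibility, `- import_tasks: authoritative.yml` is the safer spelling. The task list continues outside the hunk at both ends.

```yaml
- name: Ensure the server role is unambiguous
  assert:
    that:
      - not (bind_authoritative_server | bool and bind_recursive_server | bool)
    fail_msg: "bind_authoritative_server and bind_recursive_server are mutually exclusive: both render /etc/bind/named.conf.options"

# … unchanged: package installation …

- import_tasks: authoritative.yml
  when: bind_authoritative_server | bool

- import_tasks: recursive.yml
  when: bind_recursive_server | bool
```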
|
@ -19,7 +19,7 @@
|
||||||
- bind9_rndc
|
- bind9_rndc
|
||||||
notify: restart munin-node
|
notify: restart munin-node
|
||||||
when:
|
when:
|
||||||
- bind_authoritative_server
|
- bind_authoritative_server | bool
|
||||||
- munin_node_plugins_config.stat.exists
|
- munin_node_plugins_config.stat.exists
|
||||||
tags:
|
tags:
|
||||||
- bind
|
- bind
|
||||||
|
@ -32,10 +32,10 @@
|
||||||
state: link
|
state: link
|
||||||
loop:
|
loop:
|
||||||
- bind9
|
- bind9
|
||||||
- bind9_rndc
|
|
||||||
notify: restart munin-node
|
notify: restart munin-node
|
||||||
when:
|
when:
|
||||||
- bind_recursive_server
|
- bind_recursive_server | bool
|
||||||
|
- bind_query_file_enabled | bool
|
||||||
- munin_node_plugins_config.stat.exists
|
- munin_node_plugins_config.stat.exists
|
||||||
tags:
|
tags:
|
||||||
- bind
|
- bind
|
||||||
|
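Review bot: The recursive loop is now gated on `bind_query_file_enabled | bool`, but the authoritative loop above it (its start is outside the hunk, only `- bind9_rndc` is visible) is gated on `bind_authoritative_server | bool` alone. If that loop still links the `bind9` plugin as well, an authoritative host with the query log disabled gets a plugin whose `env.logfile` is never set in the plugin config rendered by this commit, which is exactly the "plugin without its data file" case the commit message says it avoids. I would split the symlinks by data source rather than by server type: `bind9` whenever `bind_query_file_enabled | bool`, `bind9_rndc` whenever `bind_authoritative_server | bool`, each with its own `when:`. Worth confirming against the loop contents outside the hunk.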
|
19
bind/tasks/recursive.yml
Normal file
19
bind/tasks/recursive.yml
Normal file
|
@ -0,0 +1,19 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
|
||||||
|
- name: Set bind configuration for recursive server
|
||||||
|
template:
|
||||||
|
src: named.conf.options_recursive.j2
|
||||||
|
dest: /etc/bind/named.conf.options
|
||||||
|
owner: bind
|
||||||
|
group: bind
|
||||||
|
mode: "0644"
|
||||||
|
force: yes
|
||||||
|
notify: restart bind
|
||||||
|
|
||||||
|
- name: enable zones.rfc1918 for recursive server
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/bind/named.conf.local
|
||||||
|
line: 'include "/etc/bind/zones.rfc1918";'
|
||||||
|
regexp: "zones.rfc1918"
|
||||||
|
notify: restart bind
|
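Review bot: The `lineinfile` task uses the unanchored `regexp: "zones.rfc1918"`, so a deliberately disabled line such as `// include "/etc/bind/zones.rfc1918";` in `named.conf.local` also matches and is replaced by the active include, re-enabling it behind the operator's back (the unescaped `.` is also a wildcard). Anchoring it on the actual statement, `regexp: '^\s*include\s+"/etc/bind/zones\.rfc1918";'`, makes the task only touch the line it manages. The same `owner: bind` remark applies here as in `authoritative.yml`: the options file should be `owner: root`, `group: bind` so that the `named` process cannot modify its own configuration.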
|
@ -56,7 +56,9 @@
|
||||||
# some people like to put logs in /var/log/named/ instead of having
|
# some people like to put logs in /var/log/named/ instead of having
|
||||||
# syslog do the heavy lifting.
|
# syslog do the heavy lifting.
|
||||||
{{ bind_log_file }} rw,
|
{{ bind_log_file }} rw,
|
||||||
|
{% if bind_query_file_enabled | bool %}
|
||||||
{{ bind_query_file }} rw,
|
{{ bind_query_file }} rw,
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
# gssapi
|
# gssapi
|
||||||
/var/lib/sss/pubconf/krb5.include.d/** r,
|
/var/lib/sss/pubconf/krb5.include.d/** r,
|
||||||
|
|
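Review bot: The conditional rule only grants `rw` on the exact path `{{ bind_query_file }}`, but the channel that writes it (rendered by the options templates in this commit) is declared with `versions 2 size 128M`, so named rotates the file to `bind_queries.log.0` and `.1` by renaming; under AppArmor a rename needs write permission on both the old and the new path, and the exact-path rule does not cover the rotated names, so rotation will be denied once the file reaches 128M. `{{ bind_query_file }}* rw,` inside the same `{% if %}` covers the rotated files while still granting nothing when the log is disabled. The paths here are also not prefixed with `{{ bind_chroot_path }}` the way the logrotate template does it; if the chroot is in use the host-side path AppArmor sees may differ, which is worth confirming.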
|
@ -1,4 +1,4 @@
|
||||||
{% if bind_chroot_set %}
|
{% if bind_chroot_set | bool %}
|
||||||
{{ bind_chroot_path }}{{ bind_log_file }} {
|
{{ bind_chroot_path }}{{ bind_log_file }} {
|
||||||
{% else %}
|
{% else %}
|
||||||
{{ bind_log_file }} {
|
{{ bind_log_file }} {
|
||||||
|
|
|
@ -1,9 +1,17 @@
|
||||||
[bind*]
|
[bind*]
|
||||||
user root
|
user root
|
||||||
|
|
||||||
env.logfile {% if bind_chroot_set %}{{ bind_chroot_path }}{% endif %}{{ bind_query_file }}
|
{% if bind_query_file_enabled | bool %}
|
||||||
|
{% if bind_chroot_set | bool %}
|
||||||
|
env.logfile {{ bind_chroot_path }}{{ bind_query_file }}
|
||||||
|
{% else %}
|
||||||
|
env.logfile {{ bind_query_file }}
|
||||||
|
{% endif %}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
{% if bind_authoritative_server %}
|
{% if bind_authoritative_server %}
|
||||||
env.querystats {% if bind_chroot_set %}{{ bind_chroot_path }}{% endif %}{{ bind_statistics_file }}
|
env.querystats {% if bind_chroot_set %}{{ bind_chroot_path }}{% endif %}{{ bind_statistics_file }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
env.MUNIN_PLUGSTATE /var/lib/munin
|
env.MUNIN_PLUGSTATE /var/lib/munin
|
||||||
timeout 120
|
timeout 120
|
||||||
|
|
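Review bot: The new block tests `bind_query_file_enabled | bool` and `bind_chroot_set | bool`, but the unchanged `{% if bind_authoritative_server %}` a few lines below still evaluates the raw variable; a value arriving as the string `"False"` (extra-vars, inventory) is truthy there and `env.querystats` is emitted on a recursive-only host, which the rest of this commit is careful to avoid. Make it `{% if bind_authoritative_server | bool %}` for consistency. Also worth a thought: `user root` gives both plugins root only to read a log file and a stats file that `named` writes as `bind`; whether `user bind` suffices depends on how `bind9_rndc` reaches `rndc` and its key, so I'd confirm that before changing it.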
|
@ -1,7 +1,7 @@
|
||||||
acl "foo" {
|
// acl "foo" {
|
||||||
::ffff:192.0.2.21; 192.0.2.21;
|
// ::ffff:192.0.2.21; 192.0.2.21;
|
||||||
2001:db8::21;
|
// 2001:db8::21;
|
||||||
};
|
// };
|
||||||
|
|
||||||
options {
|
options {
|
||||||
directory "{{ bind_cache_dir }}";
|
directory "{{ bind_cache_dir }}";
|
||||||
|
@ -20,16 +20,20 @@ options {
|
||||||
|
|
||||||
logging {
|
logging {
|
||||||
category default { default_file; };
|
category default { default_file; };
|
||||||
|
{% if bind_query_file_enabled | bool %}
|
||||||
category queries { query_logging; };
|
category queries { query_logging; };
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
channel default_file {
|
channel default_file {
|
||||||
file "{{ bind_log_file }}";
|
file "{{ bind_log_file }}";
|
||||||
severity info;
|
severity info;
|
||||||
};
|
};
|
||||||
|
{% if bind_query_file_enabled | bool %}
|
||||||
channel query_logging {
|
channel query_logging {
|
||||||
file "{{ bind_query_file }}" versions 2 size 128M;
|
file "{{ bind_query_file }}" versions 2 size 128M;
|
||||||
print-category yes;
|
print-category yes;
|
||||||
print-severity yes;
|
print-severity yes;
|
||||||
print-time yes;
|
print-time yes;
|
||||||
};
|
};
|
||||||
|
{% endif %}
|
||||||
};
|
};
|
||||||
|
|
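Review bot: The example ACL is only commented out with `//`, so every generated `named.conf.options` on every authoritative host still carries the four `// acl "foo" …` lines with documentation addresses, while the commit message says the example is removed. Wrapping the block in a Jinja comment, `{# acl "foo" { … }; #}`, keeps the example available to role maintainers without shipping it to hosts; deleting it outright is the other option. The query channel's `versions 2 size 128M` is a sensible cap, but it is the only retention control for per-client query data, so a comment on the `bind_query_file_enabled` default pointing at it would help operators.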
|
@ -9,16 +9,20 @@ options {
|
||||||
|
|
||||||
logging {
|
logging {
|
||||||
category default { default_file; };
|
category default { default_file; };
|
||||||
|
{% if bind_query_file_enabled | bool %}
|
||||||
category queries { query_logging; };
|
category queries { query_logging; };
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
channel default_file {
|
channel default_file {
|
||||||
file "{{ bind_log_file }}";
|
file "{{ bind_log_file }}";
|
||||||
severity info;
|
severity info;
|
||||||
};
|
};
|
||||||
|
{% if bind_query_file_enabled | bool %}
|
||||||
channel query_logging {
|
channel query_logging {
|
||||||
file "{{ bind_query_file }}" versions 2 size 128M;
|
file "{{ bind_query_file }}" versions 2 size 128M;
|
||||||
print-category yes;
|
print-category yes;
|
||||||
print-severity yes;
|
print-severity yes;
|
||||||
print-time yes;
|
print-time yes;
|
||||||
};
|
};
|
||||||
|
{% endif %}
|
||||||
};
|
};
|
||||||
|
|
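Review bot: The whole `logging { … }` stanza added here is byte-identical to the one added to `named.conf.options_authoritative.j2` in this same commit, including the two `{% if bind_query_file_enabled | bool %}` guards, so the next change to the query channel (path, `versions`, `size`) has to be made twice and can drift. Moving the stanza into a shared template fragment and replacing both copies with `{% include "named.conf.logging.j2" %}` keeps one definition; the include path depends on the role's templates layout, which is outside this hunk. The `options { … }` block that precedes the stanza starts outside the hunk.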