bind: refactor role

* queries log can be enabled or disabled
* split tasks
* check if AppArmor is present
* don't install Munin plugin whose data file is not present
* remove example ACL in authoritative configuration

CHANGELOG.md

@@ -22,7 +22,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 
 * Use systemd module instead of command
 * Removed all "warn: False" args in command, shell and other modules as it's been deprecated and will give a hard fail in ansible-core 2.14.0.
-* bind: use systemd module
+* bind: refactor role
 * evolinux-users: Update sudoers template to remove commands allowed without password
 * nagios-nrpe : Rewrite check_vrrpd for a better check (check rp_filter, vrrpd and uvrrpd compatible, use arguments, …)
 * openvpn: Change check_openvpn destination file to comply with recent EvoBSD change
@@ -42,7 +42,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * clamav: set `MaxConnectionQueueLength` to its default value (200), custom (15) was way too small and caused recurrent connections fail in Postfix.
 * postfix (packmail only): disable `concurrency_failed_cohort_limit` for destination smtp-amavis to prevent the suspension of this destination when Amavis fails to answer. Indeed, we configure the suspension delay quite long in `minimal_backoff_time` (2h) and `maximal_backoff_time` (6h) to reduce the risk of ban from external SMTPs.
 * php: install using sury repositories on bullseye
-* bind: fix fail in check mode
 
 ### Removed
 

bind/defaults/main.yml

@@ -8,4 +8,5 @@ bind_systemd_service_path: /etc/systemd/system/bind9.service
 bind_statistics_file: /var/run/named.stats
 bind_log_file: /var/log/bind.log
 bind_query_file: /var/log/bind_queries.log
+bind_query_file_enabled: False
 bind_cache_dir: /var/cache/bind

bind/handlers/main.yml

@@ -13,7 +13,6 @@
   systemd:
     name: bind9
     state: restarted
-  when: not ansible_check_mode
 
 - name: restart munin-node
   systemd:

bind/tasks/authoritative.yml

@@ -0,0 +1,11 @@
+---
+
+- name: Set bind configuration for authoritative server
+  template:
+    src: named.conf.options_authoritative.j2
+    dest: /etc/bind/named.conf.options
+    owner: bind
+    group: bind
+    mode: "0644"
+    force: yes
+  notify: restart bind

bind/tasks/main.yml

@@ -8,6 +8,13 @@
      bind_chroot_path: /var/chroot-bind
   when: bind_chroot_set | bool
 
+- name: Check AppArmor
+  shell: systemctl is-active apparmor || systemctl is-enabled apparmor
+  failed_when: False
+  changed_when: False
+  check_mode: no
+  register: check_apparmor
+
 - name: configure apparmor
   template:
     src: apparmor.usr.sbin.named.j2
@@ -17,6 +24,7 @@
     mode: '0644'
     force: yes
   notify: restart apparmor
+  when: check_apparmor.rc == 0
 
 - name: package are installed
   apt:
@@ -25,49 +33,23 @@
       - dnstop
     state: present
 
-- name: Set bind configuration for recursive server
+- include: authoritative.yml
-  template:
-    src: named.conf.options_recursive.j2
-    dest: /etc/bind/named.conf.options
-    owner: bind
-    group: bind
-    mode: "0644"
-    force: yes
-  notify: restart bind
-  when: bind_recursive_server | bool
-
-- name: enable zones.rfc1918 for recursive server
-  lineinfile:
-    dest: /etc/bind/named.conf.local
-    line: 'include "/etc/bind/zones.rfc1918";'
-    regexp: "zones.rfc1918"
-  notify: restart bind
-  when:
-    - bind_recursive_server | bool
-    - not ansible_check_mode
-
-- name: Set bind configuration for authoritative server
-  template:
-    src: named.conf.options_authoritative.j2
-    dest: /etc/bind/named.conf.options
-    owner: bind
-    group: bind
-    mode: "0644"
-    force: yes
-  notify: restart bind
   when: bind_authoritative_server | bool
 
-- name: Create systemd service
+- include: recursive.yml
+  when: bind_recursive_server | bool
+
+- name: Create systemd service for Debian 8 (Jessie)
   template:
-    src: bind9.service.j2
+    src: bind9.service.jessie.j2
     dest: "{{ bind_systemd_service_path }}"
     owner: root
     group: root
     mode: "0644"
     force: yes
   notify:
-  - reload systemd
+    - reload systemd
-  - restart bind
+    - restart bind
   when: ansible_distribution_release == "jessie"
 
 - name: "touch {{ bind_log_file }} if non chroot"

bind/tasks/munin.yml

@@ -19,7 +19,7 @@
     - bind9_rndc
   notify: restart munin-node
   when:
-    - bind_authoritative_server
+    - bind_authoritative_server | bool
     - munin_node_plugins_config.stat.exists
   tags:
     - bind
@@ -32,10 +32,10 @@
     state: link
   loop:
     - bind9
-    - bind9_rndc
   notify: restart munin-node
   when:
-    - bind_recursive_server
+    - bind_recursive_server | bool
+    - bind_query_file_enabled | bool
     - munin_node_plugins_config.stat.exists
   tags:
     - bind

bind/tasks/recursive.yml

@@ -0,0 +1,19 @@
+---
+
+
+- name: Set bind configuration for recursive server
+  template:
+    src: named.conf.options_recursive.j2
+    dest: /etc/bind/named.conf.options
+    owner: bind
+    group: bind
+    mode: "0644"
+    force: yes
+  notify: restart bind
+
+- name: enable zones.rfc1918 for recursive server
+  lineinfile:
+    dest: /etc/bind/named.conf.local
+    line: 'include "/etc/bind/zones.rfc1918";'
+    regexp: "zones.rfc1918"
+  notify: restart bind

bind/templates/apparmor.usr.sbin.named.j2

@@ -56,7 +56,9 @@
   # some people like to put logs in /var/log/named/ instead of having
   # syslog do the heavy lifting.
   {{ bind_log_file }} rw,
+  {% if bind_query_file_enabled | bool %}
   {{ bind_query_file }} rw,
+  {% endif %}
 
   # gssapi
   /var/lib/sss/pubconf/krb5.include.d/** r,

bind/templates/logrotate_bind.j2

@@ -1,4 +1,4 @@
-{% if bind_chroot_set %}
+{% if bind_chroot_set | bool %}
 {{ bind_chroot_path }}{{ bind_log_file }} {
 {% else %}
 {{ bind_log_file }} {

bind/templates/munin-env_bind9.j2

@@ -1,9 +1,17 @@
 [bind*]
 user root
 
-env.logfile {% if bind_chroot_set %}{{ bind_chroot_path }}{% endif %}{{ bind_query_file }}
+{% if bind_query_file_enabled | bool %}
+{% if bind_chroot_set | bool %}
+env.logfile {{ bind_chroot_path }}{{ bind_query_file }}
+{% else %}
+env.logfile {{ bind_query_file }}
+{% endif %}
+{% endif %}
+
 {% if bind_authoritative_server %}
 env.querystats {% if bind_chroot_set %}{{ bind_chroot_path }}{% endif %}{{ bind_statistics_file }}
 {% endif %}
+
 env.MUNIN_PLUGSTATE /var/lib/munin
 timeout 120

bind/templates/named.conf.options_authoritative.j2

@@ -1,7 +1,7 @@
-acl "foo" {
+// acl "foo" {
-    ::ffff:192.0.2.21; 192.0.2.21;
+//     ::ffff:192.0.2.21; 192.0.2.21;
-    2001:db8::21;
+//     2001:db8::21;
-};
+// };
 
 options {
       directory "{{ bind_cache_dir }}";
@@ -20,16 +20,20 @@ options {
 
 logging {
     category default { default_file; };
+{% if bind_query_file_enabled | bool %}
     category queries { query_logging; };
+{% endif %}
 
     channel default_file {
         file "{{ bind_log_file }}";
         severity info;
     };
+{% if bind_query_file_enabled | bool %}
     channel query_logging {
         file "{{ bind_query_file }}" versions 2 size 128M;
         print-category yes;
         print-severity yes;
         print-time yes;
     };
+{% endif %}
 };

bind/templates/named.conf.options_recursive.j2

@@ -9,16 +9,20 @@ options {
 
 logging {
     category default { default_file; };
+{% if bind_query_file_enabled | bool %}
     category queries { query_logging; };
+{% endif %}
 
     channel default_file {
         file "{{ bind_log_file }}";
         severity info;
     };
+{% if bind_query_file_enabled | bool %}
     channel query_logging {
         file "{{ bind_query_file }}" versions 2 size 128M;
         print-category yes;
         print-severity yes;
         print-time yes;
     };
+{% endif %}
 };