From c6804e73e78737bb5ea98ae23f76b2c37ec20988 Mon Sep 17 00:00:00 2001
From: Patrick Marchand
Date: Wed, 9 Oct 2019 11:47:07 -0400
Subject: [PATCH] Adapted the bind role to respect the evocheck warnings

The required munin plugins and the logging necessary for them to work is now activated depending on the type of resolver and the logrotate file is changed from bind to bind9.
---
 CHANGELOG.md | 6 +++++
 bind/tasks/main.yml | 8 +++---
 bind/tasks/munin.yml | 25 ++++++++++++++++---
 bind/templates/munin-env_bind9.j2 | 2 ++
 .../templates/named.conf.options_recursive.j2 | 18 +++++++++----
 5 files changed, 47 insertions(+), 12 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9454b37c..dcec3d69 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -26,6 +26,9 @@ The **patch** part changes incrementally at each release.
 * redis: rewrite of the role (separate instances, better systemd units…)
 * webapps/evoadmin-web Overload templates if needed
 * webapps/evoadmin-web Add an htpasswd to evoadmin if you cant use an apache IP whitelist
+* bind: enable query logging for recursive resolvers
+* bind: enable logrotate for recursive resolvers
+* bind: enable bind9 munin plugin for recursive resolvers
 
 ### Changed
 * elasticsearch: listen on local interface only by default
@@ -41,6 +44,8 @@ The **patch** part changes incrementally at each release.
 * lxc: remove useless loop in apt execution
 * lxc: update our default template to be compatible with Debian 10
 * lxc: rely on lxc_container module instead of command module
+* bind: the munin task was present, but not included
+* bind: change name of logrotate file to bind9
 
 ### Fixed
 * lxc-php: Don't remove the default pool
@@ -49,6 +54,7 @@ The **patch** part changes incrementally at each release.
 * tomcat: fix typo for default tomcat_version
 * evoadmin-web: Put the php config at the right place for Buster
 
+
 ### Security
 
 ## [9.10.1] - 2019-06-21
diff --git a/bind/tasks/main.yml b/bind/tasks/main.yml
index 8fdf1692..03780435 100644
--- a/bind/tasks/main.yml
+++ b/bind/tasks/main.yml
@@ -65,7 +65,7 @@
 group: adm
 mode: "0640"
 state: touch
- when: bind_authoritative_server and bind_chroot_set == False
+ when: bind_chroot_set == False
 
 - name: send chroot-bind.sh in /root
 copy:
@@ -98,7 +98,7 @@
 - name: logrotate for non chroot bind
 template:
 src: logrotate_bind
- dest: /etc/logrotate.d/bind
+ dest: /etc/logrotate.d/bind9
 owner: root
 group: root
 mode: "0644"
@@ -109,10 +109,12 @@
 - name: logrotate for chroot bind
 template:
 src: logrotate_bind_chroot.j2
- dest: /etc/logrotate.d/bind
+ dest: /etc/logrotate.d/bind9
 owner: root
 group: root
 mode: "0644"
 force: yes
 notify: restart bind
 when: bind_chroot_set
+
+- include: munin.yml
diff --git a/bind/tasks/munin.yml b/bind/tasks/munin.yml
index a31e6b06..5f9da280 100644
--- a/bind/tasks/munin.yml
+++ b/bind/tasks/munin.yml
@@ -8,9 +8,8 @@
 tags:
 - bind
 - munin
- when: bind_authoritative_server
 
-- name: Enable munin plugins
+- name: Enable munin plugins for authoritative server
 file:
 src: "/usr/share/munin/plugins/{{ item }}"
 dest: "/etc/munin/plugins/{{ item }}"
@@ -19,7 +18,25 @@
 - bind9
 - bind9_rndc
 notify: restart munin-node
- when: bind_authoritative_server and munin_node_plugins_config.stat.exists
+ when:
+ - bind_authoritative_server
+ - munin_node_plugins_config.stat.exists
+ tags:
+ - bind
+ - munin
+
+- name: Enable munin plugins for recursive server
+ file:
+ src: "/usr/share/munin/plugins/{{ item }}"
+ dest: "/etc/munin/plugins/{{ item }}"
+ state: link
+ with_items:
+ - bind9
+ - bind9_rndc
+ notify: restart munin-node
+ when:
+ - bind_recursive_server
+ - munin_node_plugins_config.stat.exists
 tags:
 - bind
 - munin
@@ -33,7 +50,7 @@
 mode: "0644"
 force: yes
 notify: restart munin-node
- when: bind_authoritative_server and munin_node_plugins_config.stat.exists
+ when: munin_node_plugins_config.stat.exists
 tags:
 - bind
 - munin
diff --git a/bind/templates/munin-env_bind9.j2 b/bind/templates/munin-env_bind9.j2
index f1d4b41e..5783f889 100644
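Review bot: Changing `dest` to `/etc/logrotate.d/bind9` in the @@ -98 and @@ -109 hunks leaves the previously deployed `/etc/logrotate.d/bind` in place on hosts that already ran this role, and since both come from the same templates they would declare the same log files twice; logrotate then reports a duplicate log entry and ignores the second definition. Add a removal task before the two template tasks, e.g. `- name: remove legacy logrotate file` / `  file: { path: /etc/logrotate.d/bind, state: absent }`, so upgraded hosts converge on a single stanza. In the @@ -65 hunk, `when: bind_chroot_set == False` would read more idiomatically as `when: not bind_chroot_set`; the task it belongs to, and therefore the file being touched with `0640`/`adm`, starts outside the hunk.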
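Review bot: The added "Enable munin plugins for recursive server" task in the @@ -19 hunk links `bind9_rndc` as well as `bind9`, while the munin-env_bind9.j2 hunk now emits `env.querystats` only when `bind_authoritative_server` is set, so on a recursive host that plugin runs without the statistics path the role gives it on authoritative hosts; the changelog also only announces the `bind9` plugin for recursive resolvers. Unless the recursive named.conf produces a statistics file too (not visible here), drop `- bind9_rndc` from the recursive task's `with_items`. The two tasks are otherwise identical and could be a single task with `when:` / `  - bind_authoritative_server or bind_recursive_server` / `  - munin_node_plugins_config.stat.exists`, which keeps one definition to maintain; the collapsed diff does not show whether the new task's `with_items` sits at task level or under `file:`, and only the former is valid, so please confirm the indentation.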
--- a/bind/templates/munin-env_bind9.j2
+++ b/bind/templates/munin-env_bind9.j2
@@ -1,6 +1,8 @@
 [bind*]
 user root
 env.logfile {{ bind_query_file }}
+{% if bind_authoritative_server %}
 env.querystats {{ bind_chroot_path }}{{ bind_statistics_file }}
+{% endif %}
 env.MUNIN_PLUGSTATE /var/lib/munin
 timeout 120
diff --git a/bind/templates/named.conf.options_recursive.j2 b/bind/templates/named.conf.options_recursive.j2
index 555230d0..748f19b2 100644
--- a/bind/templates/named.conf.options_recursive.j2
+++ b/bind/templates/named.conf.options_recursive.j2
@@ -8,9 +8,17 @@ options {
 };
 
 logging {
- category default { default_file; };
- channel default_file {
- file "/var/log/bind.log";
- severity info;
- };
+ category default { default_file; };
+ category queries { query_logging; };
+
+ channel default_file {
+ file "/var/log/bind.log";
+ severity info;
+ };
+ channel query_logging {
+ file "/var/log/bind_queries.log" versions 2 size 128M;
+ print-category yes;
+ print-severity yes;
+ print-time yes;
+ };
 };
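Review bot: The new `query_logging` channel hard-codes `file "/var/log/bind_queries.log"` while munin-env_bind9.j2 points the bind9 plugin at `{{ bind_query_file }}`; since this file is a Jinja template, `file "{{ bind_query_file }}" versions 2 size 128M;` keeps the file named writes and the file the plugin parses from drifting apart (the variable's default is not visible here, so confirm it resolves to this path). Retention of this log is now governed by BIND's own `versions 2 size 128M` rather than by the logrotate stanza the role installs, which is worth a one-line comment above the channel. The file records every client address and queried name, so it should be created with the same `0640`/`adm` ownership the touch task in main.yml applies; whether that task targets this path cannot be seen from the hunk.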