# Until chroot-bind.sh is migrated to ansible, we hardcode the chroot paths. - name: set chroot variables ansible.builtin.set_fact: bind_log_file: /var/log/bind.log bind_query_file: /var/log/bind_queries.log bind_cache_dir: /var/cache/bind bind_statistics_file: /var/run/named.stats bind_chroot_path: /var/chroot-bind when: bind_chroot_set | bool - name: Check AppArmor ansible.builtin.shell: cmd: systemctl is-active apparmor || systemctl is-enabled apparmor failed_when: False changed_when: False check_mode: no register: check_apparmor - name: configure apparmor ansible.builtin.copy: src: apparmor.usr.sbin.named dest: /etc/apparmor.d/local/usr.sbin.named mode: "0644" owner: root force: true backup: yes notify: restart apparmor when: check_apparmor.rc == 0 - name: package are installed ansible.builtin.apt: name: - bind9 - dnstop state: present - ansible.builtin.include: authoritative.yml when: bind_authoritative_server | bool - ansible.builtin.include: recursive.yml when: bind_recursive_server | bool - name: Create systemd service for Debian 8 (Jessie) ansible.builtin.template: src: bind9.service.jessie.j2 dest: "{{ bind_systemd_service_path }}" owner: root group: root mode: "0644" force: true notify: - reload systemd - restart bind when: ansible_distribution_release == "jessie" - name: "touch {{ bind_log_file }} if non chroot" ansible.builtin.file: path: "{{ bind_log_file }}" owner: bind group: adm mode: "0640" state: touch when: not (bind_chroot_set | bool) - name: "touch {{ bind_query_file }} if non chroot" ansible.builtin.file: path: "{{ bind_query_file }}" owner: bind group: adm mode: "0640" state: touch when: not (bind_chroot_set | bool) - name: send chroot-bind.sh in /root ansible.builtin.copy: src: chroot-bind.sh dest: /root/chroot-bind.sh mode: "0700" owner: root force: true backup: yes when: bind_chroot_set | bool - name: exec chroot-bind.sh ansible.builtin.command: cmd: "/root/chroot-bind.sh" register: chrootbind_run changed_when: False when: bind_chroot_set | bool - ansible.builtin.debug: var: chrootbind_run.stdout_lines when: - bind_chroot_set | bool - chrootbind_run.stdout | length > 0 - name: Modify OPTIONS in /etc/default/bind9 for chroot (until Buster) ansible.builtin.replace: dest: /etc/default/bind9 regexp: '^OPTIONS=.*' replace: 'OPTIONS="-u bind -t {{ bind_chroot_path }}"' notify: restart bind when: - bind_chroot_set | bool - ansible_distribution_major_version is version('11', '<') - name: Modify OPTIONS in /etc/default/named for chroot (since Bullseye) ansible.builtin.replace: dest: /etc/default/named regexp: '^OPTIONS=.*' replace: 'OPTIONS="-u bind -t {{ bind_chroot_path }}"' notify: restart bind when: - bind_chroot_set | bool - ansible_distribution_major_version is version('11', '>=') - name: Create mount target directory for chroot (since Bookworm) ansible.builtin.file: path: /var/chroot-bind/run/systemd/journal state: directory owner: bind group: bind notify: restart bind when: - bind_chroot_set | bool - ansible_distribution_major_version is version('12', '>=') - name: Create mount targets for chroot (since Bookworm) ansible.builtin.file: path: '{{ item }}' state: touch owner: bind group: bind loop: - /var/chroot-bind/run/systemd/journal/socket - /var/chroot-bind/run/systemd/journal/stdout - /var/chroot-bind/run/systemd/notify notify: restart bind when: - bind_chroot_set | bool - ansible_distribution_major_version is version('12', '>=') - name: Set up bind mount for chroot (since Bookworm) ansible.posix.mount: src: "{{ item }}" path: "/var/chroot-bind{{ item }}" opts: bind state: mounted fstype: none loop: - /run/systemd/journal/socket - /run/systemd/journal/stdout - /run/systemd/notify notify: restart bind when: - bind_chroot_set | bool - ansible_distribution_major_version is version('12', '>=') - name: logrotate for bind ansible.builtin.template: src: logrotate_bind.j2 dest: /etc/logrotate.d/bind9 owner: root group: root mode: "0644" force: true notify: restart bind - ansible.builtin.include: munin.yml