7c632352a0
The behaviour of the `include` module is badly defined (it tries to choose between statically importing the tasks and dynamically including them) and can cause problems depending on any number of constraints (mostly when it chooses the wrong behaviour). Replace it with `import_tasks` (always statically import tasks), unless the `include` is in a loop, in which case we replace it with `include_tasks` (always dynamically include tasks).
# Until chroot-bind.sh is migrated to ansible, we hardcode the chroot paths.
|
|
- name: set chroot variables
|
|
set_fact:
|
|
bind_log_file: /var/log/bind.log
|
|
bind_query_file: /var/log/bind_queries.log
|
|
bind_cache_dir: /var/cache/bind
|
|
bind_statistics_file: /var/run/named.stats
|
|
bind_chroot_path: /var/chroot-bind
|
|
when: bind_chroot_set | bool
|
|
|
|
- name: configure apparmor
|
|
template:
|
|
src: apparmor.usr.sbin.named.j2
|
|
dest: /etc/apparmor.d/usr.sbin.named
|
|
owner: root
|
|
group: root
|
|
mode: '0644'
|
|
force: yes
|
|
notify: restart apparmor
|
|
|
|
- name: package are installed
|
|
apt:
|
|
name:
|
|
- bind9
|
|
- dnstop
|
|
state: present
|
|
|
|
- name: Set bind configuration for recursive server
|
|
template:
|
|
src: named.conf.options_recursive.j2
|
|
dest: /etc/bind/named.conf.options
|
|
owner: bind
|
|
group: bind
|
|
mode: "0644"
|
|
force: yes
|
|
notify: restart bind
|
|
when: bind_recursive_server | bool
|
|
|
|
- name: enable zones.rfc1918 for recursive server
|
|
lineinfile:
|
|
dest: /etc/bind/named.conf.local
|
|
line: 'include "/etc/bind/zones.rfc1918";'
|
|
regexp: "zones.rfc1918"
|
|
notify: restart bind
|
|
when: bind_recursive_server | bool
|
|
|
|
- name: Set bind configuration for authoritative server
|
|
template:
|
|
src: named.conf.options_authoritative.j2
|
|
dest: /etc/bind/named.conf.options
|
|
owner: bind
|
|
group: bind
|
|
mode: "0644"
|
|
force: yes
|
|
notify: restart bind
|
|
when: bind_authoritative_server | bool
|
|
|
|
- name: Create systemd service
|
|
template:
|
|
src: bind9.service.j2
|
|
dest: "{{ bind_systemd_service_path }}"
|
|
owner: root
|
|
group: root
|
|
mode: "0644"
|
|
force: yes
|
|
notify:
|
|
- reload systemd
|
|
- restart bind
|
|
when: ansible_distribution_release == "jessie"
|
|
|
|
- name: "touch {{ bind_log_file }} if non chroot"
|
|
file:
|
|
path: "{{ bind_log_file }}"
|
|
owner: bind
|
|
group: adm
|
|
mode: "0640"
|
|
state: touch
|
|
when: not (bind_chroot_set | bool)
|
|
|
|
- name: "touch {{ bind_query_file }} if non chroot"
|
|
file:
|
|
path: "{{ bind_query_file }}"
|
|
owner: bind
|
|
group: adm
|
|
mode: "0640"
|
|
state: touch
|
|
when: not (bind_chroot_set | bool)
|
|
|
|
- name: send chroot-bind.sh in /root
|
|
copy:
|
|
src: chroot-bind.sh
|
|
dest: /root/chroot-bind.sh
|
|
mode: "0700"
|
|
owner: root
|
|
force: yes
|
|
backup: yes
|
|
when: bind_chroot_set | bool
|
|
|
|
- name: exec chroot-bind.sh
|
|
command: "/root/chroot-bind.sh"
|
|
register: chrootbind_run
|
|
changed_when: False
|
|
when: bind_chroot_set | bool
|
|
|
|
- debug:
|
|
var: chrootbind_run.stdout_lines
|
|
when:
|
|
- bind_chroot_set | bool
|
|
- chrootbind_run.stdout | length > 0
|
|
|
|
- name: Modify OPTIONS in /etc/default/bind9 for chroot
|
|
replace:
|
|
dest: /etc/default/bind9
|
|
regexp: '^OPTIONS=.*'
|
|
replace: 'OPTIONS="-u bind -t {{ bind_chroot_path }}"'
|
|
notify: restart bind
|
|
when: bind_chroot_set | bool
|
|
|
|
- name: logrotate for bind
|
|
template:
|
|
src: logrotate_bind.j2
|
|
dest: /etc/logrotate.d/bind9
|
|
owner: root
|
|
group: root
|
|
mode: "0644"
|
|
force: yes
|
|
notify: restart bind
|
|
|
|
- import_tasks: munin.yml
|
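Review bot: The `exec chroot-bind.sh` task (`command: "/root/chroot-bind.sh"`) runs a root-owned script on every play yet declares `changed_when: False`, so whatever that script modifies under the chroot is hidden from the play's change reporting; since the file header already marks the script as a stopgap until it is migrated to Ansible, the task should either gate the run, e.g. `args: {creates: "<PATH_CREATED_BY_CHROOT_BIND_SH>"}`, or carry a comment stating why unconditional re-execution is safe. The two `state: touch` tasks for `bind_log_file` and `bind_query_file` will report changed on every run unless `modification_time: preserve` / `access_time: preserve` are set, which makes real drift in owner, group or mode harder to spot. As a point of style, `force: yes` and `backup: yes` should be written `true`, and `mode: '0644'` in the apparmor task should use the same double-quoted form as every other `mode:` value in the file.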