[bind9] At last usable !

2022-06-06 21:59:11 +02:00 · 2022-06-06 21:59:11 +02:00 · 36dc7429a3
parent 34243f83cd
commit 36dc7429a3
12 changed files with 99 additions and 180 deletions
--- a/group_vars/dns_authoritative.yml
+++ b/group_vars/dns_authoritative.yml
@ -0,0 +1,24 @@
 ---
 glob_bind:
  default:
    format: 'bak.%s'
  zones:
    '_acme-challenge.crans.org':
    '_acme-challenge.adm.crans.org':
    'adh.crans.org': {}
    'adm.crans.org': {}
    'cachan-adm.crans.org': {}
    'crans.eu': {}
    'crans.fr': {}
    'crans.org': {}
    'lists.crans.org': {}
    'san.crans.org': {}
    'renater.crans.org': {}
    'ens.crans.org': {}
    'lp.crans.org': {}
    'admissibles.crans.org': {}
    '76.230.185.in-addr.arpa': {}
    '77.230.185.in-addr.arpa': {}
    '78.230.185.in-addr.arpa': {}
    '79.230.185.in-addr.arpa': {}
    '0.0.7.0.c.0.a.2.ip6.arpa': {}
--- a/host_vars/silice.adm.crans.org.yml
+++ b/host_vars/silice.adm.crans.org.yml
@ -2,3 +2,29 @@
 interfaces:
  adm: eth1
  srv: eth0
 loc_bind:
  options:
    secondaries: "{{ query('ldap', 'ip', 'sputnik', 'adm') }}"
    key_directory: "/var/cache/bind/keys"
  default:
    format: 'generated/%s.db'
    type: primary
    notify: 'yes'
    dnssec: true
  zones:
    '_acme-challenge.crans.org':
      update_policy:
        - 'grant certbot_challenge. name _acme-challenge.crans.org. txt'
      format: 'bak.%s'
    '_acme-challenge.adm.crans.org':
      update_policy:
        - 'grant certbot_adm_challenge. name _acme-challenge.adm.crans.org. txt'
      format: 'bak.%s'
  rfc2136_keys:
    'certbot_challenge.':
      algorithm: hmac-sha512
      secret: "{{ vault.bind.rfc2136_keys['certbot_challenge.'].secret }}"
    'certbot_adm_challenge.':
      algorithm: hmac-sha512
      secret: "{{ vault.bind.rfc2136_keys['certbot_adm_challenge.'].secret }}"
--- a/host_vars/sputnik.adm.crans.org.yml
+++ b/host_vars/sputnik.adm.crans.org.yml
@ -111,3 +111,8 @@ loc_reverseproxy:
  redirect_sites: []
  static_sites: []
 loc_bind:
  default:
    type: slave
    primaries: "{{ query('ldap', 'ip', 'silice', 'adm') }}"
--- a/7
+++ b/7
@ -55,12 +55,9 @@ gitlab_runner
 [django_cas]
 cas.adm.crans.org
-[dns_auth_master]
+[dns_authoritative]
 silice.adm.crans.org
-
+sputnik.adm.crans.org
 [dns_authoritative:children]
 dns_auth_master
 ovh_physical
 [dns_recursive:children]
 routeurs_vm
--- a/plays/dns-authoritative.yml
+++ b/plays/dns-authoritative.yml
@ -3,21 +3,6 @@
 # Deploy authoritative DNS server
 - hosts: dns_authoritative
  vars:
-    certbot_dns_secret: "{{ vault.certbot_dns_secret }}"
+    bind: '{{ glob_bind | default({}) | combine(loc_bind | default({}), recursive=True) }}'
    certbot_adm_dns_secret: "{{ vault.certbot_adm_dns_secret }}"
    bind:
      masters: "{{ query('ldap', 'role', 'dns-primary') }}"
      slaves: "{{ query('ldap', 'role', 'dns-secondary') }}"
      zones: "{{ (lookup('re2oapi', 'dnszones') + query('ldap', 'zones')) | unique }}"
      reverse: "{{ lookup('re2oapi', 'dnsreverse') }}"
  roles:
    - bind-authoritative
 - hosts: dns_auth_master
  vars:
    re2o:
      server: re2o.adm.crans.org
      service_user: "{{ vault.re2o_service_user }}"
      service_password: "{{ vault.re2o_service_password }}"
  roles:
    - dns
--- a/roles/bind-authoritative/handlers/main.yml
+++ b/roles/bind-authoritative/handlers/main.yml
@ -1,5 +1,5 @@
 ---
- name: Reload Bind9
+- name: systemctl reload bind9.service
  systemd:
    name: bind9
    state: reloaded
--- a/roles/bind-authoritative/tasks/dnssec.yml
+++ b/roles/bind-authoritative/tasks/dnssec.yml
@ -1,4 +0,0 @@
 ---
 - name: TODO
  debug:
    msg: "Hey some work is being done here!"
--- a/roles/bind-authoritative/tasks/main.yml
+++ b/roles/bind-authoritative/tasks/main.yml
@ -7,11 +7,6 @@
  retries: 3
  until: apt_result is succeeded
 - name: Is this the master?
  set_fact:
    is_master: "{{ ansible_hostname in query('ldap', 'role', 'dns-primary') }}"
    cacheable: true
 - name: Deploy Bind9 configuration
  template:
    src: bind/{{ item }}.j2
@ -22,11 +17,10 @@
  loop:
    - named.conf
    - named.conf.local
    - named.conf.key
    - named.conf.options
-  notify: Reload Bind9
+  when: item != "named.conf.key" or bind.rfc2136_keys is defined
-
+  notify: systemctl reload bind9.service
 - include_tasks: dnssec.yml
  when: is_master
 - name: Indicate role in motd
  template:
--- a/roles/bind-authoritative/templates/bind/named.conf.key.j2
+++ b/roles/bind-authoritative/templates/bind/named.conf.key.j2
@ -0,0 +1,9 @@
 {{ ansible_header | comment(decoration='// ') }}
 // Let's Encrypt Challenge DNS-01 key
 {% for keyname,key in bind.rfc2136_keys.items() %}
 key "{{ keyname }}" {
 	algorithm {{ key.algorithm }};
 	secret "{{ key.secret }}";
 };
 {% endfor %}
--- a/roles/bind-authoritative/templates/bind/named.conf.local.j2
+++ b/roles/bind-authoritative/templates/bind/named.conf.local.j2
@ -3,148 +3,35 @@
 // Consider adding the 1918 zones here, if they are not used in your
 // organization
 //include "/etc/bind/zones.rfc1918";
 {% if bind.rfc2136_keys is defined %}
-{% if is_master -%}
+include "/etc/bind/named.conf.key";
 // Let's Encrypt Challenge DNS-01 key
 key "certbot_challenge." {
 	algorithm hmac-sha512;
 	secret "{{ certbot_dns_secret }}";
 };
 key "certbot_adm_challenge." {
 	algorithm hmac-sha512;
 	secret "{{ certbot_adm_dns_secret }}";
 };
 {% endif %}
-// Let's Encrypt Challenge DNS-01 zone
+{% for zonename,zone in bind.zones.items() %}
-zone "_acme-challenge.crans.org" {
+zone "{{ zonename }}" {
-{% if is_master %}
+{% set zone = bind.default | combine(zone) %}
-	type master;
+	type {{ zone.type | default('primary') }};
-	notify yes;
+{% if zone.update_policy is defined %}
 	update-policy {
-		grant certbot_challenge. name _acme-challenge.crans.org. txt;
+{% for policy in zone.update_policy %}
-	};
+		{{ policy }};
 {% else %}
 	type slave;
 	masters {
 {% for host in bind.masters %}
 {% for ip in query('ldap', 'ip', host, 'adm') %}
 		{{ ip }};
 {% endfor -%}
 {% endfor %}
 	};
 	notify no;
 {% endif %}
-	file "bak._acme-challenge.crans.org";
+	file "{{ zone.format | default('') | format(zonename) }}";
-};
+{% if zone.primaries is defined and zone.primaries != False %}
 // Let's Encrypt Challenge DNS-01 zone
 zone "_acme-challenge.adm.crans.org" {
 {% if is_master %}
 	type master;
 	notify yes;
 	update-policy {
 		grant certbot_adm_challenge. name _acme-challenge.adm.crans.org. txt;
 	};
 {% else %}
 	type slave;
 	masters {
-{% for host in bind.masters %}
+{% for primary in zone.primaries %}
-{% for ip in query('ldap', 'ip', host, 'adm') %}
+		{{ primary }};
 		{{ ip }};
 {% endfor -%}
 {% endfor %}
 	};
 	notify no;
 {% endif %}
-	file "bak._acme-challenge.adm.crans.org";
+	notify {{ zone.notify | default('no') }};
-};
+{% if zone.dnssec is defined and zone.dnssec %}
-
+	inline-signing yes;
-zone "_acme-challenge.crans.fr" {
+	auto-dnssec maintain;
-{% if is_master %}
+	serial-update-method increment;
 	type master;
 	notify yes;
 	update-policy {
 		grant certbot_challenge. name _acme-challenge.crans.fr. txt;
 	};
 {% else %}
 	type slave;
 	masters {
 {% for host in bind.masters %}
 {% for ip in query('ldap', 'ip', host, 'adm') %}
 		{{ ip }};
 {% endfor -%}
 {% endfor %}
 	};
 	notify no;
 {% endif %}
 	file "bak._acme-challenge.crans.fr";
 };
 zone "_acme-challenge.crans.eu" {
 {% if is_master %}
 	type master;
 	notify yes;
 	update-policy {
 		grant certbot_challenge. name _acme-challenge.crans.eu. txt;
 	};
 {% else %}
 	type slave;
 	masters {
 {% for host in bind.masters %}
 {% for ip in query('ldap', 'ip', host, 'adm') %}
 		{{ ip }};
 {% endfor -%}
 {% endfor %}
 	};
 	notify no;
 {% endif %}
 	file "bak._acme-challenge.crans.eu";
 };
 // Crans zones
 {% for zone in bind.zones|sort %}
 zone "{{ zone }}" {
 {% if is_master %}
 	type master;
 	// Apparmor: Need to ln -s /var/cache/bind/generated /var/local/re2o-services/dns/generated
 	file "generated/{{ zone }}.db";
 	notify yes;
 {% else %}
 	type slave;
 	file "bak.{{ zone }}";
 	masters {
 {% for host in bind.masters %}
 {% for ip in query('ldap', 'ip', host, 'adm') %}
 		{{ ip }};
 {% endfor -%}
 {% endfor %}
 	};
 	notify no;
 {% endif %}
 };
 {% endfor %}
 // Crans reverse zones
 {% for zone in bind.reverse %}
 zone "{{ zone }}" {
 {% if is_master %}
 	type master;
 	// Apparmor: Need to ln -s /var/cache/bind/generated /var/local/re2o-services/dns/generated
 	file "generated/{{ zone }}.db";
 	notify yes;
 {% else %}
 	type slave;
 	file "bak.{{ zone }}";
 	masters {
 {% for host in bind.masters %}
 {% for ip in query('ldap', 'ip', host, 'adm') %}
 		{{ ip }};
 {% endfor -%}
 {% endfor %}
 	};
 	notify no;
 {% endif %}
 };
--- a/roles/bind-authoritative/templates/bind/named.conf.options.j2
+++ b/roles/bind-authoritative/templates/bind/named.conf.options.j2
@ -2,6 +2,10 @@
 options {
 	directory "/var/cache/bind";
 {% if bind.options.key_directory is defined %}
 	key-directory "{{ bind.options.key_directory }}";
 {% endif %}
 	// If there is a firewall between you and nameservers you want
 	// to talk to, you may need to fix the firewall to allow multiple
@ -30,20 +34,16 @@ options {
 	// Hide version from clients
 	version "not currently available";
-{% if is_master %}
+{% if bind.options.secondaries is defined %}
 	allow-transfer {
-{% for host in bind.slaves %}
+{% for host in bind.options.secondaries %}
-{% for ip in query('ldap', 'ip', host, 'adm') %}
+		{{ host }};
 		{{ ip }};
 {% endfor %}
 {% endfor %}
 	};
 	also-notify {
-{% for host in bind.slaves %}
+{% for host in bind.options.secondaries %}
-{% for ip in query('ldap', 'ip', host, 'adm') %}
+		{{ host }};
 		{{ ip }};
 {% endfor %}
 {% endfor %}
 	};
 {% else %}
--- a/roles/bind-authoritative/templates/update-motd.d/05-service.j2
+++ b/roles/bind-authoritative/templates/update-motd.d/05-service.j2
@ -1,7 +1,3 @@
 #!/usr/bin/tail +14
 {{ ansible_header | comment }}
-{% if is_master %}
+[0m> [38;5;82mBind9 (authoritative)[0m a été déployé sur cette machine. Voir [38;5;6m/etc/bind/[0m.
 [0m> [38;5;82mBind9 (autoritaire, maître)[0m a été déployé sur cette machine. Voir [38;5;6m/etc/bind/[0m.
 {% else %}
 [0m> [38;5;82mBind9 (autoritaire, esclave)[0m a été déployé sur cette machine. Voir [38;5;6m/etc/bind/[0m.
 {% endif %}