From 53d457afd7604d1af559ada26df7e092ed0b8d29 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot
Date: Sat, 22 Aug 2020 09:21:10 +0200
Subject: [PATCH] [bind-authoritative] Query LDAP for IPs

---
 plays/dns.yml | 10 +++---
 roles/bind-authoritative/tasks/main.yml | 8 -----
 .../templates/bind/named.conf.local.j2 | 34 ++++++++-----------
 .../templates/bind/named.conf.options.j2 | 10 +++---
 4 files changed, 24 insertions(+), 38 deletions(-)

diff --git a/plays/dns.yml b/plays/dns.yml
index dd5f2a5a..b261acaa 100755
--- a/plays/dns.yml
+++ b/plays/dns.yml
@@ -2,7 +2,8 @@
 ---
 # Deploy recursive DNS cache server
 - hosts: routeur-sam.adm.crans.org,routeur-daniel.adm.crans.org
- roles: ["bind-recursive"]
+ roles:
+ - bind-recursive
 # Deploy authoritative DNS server
 - hosts: silice.adm.crans.org,sputnik.adm.crans.org,boeing.adm.crans.org
@@ -10,11 +11,12 @@
 certbot_dns_secret: "{{ vault_certbot_dns_secret }}"
 certbot_adm_dns_secret: "{{ vault_certbot_adm_dns_secret }}"
 bind:
- masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}"
- slaves: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-slave')[0] }}"
+ masters: "{{ query('ldap', 'role', 'dns-primary') }}"
+ slaves: "{{ query('ldap', 'role', 'dns-secondary') }}"
 zones: "{{ (lookup('re2oapi', 'dnszones') + query('ldap', 'zones')) | unique }}"
 reverse: "{{ lookup('re2oapi', 'dnsreverse') }}"
- roles: ["bind-authoritative"]
+ roles:
+ - bind-authoritative
 - hosts: silice.adm.crans.org
 vars:
diff --git a/roles/bind-authoritative/tasks/main.yml b/roles/bind-authoritative/tasks/main.yml
index 40fe1963..1191b44c 100644
--- a/roles/bind-authoritative/tasks/main.yml
+++ b/roles/bind-authoritative/tasks/main.yml
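Review bot: `bind.masters` is now the LDAP `dns-primary` host list, yet the role still decides `is_master` with its own `query('ldap', 'role', 'dns-primary')` (visible as context in the tasks/main.yml hunk), so the primary/secondary decision and the `masters`/`allow-transfer` lists come from two separate lookups that can disagree if LDAP changes between them. Deriving it from the play variable, `is_master: "{{ ansible_hostname in bind.masters }}"`, keeps a single source of truth and saves a round trip; that line lives in the role, not in this file. Because `bind.slaves` is rendered straight into the zone-transfer ACL, a comment on the new line would help the next maintainer, e.g. `# bind.slaves feeds allow-transfer: the LDAP dns-secondary role grants full zone access`.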
@@ -7,14 +7,6 @@
 retries: 3
 until: apt_result is succeeded
-- name: Lookup DNS servers
- set_fact:
- masters_ipv4: "{{ bind.masters | json_query('servers[].interface[?vlan_id==`2`].ipv4[]') }}"
- masters_ipv6: "{{ bind.masters | json_query('servers[].interface[?vlan_id==`2`].ipv6[][].ipv6') }}"
- slaves_ipv4: "{{ bind.slaves | json_query('servers[].interface[?vlan_id==`2`].ipv4[]') }}"
- slaves_ipv6: "{{ bind.slaves | json_query('servers[].interface[?vlan_id==`2`].ipv6[][].ipv6') }}"
- cacheable: true
-
 - name: Is this the master?
 set_fact:
 is_master: "{{ ansible_hostname in query('ldap', 'role', 'dns-primary') }}"
diff --git a/roles/bind-authoritative/templates/bind/named.conf.local.j2 b/roles/bind-authoritative/templates/bind/named.conf.local.j2
index 9d76d8e8..ab367594 100644
--- a/roles/bind-authoritative/templates/bind/named.conf.local.j2
+++ b/roles/bind-authoritative/templates/bind/named.conf.local.j2
@@ -27,11 +27,10 @@ zone "_acme-challenge.crans.org" {
 {% else %}
 type slave;
 masters {
-{% for ip in masters_ipv4 %}
+{% for host in bind.masters %}
+{% for ip in query('ldap', 'ip', host, 'adm') %}
 {{ ip }};
 {% endfor -%}
-{% for ip in masters_ipv6 %}
- {{ ip }};
 {% endfor %}
 };
 notify no;
@@ -50,11 +49,10 @@ zone "_acme-challenge.adm.crans.org" {
 {% else %}
 type slave;
 masters {
-{% for ip in masters_ipv4 %}
+{% for host in bind.masters %}
+{% for ip in query('ldap', 'ip', host, 'adm') %}
 {{ ip }};
 {% endfor -%}
-{% for ip in masters_ipv6 %}
- {{ ip }};
 {% endfor %}
 };
 notify no;
@@ -72,11 +70,10 @@ zone "_acme-challenge.crans.fr" {
 {% else %}
 type slave;
 masters {
-{% for ip in masters_ipv4 %}
+{% for host in bind.masters %}
+{% for ip in query('ldap', 'ip', host, 'adm') %}
 {{ ip }};
 {% endfor -%}
-{% for ip in masters_ipv6 %}
- {{ ip }};
 {% endfor %}
 };
 notify no;
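Review bot: The LDAP lookup now runs inside the template, once per master in every `masters { … }` block, whereas the removed `set_fact` resolved the addresses a single time before rendering; the same pattern recurs in the hunks at -50, -72, -94, -118 and -143, and for the `zone "{{ zone }}"` blocks it is repeated for every zone if those blocks sit inside a loop (their enclosing block starts outside the hunk). A lookup that fails or answers differently part-way through the render leaves zones in the same file pointing at different primaries, and the number of LDAP round trips grows with zones × masters. Resolving the addresses once — a `set_fact` in the role looping over `bind.masters`, or a single `{% set %}` at the top of this template — and iterating that list in each block keeps one lookup per run. It is also worth confirming that an empty result, which renders `masters { };`, is rejected by named-checkconf rather than silently loaded; an `assert` on the list length in the role would stop the play before the file is written.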
@@ -94,11 +91,10 @@ zone "_acme-challenge.crans.eu" {
 {% else %}
 type slave;
 masters {
-{% for ip in masters_ipv4 %}
+{% for host in bind.masters %}
+{% for ip in query('ldap', 'ip', host, 'adm') %}
 {{ ip }};
 {% endfor -%}
-{% for ip in masters_ipv6 %}
- {{ ip }};
 {% endfor %}
 };
 notify no;
@@ -118,11 +114,10 @@ zone "{{ zone }}" {
 type slave;
 file "bak.{{ zone }}";
 masters {
-{% for ip in masters_ipv4 %}
- {{ ip }};
-{% endfor %}
-{% for ip in masters_ipv6 %}
+{% for host in bind.masters %}
+{% for ip in query('ldap', 'ip', host, 'adm') %}
 {{ ip }};
+{% endfor -%}
 {% endfor %}
 };
 notify no;
@@ -143,11 +138,10 @@ zone "{{ zone }}" {
 type slave;
 file "bak.{{ zone }}";
 masters {
-{% for ip in masters_ipv4 %}
- {{ ip }};
-{% endfor %}
-{% for ip in masters_ipv6 %}
+{% for host in bind.masters %}
+{% for ip in query('ldap', 'ip', host, 'adm') %}
 {{ ip }};
+{% endfor -%}
 {% endfor %}
 };
 notify no;
diff --git a/roles/bind-authoritative/templates/bind/named.conf.options.j2 b/roles/bind-authoritative/templates/bind/named.conf.options.j2
index 90f9eddb..f76d7e20 100644
--- a/roles/bind-authoritative/templates/bind/named.conf.options.j2
+++ b/roles/bind-authoritative/templates/bind/named.conf.options.j2
@@ -32,20 +32,18 @@ options {
 {% if is_master %}
 allow-transfer {
-{% for ip in slaves_ipv4 %}
+{% for host in bind.slaves %}
+{% for ip in query('ldap', 'ip', host, 'adm') %}
 {{ ip }};
 {% endfor %}
-{% for ip in slaves_ipv6 %}
- {{ ip }};
 {% endfor %}
 };
 also-notify {
-{% for ip in slaves_ipv4 %}
+{% for host in bind.slaves %}
+{% for ip in query('ldap', 'ip', host, 'adm') %}
 {{ ip }};
 {% endfor %}
-{% for ip in slaves_ipv6 %}
- {{ ip }};
 {% endfor %}
 };
 {% else %}
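Review bot: `allow-transfer` is now an address list built from `query('ldap', 'ip', host, 'adm')` per secondary, while the removed code gathered IPv4 and IPv6 addresses separately; whether the `ip` lookup returns both families is not visible here, and if it returns only one, a secondary transferring over the other family is refused and `also-notify` never reaches it, so that is worth confirming against the lookup plugin. An empty lookup result renders `allow-transfer { };`, which BIND treats as permitting no transfer at all — fail-closed, but replication stops without any error — so a guard in the role such as `- assert: { that: bind.slaves | length > 0 }` when `is_master` holds would surface it before the file is written. A short comment above the block, e.g. `{# allow-transfer is the AXFR ACL: every address listed here can pull the full zone #}`, records why this list must stay limited to the secondaries. The enclosing `options { … }` block starts before and continues after the hunk.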