crans
/
ansible
mirror of http://gitlab.adm.crans.org/nounous/ansible.git
19
0
Fork 0
Code Issues Projects Releases Wiki Activity

[bind] factorize allow-transfer and notify

certbot_on_virtu
Alexandre Iooss 2020-04-27 14:32:32 +02:00
parent 27d56bb0a5
commit ac79e09f57
No known key found for this signature in database
GPG Key ID: 6C79278F3FCDCC02
2 changed files with 44 additions and 51 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

67
roles/bind-authoritative/templates/bind/named.conf.local.j2
View File

@ -14,66 +14,48 @@ key "certbot_challenge." {
// Let's Encrypt Challenge DNS-01 zone // Let's Encrypt Challenge DNS-01 zone
zone "_acme-challenge.crans.org" { zone "_acme-challenge.crans.org" {
{% if is_master -%} {% if is_master %}
type master; type master;
allow-transfer {
{% for ip in slaves_ipv4 -%}
{{ ip }};
{% endfor -%}
{% for ip in slaves_ipv6 -%}
{{ ip }};
{% endfor -%}
};
notify yes; notify yes;
update-policy { update-policy {
grant certbot_challenge. name _acme-challenge.crans.org. txt; grant certbot_challenge. name _acme-challenge.crans.org. txt;
}; };
{% else -%} {% else %}
type slave; type slave;
masters { masters {
{% for ip in masters_ipv4 -%} {% for ip in masters_ipv4 %}
{{ ip }}; {{ ip }};
{% endfor -%} {% endfor -%}
{% for ip in masters_ipv6 -%} {% for ip in masters_ipv6 %}
{{ ip }}; {{ ip }};
{% endfor -%} {% endfor %}
}; };
allow-transfer { "none"; };
notify no; notify no;
{% endif -%} {% endif %}
file "bak._acme-challenge.crans.org"; file "bak._acme-challenge.crans.org";
}; };
// Crans zones // Crans zones
{% for zone in bind.zones|sort %} {% for zone in bind.zones|sort %}
zone "{{ zone }}" { zone "{{ zone }}" {
{% if is_master -%} {% if is_master %}
type master; type master;
// Apparmor: Need to ln -s /var/cache/bind/generated /var/local/re2o-services/dns/generated // Apparmor: Need to ln -s /var/cache/bind/generated /var/local/re2o-services/dns/generated
file "generated/dns.{{ zone }}.zone"; file "generated/dns.{{ zone }}.zone";
allow-transfer {
{% for ip in slaves_ipv4 -%}
{{ ip }};
{% endfor -%}
{% for ip in slaves_ipv6 -%}
{{ ip }};
{% endfor -%}
};
notify yes; notify yes;
{% else -%} {% else %}
type slave; type slave;
file "bak.{{ zone }}"; file "bak.{{ zone }}";
masters { masters {
{% for ip in masters_ipv4 -%} {% for ip in masters_ipv4 %}
{{ ip }}; {{ ip }};
{% endfor -%} {% endfor %}
{% for ip in masters_ipv6 -%} {% for ip in masters_ipv6 %}
{{ ip }}; {{ ip }};
{% endfor -%} {% endfor %}
}; };
allow-transfer { "none"; };
notify no; notify no;
{% endif -%} {% endif %}
}; };
{% endfor %} {% endfor %}
@ -81,33 +63,24 @@ zone "{{ zone }}" {
// Crans reverse zones // Crans reverse zones
{% for zone in bind.reverse %} {% for zone in bind.reverse %}
zone "{{ zone }}" { zone "{{ zone }}" {
{% if is_master -%} {% if is_master %}
type master; type master;
// Apparmor: Need to ln -s /var/cache/bind/generated /var/local/re2o-services/dns/generated // Apparmor: Need to ln -s /var/cache/bind/generated /var/local/re2o-services/dns/generated
file "generated/dns.{{ zone }}.zone"; file "generated/dns.{{ zone }}.zone";
allow-transfer {
{% for ip in slaves_ipv4 -%}
{{ ip }};
{% endfor -%}
{% for ip in slaves_ipv6 -%}
{{ ip }};
{% endfor -%}
};
notify yes; notify yes;
{% else -%} {% else %}
type slave; type slave;
file "bak.{{ zone }}"; file "bak.{{ zone }}";
masters { masters {
{% for ip in masters_ipv4 -%} {% for ip in masters_ipv4 %}
{{ ip }}; {{ ip }};
{% endfor -%} {% endfor %}
{% for ip in masters_ipv6 -%} {% for ip in masters_ipv6 %}
{{ ip }}; {{ ip }};
{% endfor -%} {% endfor %}
}; };
allow-transfer { "none"; };
notify no; notify no;
{% endif -%} {% endif %}
}; };
{% endfor %} {% endfor %}

26
roles/bind-authoritative/templates/bind/named.conf.options.j2
View File

@ -27,9 +27,29 @@ options {
// Disable recursion on authoritative DNS server // Disable recursion on authoritative DNS server
recursion no; recursion no;
// Disallow zone transfert by default
allow-transfer { none; };
// Hide version from clients // Hide version from clients
version "not currently available"; version "not currently available";
{% if is_master %}
allow-transfer {
{% for ip in slaves_ipv4 %}
{{ ip }};
{% endfor %}
{% for ip in slaves_ipv6 %}
{{ ip }};
{% endfor %}
};
also-notify {
{% for ip in slaves_ipv4 %}
{{ ip }};
{% endfor %}
{% for ip in slaves_ipv6 %}
{{ ip }};
{% endfor %}
};
{% else %}
// Disallow zone transfert by default
allow-transfer { none; };
{% endif %}
}; };