[bind] factorize allow-transfer and notify

certbot_on_virtu
Alexandre Iooss 2020-04-27 14:32:32 +02:00
parent 27d56bb0a5
commit ac79e09f57
No known key found for this signature in database
GPG Key ID: 6C79278F3FCDCC02
2 changed files with 44 additions and 51 deletions


@ -14,66 +14,48 @@ key "certbot_challenge." {
// Let's Encrypt Challenge DNS-01 zone
zone "_acme-challenge.crans.org" {
{% if is_master -%}
{% if is_master %}
type master;
allow-transfer {
{% for ip in slaves_ipv4 -%}
{{ ip }};
{% endfor -%}
{% for ip in slaves_ipv6 -%}
{{ ip }};
{% endfor -%}
};
notify yes;
update-policy {
grant certbot_challenge. name _acme-challenge.crans.org. txt;
};
{% else -%}
{% else %}
type slave;
masters {
{% for ip in masters_ipv4 -%}
{% for ip in masters_ipv4 %}
{{ ip }};
{% endfor -%}
{% for ip in masters_ipv6 -%}
{% endfor -%}
{% for ip in masters_ipv6 %}
{{ ip }};
{% endfor -%}
{% endfor %}
};
allow-transfer { "none"; };
notify no;
{% endif -%}
{% endif %}
file "bak._acme-challenge.crans.org";
};
// Crans zones
{% for zone in bind.zones|sort %}
zone "{{ zone }}" {
{% if is_master -%}
{% if is_master %}
type master;
// Apparmor: Need to ln -s /var/cache/bind/generated /var/local/re2o-services/dns/generated
file "generated/dns.{{ zone }}.zone";
allow-transfer {
{% for ip in slaves_ipv4 -%}
{{ ip }};
{% endfor -%}
{% for ip in slaves_ipv6 -%}
{{ ip }};
{% endfor -%}
};
notify yes;
{% else -%}
{% else %}
type slave;
file "bak.{{ zone }}";
masters {
{% for ip in masters_ipv4 -%}
{% for ip in masters_ipv4 %}
{{ ip }};
{% endfor -%}
{% for ip in masters_ipv6 -%}
{% endfor %}
{% for ip in masters_ipv6 %}
{{ ip }};
{% endfor -%}
{% endfor %}
};
allow-transfer { "none"; };
notify no;
{% endif -%}
{% endif %}
};
{% endfor %}
@ -81,33 +63,24 @@ zone "{{ zone }}" {
// Crans reverse zones
{% for zone in bind.reverse %}
zone "{{ zone }}" {
{% if is_master -%}
{% if is_master %}
type master;
// Apparmor: Need to ln -s /var/cache/bind/generated /var/local/re2o-services/dns/generated
file "generated/dns.{{ zone }}.zone";
allow-transfer {
{% for ip in slaves_ipv4 -%}
{{ ip }};
{% endfor -%}
{% for ip in slaves_ipv6 -%}
{{ ip }};
{% endfor -%}
};
notify yes;
{% else -%}
{% else %}
type slave;
file "bak.{{ zone }}";
masters {
{% for ip in masters_ipv4 -%}
{% for ip in masters_ipv4 %}
{{ ip }};
{% endfor -%}
{% for ip in masters_ipv6 -%}
{% endfor %}
{% for ip in masters_ipv6 %}
{{ ip }};
{% endfor -%}
{% endfor %}
};
allow-transfer { "none"; };
notify no;
{% endif -%}
{% endif %}
};
{% endfor %}


@ -27,9 +27,29 @@ options {
// Disable recursion on authoritative DNS server
recursion no;
// Disallow zone transfert by default
allow-transfer { none; };
// Hide version from clients
version "not currently available";
{% if is_master %}
allow-transfer {
{% for ip in slaves_ipv4 %}
{{ ip }};
{% endfor %}
{% for ip in slaves_ipv6 %}
{{ ip }};
{% endfor %}
};
also-notify {
{% for ip in slaves_ipv4 %}
{{ ip }};
{% endfor %}
{% for ip in slaves_ipv6 %}
{{ ip }};
{% endfor %}
};
{% else %}
// Disallow zone transfert by default
allow-transfer { none; };
{% endif %}
};
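Review bot: The `{% else %}` branch of the options block restores only the global `allow-transfer { none; };`, but not the `notify no;` that the first file's slave branches dropped alongside it (the ACME-challenge zone, the `bind.zones` loop and the `bind.reverse` loop all lost their zone-level `notify no;`). With no `notify` statement at all, BIND falls back to its default of `notify yes`, so as far as I can tell the secondaries would now send NOTIFY messages to every NS of each zone after every transfer instead of staying silent as before. Adding `notify no;` right after `allow-transfer { none; };` in the else branch keeps the previous behaviour; on the master side, `notify explicit;` next to `also-notify` would limit notifications to the listed secondaries if that is the intent. Note also that the master-side `allow-transfer` is an IP-only ACL, so if an empty `slaves_ipv4`/`slaves_ipv6` pair can occur it is worth confirming that the resulting `allow-transfer { };` is treated as deny-all rather than left open.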