crans
/
ansible
mirror of http://gitlab.adm.crans.org/nounous/ansible.git
19
0
Fork 0
Code Issues Projects Releases Wiki Activity

Use Re2o API to config Bind9

certbot_on_virtu
Alexandre Iooss 2020-04-26 18:18:18 +02:00
parent 787ff00319
commit fe3df776db
No known key found for this signature in database
GPG Key ID: 6C79278F3FCDCC02
3 changed files with 36 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
README.md
View File

@ -80,6 +80,12 @@ on peut exécuter le module `setup` manuellement.
ansible zamok.adm.crans.org -m setup ansible zamok.adm.crans.org -m setup
``` ```
### Filtrer un objet Python
Ansible fournit le filtre `json_query` qui va utiliser
le module python `jmespath`. Il est puissant et permet entre autre
de filtrer la sortie de l'API Re2o.
## Exécution d'Ansible ## Exécution d'Ansible
### Configurer la connexion au vlan adm ### Configurer la connexion au vlan adm
@ -103,7 +109,7 @@ ssh-copy-id zamok.adm.crans.org
### Lancer un Playbook Ansible ### Lancer un Playbook Ansible
Il faut `python3-netaddr` sur sa machine. Il faut `python3-netaddr` et `python3-jmespath` sur sa machine.
Pour tester le playbook `base.yml` : Pour tester le playbook `base.yml` :
```bash ```bash

7
network.yml
View File

@ -41,10 +41,9 @@
vars: vars:
certbot_dns_secret: "{{ vault_certbot_dns_secret }}" certbot_dns_secret: "{{ vault_certbot_dns_secret }}"
bind: bind:
master: false masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}"
master_ip: 10.231.136.118 slaves: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-slave')[0] }}"
slaves: [] # TODO zones: "{{ lookup('re2oapi', 'dnszones') }}"
zones: "{{ lookup('re2oapi', 'dnszones', api_hostname='intranet.crans.org') }}"
roles: roles:
- bind-authoritative - bind-authoritative

35
roles/bind-authoritative/templates/bind/named.conf.local.j2
View File

@ -4,29 +4,41 @@
// organization // organization
//include "/etc/bind/zones.rfc1918"; //include "/etc/bind/zones.rfc1918";
{% if bind.master %} {%- set masters_ipv4 = bind.masters | json_query("servers[].interface[?vlan_id==`2`].ipv4[]") %}
{%- set masters_ipv6 = bind.masters | json_query("servers[].interface[?vlan_id==`2`].ipv6[][].ipv6") %}
{%- set slaves_ipv4 = bind.slaves | json_query("servers[].interface[?vlan_id==`2`].ipv4[]") %}
{%- set slaves_ipv6 = bind.slaves | json_query("servers[].interface[?vlan_id==`2`].ipv6[][].ipv6") %}
{%- set is_master = ansible_all_ipv4_addresses | intersect(masters_ipv4) %}
{% if is_master -%}
// Let's Encrypt Challenge DNS-01 // Let's Encrypt Challenge DNS-01
key "certbot_challenge." { key "certbot_challenge." {
algorithm hmac-sha512; algorithm hmac-sha512;
secret "{{ certbot_dns_secret }}"; secret "{{ certbot_dns_secret }}";
}; };
{% endif %} {% endif %}
// Crans zones // Crans zones
{% for zone in bind.zones %} {% for zone in bind.zones %}
zone "{{ zone }}" { zone "{{ zone }}" {
{% if bind.master -%} {% if is_master -%}
type master; type master;
file "/var/local/re2o-services/dns/generated/dns.{{ zone }}.zone"; file "/var/local/re2o-services/dns/generated/dns.{{ zone }}.zone";
forwarders { forwarders {
{% for slave in bind.slaves -%} {% for ip in slaves_ipv4 -%}
{{ slave }}; {{ ip }};
{% endfor -%} {% endfor -%}
{% for ip in slaves_ipv6 -%}
{{ ip }};
{% endfor -%}
}; };
allow-transfer { allow-transfer {
{% for slave in bind.slaves -%} {% for ip in slaves_ipv4 -%}
{{ slave }}; {{ ip }};
{% endfor -%} {% endfor -%}
{% for ip in slaves_ipv6 -%}
{{ ip }};
{% endfor -%}
}; };
update-policy { update-policy {
grant certbot_challenge. name _acme-challenge.{{ zone }} txt; grant certbot_challenge. name _acme-challenge.{{ zone }} txt;
@ -36,7 +48,12 @@ zone "{{ zone }}" {
type slave; type slave;
file "bak.{{ zone }}"; file "bak.{{ zone }}";
masters { masters {
{{ bind.master_ip }}; {% for ip in masters_ipv4 -%}
{{ ip }};
{% endfor -%}
{% for ip in masters_ipv6 -%}
{{ ip }};
{% endfor -%}
}; };
allow-transfer { "none"; }; allow-transfer { "none"; };
notify no; notify no;