70 lines
1.7 KiB
Django/Jinja
70 lines
1.7 KiB
Django/Jinja
{{ ansible_header | comment(decoration='// ') }}
|
|
|
|
// Consider adding the 1918 zones here, if they are not used in your
|
|
// organization
|
|
//include "/etc/bind/zones.rfc1918";
|
|
|
|
{%- set masters_ipv4 = bind.masters | json_query("servers[].interface[?vlan_id==`2`].ipv4[]") %}
|
|
{%- set masters_ipv6 = bind.masters | json_query("servers[].interface[?vlan_id==`2`].ipv6[][].ipv6") %}
|
|
{%- set slaves_ipv4 = bind.slaves | json_query("servers[].interface[?vlan_id==`2`].ipv4[]") %}
|
|
{%- set slaves_ipv6 = bind.slaves | json_query("servers[].interface[?vlan_id==`2`].ipv6[][].ipv6") %}
|
|
{%- set is_master = ansible_all_ipv4_addresses | intersect(masters_ipv4) %}
|
|
|
|
{% if is_master -%}
|
|
// Let's Encrypt Challenge DNS-01 key
|
|
key "certbot_challenge." {
|
|
algorithm hmac-sha512;
|
|
secret "{{ certbot_dns_secret }}";
|
|
};
|
|
{% endif %}
|
|
|
|
// Let's Encrypt Challenge DNS-01 zone
|
|
zone "_acme-challenge.crans.org" {
|
|
type master;
|
|
file "bak._acme-challenge.crans.org";
|
|
allow-transfer {
|
|
{% for ip in slaves_ipv4 -%}
|
|
{{ ip }};
|
|
{% endfor -%}
|
|
{% for ip in slaves_ipv6 -%}
|
|
{{ ip }};
|
|
{% endfor -%}
|
|
};
|
|
update-policy {
|
|
grant certbot_challenge. name _acme-challenge.crans.org txt;
|
|
};
|
|
};
|
|
|
|
// Crans zones
|
|
{% for zone in bind.zones %}
|
|
zone "{{ zone }}" {
|
|
{% if is_master -%}
|
|
type master;
|
|
file "/var/local/re2o-services/dns/generated/dns.{{ zone }}.zone";
|
|
allow-transfer {
|
|
{% for ip in slaves_ipv4 -%}
|
|
{{ ip }};
|
|
{% endfor -%}
|
|
{% for ip in slaves_ipv6 -%}
|
|
{{ ip }};
|
|
{% endfor -%}
|
|
};
|
|
notify yes;
|
|
{% else -%}
|
|
type slave;
|
|
file "bak.{{ zone }}";
|
|
masters {
|
|
{% for ip in masters_ipv4 -%}
|
|
{{ ip }};
|
|
{% endfor -%}
|
|
{% for ip in masters_ipv6 -%}
|
|
{{ ip }};
|
|
{% endfor -%}
|
|
};
|
|
allow-transfer { "none"; };
|
|
notify no;
|
|
{% endif -%}
|
|
};
|
|
|
|
{% endfor %}
|