Add role service-bind-slave
This commit is contained in:
parent
5e38e4f6fb
commit
821834c4b8
10 changed files with 250 additions and 0 deletions
|
@ -38,6 +38,15 @@ meshes:
|
|||
iface_mtu: 1350
|
||||
peers_mesh_repo: https://github.com/freifunk-mwu/peers-ffmz.git
|
||||
peers_intragate_repo: https://github.com/freifunk-mwu/ffmz-infrastructure-peers.git
|
||||
dns:
|
||||
master: fd37:b4dc:4b1e::a25:103
|
||||
forward_zones:
|
||||
ffmz.org:
|
||||
user.ffmz.org:
|
||||
bb.ffmz.org:
|
||||
nodes.ffmz.org:
|
||||
ffbin:
|
||||
master: fd37:b4dc:4b1e::a25:10c
|
||||
|
||||
wi:
|
||||
site_number: 56
|
||||
|
@ -60,6 +69,13 @@ meshes:
|
|||
iface_mtu: 1350
|
||||
peers_mesh_repo: https://github.com/freifunk-mwu/peers-ffwi.git
|
||||
peers_intragate_repo: https://github.com/freifunk-mwu/ffwi-infrastructure-peers.git
|
||||
dns:
|
||||
master: fd56:b4dc:4b1e::a38:103
|
||||
forward_zones:
|
||||
ffwi.org:
|
||||
user.ffwi.org:
|
||||
bb.ffwi.org:
|
||||
nodes.ffwi.org:
|
||||
|
||||
icvpn:
|
||||
prefix: mwu
|
||||
|
|
|
@ -25,5 +25,6 @@
|
|||
- service-bird
|
||||
- service-bird-icvpn
|
||||
- service-bird-ffrl
|
||||
- service-bind-slave
|
||||
- service-rclocal
|
||||
- system-sysctl-gateway
|
||||
|
|
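--- /dev/null
+++ b/roles/service-bind-slave/README.md
@@ -0,0 +1,39 @@
+# Ansible role service-bind-slave
+
+Diese Ansible role installiert und konfiguriert den DNS Server BIND auf einem Freifunk Gateway.
+Die Gateways agieren lediglich als Slave-DNS Server.
+
+- installiert BIND Pakete
+- schreibt named.conf + named.conf.options + named.conf.logging
+- schreibt named.conf.icvpn nur wenn noch nicht vorhanden
+- schreibt für jedes Mesh eine Konfigurationsdatei named.conf.$site_code
+- Forward-Zones müssen im `meshes`-Dict angegeben werden
+- Reverse DNS Zones werden automatisch aus den benutzten IP-Subnetzen erzeugt
+
+## Benötigte Variablen
+
+- Dictionary `meshes`
+´´´
+meshes:
+xx:
+...
+site_code: # string
+ipv4_network:
+ipv6:
+ula:
+- # ULA-Prefix
+- ...
+dns:
+master: # IP-Adresse des DNS Masters
+forward_zones:
+$zone: # DNS-Domain
+master: # optional: IP-Adresse des DNS Masters, wenn die vom übergeordneten abweicht.
+
+´´´
+- Variable `icvpn_ipv4_transfer_net`
+- Variable `icvpn_ipv6_transfer_net`
+- Host Variable `magic`
+
+## Benötigte roles
+
+- git-repos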
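--- /dev/null
+++ b/roles/service-bind-slave/handlers/main.yml
@@ -0,0 +1,9 @@
+---
+- name: reload systemd
+systemd:
+daemon_reload: yes
+
+- name: restart bind9
+systemd:
+name: bind9
+state: restarted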
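Review bot: `daemon_reload: yes` in the `reload systemd` handler relies on the YAML 1.1 truthy spelling, which yamllint's `truthy` rule rejects and which YAML 1.2 parsers read as the string "yes"; Ansible accepts it today, but `daemon_reload: true` is the canonical boolean and is what every linter in the ecosystem expects. The same applies to `enabled: yes` in the `enable systemd unit bind9` task of roles/service-bind-slave/tasks/main.yml. The `reload systemd` handler is only ever notified by the apt task, where a package install does not change unit files the role owns, so it may be worth a short comment stating why the daemon reload is wanted there.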
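--- /dev/null
+++ b/roles/service-bind-slave/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+- { role: git-repos }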
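--- /dev/null
+++ b/roles/service-bind-slave/tasks/main.yml
@@ -0,0 +1,67 @@
+---
+- name: install dns server packages
+apt:
+name: "{{ item }}"
+state: present
+notify: reload systemd
+with_items:
+- bind9
+- bind9-doc
+- bind9utils
+
+- name: enable systemd unit bind9
+systemd:
+name: bind9
+enabled: yes
+
+- name: write named.conf
+template:
+src: named.conf.j2
+dest: /etc/bind/named.conf
+owner: root
+group: bind
+mode: 0644
+notify: restart bind9
+
+- name: write named.conf.options
+template:
+src: named.conf.options.j2
+dest: /etc/bind/named.conf.options
+owner: root
+group: bind
+mode: 0644
+notify: restart bind9
+
+- name: write named.conf.logging
+template:
+src: named.conf.logging.j2
+dest: /etc/bind/named.conf.logging
+owner: root
+group: bind
+mode: 0644
+notify: restart bind9
+
+- name: write named.conf for meshes
+template:
+src: named.conf.mesh.j2
+dest: /etc/bind/named.conf.{{ item.value.site_code }}
+owner: root
+group: bind
+mode: 0644
+notify: restart bind9
+with_dict: "{{ meshes }}"
+
+- name: write initial icvpn bind config
+shell: /usr/bin/python3 /home/admin/clones/icvpn-scripts/mkdns -f bind -x mwu -x bingen -s /home/admin/clones/icvpn-meta > /etc/bind/named.conf.icvpn
+args:
+chdir: /home/admin/clones/icvpn-scripts
+creates: /etc/bind/named.conf.icvpn
+notify: restart bind9
+
+- name: set file attributes for icvpn config
+file:
+path: /etc/bind/
+mode: 0644
+owner: root
+group: bird
+notify: restart bind9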
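Review bot: The final task `set file attributes for icvpn config` points `path:` at the directory `/etc/bind/` rather than at the file the previous task generates, so `mode: 0644` would strip the search bit from the whole config directory and `group: bird` (every other task in this file uses `group: bind`) hands it to the wrong group, both of which stop named from reading its own configuration; it should read `path: /etc/bind/named.conf.icvpn` and `group: bind`. The `write initial icvpn bind config` shell task has a related robustness gap: the `>` redirect creates `/etc/bind/named.conf.icvpn` before `mkdns` runs, so a failing run leaves an empty or partial file that `creates:` then treats as done on every later run while `restart bind9` loads it; writing to a temporary name and renaming only on success, `shell: /usr/bin/python3 /home/admin/clones/icvpn-scripts/mkdns -f bind -x mwu -x bingen -s /home/admin/clones/icvpn-meta > /etc/bind/named.conf.icvpn.tmp && mv /etc/bind/named.conf.icvpn.tmp /etc/bind/named.conf.icvpn`, avoids that. The `-x mwu` exclusion is hard-coded while the same commit appears to add an `icvpn: prefix: mwu` variable in the group vars hunk, so `-x {{ icvpn.prefix }}` would keep the two in step. Quoting the octal modes as `mode: "0644"` removes the dependence on YAML 1.1 octal parsing that currently makes the unquoted form work.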
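--- /dev/null
+++ b/roles/service-bind-slave/templates/named.conf.j2
@@ -0,0 +1,11 @@
+//
+// {{ ansible_managed }}
+//
+
+include "/etc/bind/named.conf.options";
+include "/etc/bind/named.conf.default-zones";
+include "/etc/bind/named.conf.logging";
+{% for mesh_id, mesh_value in meshes.iteritems() %}
+include "/etc/bind/named.conf.{{ mesh_value.site_code }}";
+{% endfor %}
+include "/etc/bind/named.conf.icvpn";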
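Review bot: `meshes.iteritems()` in the `{% for %}` loop is the Python 2 dict method; Jinja evaluates it on the control host, and under a Python 3 Ansible controller the attribute does not exist and the template fails to render. `meshes.items()` behaves identically on both interpreters, so the loop should read `{% for mesh_id, mesh_value in meshes.items() %}`; since `mesh_id` is never used, `{% for mesh_value in meshes.values() %}` would make that explicit. The same call appears twice in named.conf.mesh.j2 (`item.value.dns.forward_zones.iteritems()`) and three times in named.conf.options.j2 (`meshes.iteritems()`) and should be changed in the same way.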
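--- /dev/null
+++ b/roles/service-bind-slave/templates/named.conf.logging.j2
@@ -0,0 +1,9 @@
+//
+// {{ ansible_managed }}
+//
+
+logging {
+channel null { null; };
+category default { null; };
+};
+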
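Review bot: `category default { null; };` with the null channel as the only channel discards every message named would otherwise emit, so a refused or failed zone transfer, a slave zone expiring, or a rejected query leaves no trace on the gateway and cannot be noticed or investigated later. If the intent is to keep the default category quiet, the operationally relevant categories can still be routed to syslog with a second channel while `default` stays on `null`. The excerpt below keeps the existing lines and adds a `syslog` channel for the `security`, `xfer-in` and `notify` categories (names and severity are a constructed example to adjust to local practice).
```jinja
logging {
channel null { null; };
channel ops_syslog { syslog daemon; severity info; };
category default { null; };
category security { ops_syslog; };
category xfer-in { ops_syslog; };
category notify { ops_syslog; };
};
```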
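--- /dev/null
+++ b/roles/service-bind-slave/templates/named.conf.mesh.j2
@@ -0,0 +1,58 @@
+//
+// {{ ansible_managed }}
+//
+
+// ACLs
+masters "ns-master-{{ item.value.site_code }}" {
+{{ item.value.dns.master }};
+};
+
+{% for zone_id, zone_value in item.value.dns.forward_zones.iteritems() %}
+{% if zone_value.master is defined %}
+masters "ns-master-{{ zone_id }}" {
+{{ zone_value.master }};
+};
+
+{% endif %}
+{% endfor %}
+
+acl "intern-{{ item.value.site_code }}" {
+{{ item.value.ipv4_network | ipaddr('net') | ipaddr('network/prefix') }};
+{% for prefix in item.value.ipv6.ula %}
+{{ prefix | ipaddr('net') | ipaddr('network/prefix') }};
+{% endfor %}
+};
+
+// DNS forward zones for {{ item.value.site_code }}
+{% for zone_id, zone_value in item.value.dns.forward_zones.iteritems() %}
+zone "{{ zone_id }}." {
+type slave;
+file "{{ zone_id }}.db";
+{% if zone_value.master is defined %}
+masters { ns-master-{{ zone_id }}; };
+{% else %}
+masters { ns-master-{{ item.value.site_code }}; };
+{% endif %}
+};
+{% if not loop.last %}
+
+{% endif %}
+{% endfor %}
+
+// DNS reverse zones for {{ item.value.site_code }}
+zone "{{ item.value.ipv4_network | ipaddr('net') | ipaddr('revdns') }}" {
+type slave;
+file "{{ item.value.ipv4_network | ipaddr('net') | ipaddr('revdns') }}";
+masters { ns-master-{{ item.value.site_code }}; };
+};
+
+{% for prefix in item.value.ipv6.ula %}
+zone "{{ prefix | ipaddr('net') | ipaddr('revdns') }}" {
+type slave;
+file "{{ prefix | ipaddr('net') | ipaddr('revdns') }}";
+masters { ns-master-{{ item.value.site_code }}; };
+};
+{% if not loop.last %}
+
+{% endif %}
+{% endfor %}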
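Review bot: The `ipaddr` filter chains in `acl "intern-..."` and in both reverse-zone stanzas need the `netaddr` Python library on the control host, and the README added in this commit lists neither that nor anything else about controller prerequisites, so the first run on a fresh controller fails with an undefined-filter error; a line under "Benötigte Variablen" or a new "Benötigte Python-Module" heading naming `netaddr` would cover it. The `// ACLs` comment at the top sits above a `masters` definition while the only `acl` statement comes after the per-zone `masters` loop, so `// masters lists` above the first block and `// ACLs` above `acl "intern-..."` would match what each section declares. The `file "{{ zone_id }}.db"` names are relative to the `directory` set in named.conf.options and are shared across all meshes, which is fine as long as no two meshes list the same forward zone; a short comment stating that assumption would help.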
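--- /dev/null
+++ b/roles/service-bind-slave/templates/named.conf.options.j2
@@ -0,0 +1,37 @@
+//
+// {{ ansible_managed }}
+//
+options {
+directory "/var/cache/bind";
+
+dnssec-validation no;
+auth-nxdomain no;
+
+allow-query { any; };
+allow-recursion {
+127.0.0.1;
+::1;
+{% for mesh_id, mesh_value in meshes.iteritems() %}
+intern-{{ mesh_value.site_code }};
+{% endfor %}
+};
+allow-transfer { any; };
+
+listen-on {
+127.0.0.1;
+{% for mesh_id, mesh_value in meshes.iteritems() %}
+{{ mesh_value.ipv4_network | ipaddr('net') | ipaddr(magic) | ipaddr('address') }};
+{% endfor %}
+{{ icvpn_ipv4_transfer_net | ipaddr('net') | ipsubnet(24, 37) | ipaddr(magic) | ipaddr('address') }};
+};
+
+listen-on-v6 {
+::1;
+{% for mesh_id, mesh_value in meshes.iteritems() %}
+{% for ip in mesh_value.ipv6.ula %}
+{{ ip | ipaddr('net') | ipsubnet(64, 0) | ipaddr(magic) }};
+{% endfor %}
+{% endfor %}
+{{ icvpn_ipv6_transfer_net | ipaddr('net') | ipsubnet(112, 37) | ipaddr(magic) | ipaddr('address') }};
+};
+};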
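Review bot: `allow-transfer { any; };` lets any client that can reach the listen addresses pull a complete copy of every slave zone, reverse zones included, via AXFR, while these servers only receive transfers from their masters and nothing in the role shows a downstream secondary that needs to transfer from them; `allow-transfer { none; };`, or an ACL listing the known secondaries if chaining is intended, is the usual setting on a slave. `dnssec-validation no;` switches validation off for the recursion offered to the `intern-*` ACLs; if that is deliberate (for example because the zones reached over ICVPN are unsigned) a one-line `//` comment saying so would stop the next reader from reverting it. The literal `37` in `ipsubnet(24, 37)` and `ipsubnet(112, 37)` is unexplained and is the only per-site constant here that is not driven by a variable; naming it next to `magic` in the README, or commenting which transfer-net slot it selects, would make the listen addresses reproducible for another site.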