From 869dd5b62af8e128d524cc24b328a5a567099161 Mon Sep 17 00:00:00 2001 
From: Tobias Hachmer Date: Wed, 20 Mar 2019 19:43:11 +0100 Subject: [PATCH] Migrate internal DNS master to PowerDNS * Add playbook dns to manage internal dns master servers * Add role to manage PowerDNS Admin Web Frontend for PowerDNS * Move dns zone related data from mesh list to a simpler dict with a simple zone list * Update role service-bind-slave * Update Readme.md * Add requirements.yml * Update .gitignore --- .gitignore | 2 + Readme.md | 7 ++ inventory/group_vars/all | 52 +++++------- .../host_vars/kichererbse.freifunk-mwu.de | 2 + playbooks/dns.yml | 72 +++++++++++++++++ requirements.yml | 2 + roles/pdns-admin/defaults/main.yml | 35 ++++++++ roles/pdns-admin/handlers/main.yml | 14 ++++ roles/pdns-admin/meta/main.yml | 5 ++ roles/pdns-admin/tasks/main.yml | 80 +++++++++++++++++++ roles/pdns-admin/templates/config.py.j2 | 52 ++++++++++++ roles/pdns-admin/templates/pdns_admin.conf.j2 | 52 ++++++++++++ .../templates/powerdns-admin.service.j2 | 13 +++ roles/pdns-admin/vars/Debian.yml | 21 +++++ roles/service-bind-slave/tasks/main.yml | 7 +- .../templates/named.conf.ffmwu-zones.j2 | 28 +++++++ .../templates/named.conf.j2 | 4 +- .../templates/named.conf.mesh.j2 | 62 -------------- .../templates/named.conf.options.j2 | 4 +- 19 files changed, 410 insertions(+), 104 deletions(-) create mode 100644 playbooks/dns.yml create mode 100644 requirements.yml create mode 100644 roles/pdns-admin/defaults/main.yml create mode 100644 roles/pdns-admin/handlers/main.yml create mode 100644 roles/pdns-admin/meta/main.yml create mode 100644 roles/pdns-admin/tasks/main.yml create mode 100644 roles/pdns-admin/templates/config.py.j2 create mode 100644 roles/pdns-admin/templates/pdns_admin.conf.j2 create mode 100644 roles/pdns-admin/templates/powerdns-admin.service.j2 create mode 100644 roles/pdns-admin/vars/Debian.yml create mode 100644 roles/service-bind-slave/templates/named.conf.ffmwu-zones.j2 delete mode 100644 roles/service-bind-slave/templates/named.conf.mesh.j2 
diff --git a/.gitignore b/.gitignore
index 0bffade..283439a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,3 @@
 playbooks/test.yml
+roles/geerlingguy.mysql
+roles/powerdns.pdns
diff --git a/Readme.md b/Readme.md
index 4796880..fd26284 100644
--- a/Readme.md
+++ b/Readme.md
@@ -21,9 +21,16 @@ Voraussetzungen für die Control Machine: - Ansible Version >= 2.6 - Python Modul `netaddr` - Python Modul `dnspython` +- Ansible Galaxy Rollen müssen installiert sein Die Server werden mit ihren FQDNs im Ansible Inventory hinterlegt, bedenkt das für eure ssh-config. +Ansible Galaxy Rollen installieren: + +``` +ansible-galaxy install -r requirements.yml +``` + ## Gruppen-Variablen Viele Variablen sind Mesh-spezifisch und werden auf allen Gateways benötigt. Deshalb verwalten wir die Liste `meshes`. Jeder Listeneintrag ist ein Dictionary. Diese Liste befindet sich in der Sondergruppe `all` (inventory/group_vars/all) und steht damit allen Hosts im Inventory zur Verfügung. Diese Liste ist quasi das Herzstück zur Konfiguration der Mesh-spezifischen Parameter auf den Freifunk-Gateways. Jedes Dictionary repräsentiert eine Mesh-Wolke/Domain/Layer2-Netzwerk und ist wie folgt aufgebaut (Beispiel Mainz):
diff --git a/inventory/group_vars/all b/inventory/group_vars/all
index 78327bc..6f51709 100644
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@@ -315,8 +315,6 @@ meshes: - id: 0 mtu: 1406 pass: fastd/dom0igvpn - dns: - master: fd37:b4dc:4b1e::a25:103 - id: dom1 domain_number: 1
@@ -354,8 +352,6 @@ meshes: - id: 0 mtu: 1406 pass: fastd/dom1igvpn - dns: - master: fd37:b4dc:4b1e::a25:103 - id: dom2 domain_number: 2
@@ -393,8 +389,6 @@ meshes: - id: 0 mtu: 1406 pass: fastd/dom2igvpn - dns: - master: fd37:b4dc:4b1e::a25:103 - id: dom3 domain_number: 3
@@ -432,8 +426,6 @@ meshes: - id: 0 mtu: 1406 pass: fastd/dom3igvpn - dns: - master: fd37:b4dc:4b1e::a25:103 - id: dom4 domain_number: 4
@@ -471,8 +463,6 @@ meshes: - id: 0 mtu: 1406 pass: fastd/dom4igvpn - dns: - master: fd37:b4dc:4b1e::a25:103 - id: dom5 domain_number: 5
@@ -510,8 +500,6 @@ meshes: - id: 0 mtu: 1406 pass: fastd/dom5igvpn - dns: - master: fd37:b4dc:4b1e::a25:103 - id: dom6 domain_number: 6
@@ -549,8 +537,6 @@ meshes: - id: 0 mtu: 1406 pass: fastd/dom6igvpn - dns: - master: fd37:b4dc:4b1e::a25:103 - id: dom7 domain_number: 7
@@ -588,8 +574,6 @@ meshes: - id: 0 mtu: 1406 pass: fastd/dom7igvpn - dns: - master: fd37:b4dc:4b1e::a25:103 - id: mz legacy: true
@@ -635,14 +619,6 @@ meshes: repo: https://github.com/freifunk-mwu/ffmz-infrastructure-peers.git version: master pass: fastd/mzigvpn - dns: - master: fd37:b4dc:4b1e::a25:103 - forward_zones: - - name: ffmz.org - - name: user.ffmz.org - - name: bb.ffmz.org - - name: nodes.ffmz.org - - name: ffbin http_domain_internal: ffmz.org http_domain_external: freifunk-mainz.de
@@ -689,14 +665,6 @@ meshes: repo: https://github.com/freifunk-mwu/ffwi-infrastructure-peers.git version: master pass: fastd/wiigvpn - dns: - master: fd56:b4dc:4b1e::a38:103 - forward_zones: - - name: ffwi.org - - name: user.ffwi.org - - name: bb.ffwi.org - - name: nodes.ffwi.org - - name: ffmwu.org http_domain_internal: ffwi.org http_domain_external: wiesbaden.freifunk.net
@@ -718,3 +686,23 @@ bgp_legacy_servers:
 extrasahne:
 ipv4: 10.37.0.42
 ipv6: fd37:b4dc:4b1e::a25:2a
+
+dns_internal:
+ master_ipv4: 10.87.255.67
+ master_ipv6: fd86:b4dc:4b1e:ff::43
+ zones:
+ - ffmwu.org
+ - ffmz.org
+ - ffwi.org
+ - bb.ffmz.org
+ - bb.ffwi.org
+ - user.ffmz.org
+ - user.ffwi.org
+ - ffbin
+ - 37.10.in-addr.arpa
+ - 56.10.in-addr.arpa
+ - 86.10.in-addr.arpa
+ - 87.10.in-addr.arpa
+ - 0.0.0.0.e.1.b.4.c.d.4.b.7.3.d.f.ip6.arpa
+ - 0.0.0.0.e.1.b.4.c.d.4.b.6.5.d.f.ip6.arpa
+ - e.1.b.4.c.d.4.b.6.8.d.f.ip6.arpa
diff --git a/inventory/host_vars/kichererbse.freifunk-mwu.de b/inventory/host_vars/kichererbse.freifunk-mwu.de
index 4113fae..8ab9ab1 100644
--- a/inventory/host_vars/kichererbse.freifunk-mwu.de
+++ b/inventory/host_vars/kichererbse.freifunk-mwu.de
@@ -2,3 +2,5 @@ server_type: "mesh-service" magic: 67 + +nodejs_major_version: "10"
diff --git a/playbooks/dns.yml b/playbooks/dns.yml
new file mode 100644
index 0000000..4ceef0d
--- /dev/null
+++ b/playbooks/dns.yml
@@ -0,0 +1,72 @@
+---
+- name: Manage DNS Internal Master Server.
+ hosts: dns-master-internal
+
+ roles:
+ - service-nginx
+ - nodejs
+ - yarn
+ - geerlingguy.mysql
+ - powerdns.pdns
+ - pdns-admin
+
+ vars:
+ mysql_root_password: "{{ lookup('passwordstore', inventory_hostname_short + '/mysql_root subkey=password') }}"
+ mysql_databases:
+ - name: "pdns-admin"
+ encoding: "utf8"
+ collation: "utf8_general_ci"
+ mysql_users:
+ - name: "pdns-admin"
+ host: "localhost"
+ password: "{{ lookup('passwordstore', inventory_hostname_short + '/mysql_pdns-admin subkey=password') }}"
+ priv: "pdns-admin.*:ALL"
+ mysql_max_binlog_size: "100M"
+ mysql_expire_logs_days: "10"
+
+ pdns_install_repo: "{{ pdns_auth_powerdns_repo_41 }}"
+
+ pdns_mysql_databases_credentials:
+ gmysql:
+ priv_user: root
+ priv_password: "{{ lookup('passwordstore', inventory_hostname_short + '/mysql_root subkey=password') }}"
+ priv_host:
+ - "localhost"
+
+ pdns_config:
+ allow-axfr-ips: "{% for host in groups['ffmwu-gateways'] %}{{ loopback_net_ipv4 | ipaddr(hostvars[host]['magic']) | ipaddr('address') }},{{ loopback_net_ipv6 | ipaddr(hostvars[host]['magic']) | ipaddr('address') }}{% if not loop.last %},{% endif %}{% endfor %}"
+ api: "yes"
+ api-key: "{{ lookup('passwordstore', inventory_hostname_short + '/pdns_apikey subkey=api-key') }}"
+ default-soa-name: "{{ inventory_hostname }}"
+ default-soa-mail: "admin.freifunk-mwu.de"
+ local-port: "53"
+ local-address: "127.0.0.1,{{ loopback_net_ipv4 | ipaddr(magic) | ipaddr('address') }}"
+ local-ipv6: "::1,{{ loopback_net_ipv6 | ipaddr(magic) | ipaddr('address') }}"
+ master: True
+ only-notify: "{% for prefix in internal_prefixes %}{{ prefix.ipv4 }},{{ prefix.ipv6 }}{% if not loop.last %},{% endif %}{% endfor %}"
+ tcp-fast-open: "50"
+ version-string: "anonymous"
+ webserver: "yes"
+ webserver-address: "127.0.0.1"
+ webserver-allow-from: "0.0.0.0/0,::/0"
+ webserver-password: "{{ lookup('passwordstore', inventory_hostname_short + '/pdns_webserver 
subkey=password') }}"
+
+ pdns_backends:
+ gmysql:
+ host: "127.0.0.1"
+ user: "powerdns"
+ password: "{{ lookup('passwordstore', inventory_hostname_short + '/mysql_powerdns subkey=password') }}"
+ dbname: "powerdns"
+
+ pdns_admin_global_config:
+ secret_key: "{{ lookup('passwordstore', inventory_hostname_short + '/mysql_pdns-admin subkey=password') }}"
+ login_title: "Freifunk MWU DNS Management"
+ log_level: "INFO"
+ log_file: "pdns-admin.log"
+
+ pdns_admin_database_config:
+ sqla_db_user: "pdns-admin"
+ sqla_db_password: "{{ lookup('passwordstore', inventory_hostname_short + '/mysql_pdns-admin subkey=password') }}"
+ sqla_db_host: "127.0.0.1"
+ sqla_db_name: "pdns-admin"
+ sqlalchemy_track_modifications: True
diff --git a/requirements.yml b/requirements.yml
new file mode 100644
index 0000000..ef4c8cc
--- /dev/null
+++ b/requirements.yml
@@ -0,0 +1,2 @@
+- src: geerlingguy.mysql
+- src: powerdns.pdns
diff --git a/roles/pdns-admin/defaults/main.yml b/roles/pdns-admin/defaults/main.yml
new file mode 100644
index 0000000..78cc1e0
--- /dev/null
+++ b/roles/pdns-admin/defaults/main.yml
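Review bot: `pdns_admin_global_config.secret_key` reads the same passwordstore entry as the pdns-admin MySQL password (`mysql_pdns-admin subkey=password`, also used for `sqla_db_password` and the `mysql_users` entry), so the Flask session-signing key is the database credential: whoever obtains one has the other, and rotating the DB password invalidates every login session. Give it its own entry, e.g. `secret_key: "{{ lookup('passwordstore', inventory_hostname_short + '/pdns-admin_secret_key subkey=password') }}"` (the entry name is a placeholder). `webserver-allow-from: "0.0.0.0/0,::/0"` is harmless only because `webserver-address` is `127.0.0.1`; a one-line comment stating that the API is meant to stay loopback-only would keep a later change to the bind address from silently opening it up.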
@@ -0,0 +1,35 @@
+---
+pdns_admin_service_name: "powerdns"
+pdns_admin_git_repo_url: "https://github.com/ngoduykhanh/PowerDNS-Admin.git"
+pdns_admin_git_repo_commit: "9f29a8e154c5370e212971636f9c5347298fde14"
+pdns_admin_pip_packages:
+ - mysql-python
+
+pdns_admin_root_path: "/var/www"
+pdns_admin_path: "{{ pdns_admin_root_path }}/powerdns-admin"
+pdns_admin_requirements_path: "{{ pdns_admin_path }}/requirements.txt"
+
+pdns_admin_conf_filename: "config.py"
+pdns_admin_conf_template_filename: "{{ pdns_admin_conf_filename }}.j2"
+pdns_admin_conf_filepath: "{{ pdns_admin_path }}/{{ pdns_admin_conf_filename }}"
+
+pdns_admin_systemd_filename: "powerdns-admin.service"
+pdns_admin_systemd_template_filename: "{{ pdns_admin_systemd_filename }}.j2"
+pdns_admin_systemd_filepath: "/etc/systemd/system/{{ pdns_admin_systemd_filename }}"
+
+pdns_admin_python_venv_path: "/opt/venvs/powerdns"
+pdns_admin_python_path: "{{ pdns_admin_python_venv_path }}/bin/python"
+
+pdns_admin_global_config:
+ secret_key: CHANGEME
+ login_title: PowerDNS
+ log_level: DEBUG
+ log_file: pdns-admin.log
+ #log_file: ''
+
+pdns_admin_database_config:
+ sqla_db_user: pdns-admin
+ sqla_db_password: CHANGEME
+ sqla_db_host: your-db-server
+ sqla_db_name: pdns-admin
+ sqlalchemy_track_modifications: True
diff --git a/roles/pdns-admin/handlers/main.yml b/roles/pdns-admin/handlers/main.yml
new file mode 100644
index 0000000..7ba732c
--- /dev/null
+++ b/roles/pdns-admin/handlers/main.yml
@@ -0,0 +1,14 @@
+---
+- name: Restart PowerDNS Admin Service
+ systemd:
+ name: "{{ pdns_admin_systemd_filename }}"
+ state: restarted
+
+- name: Reload systemd
+ systemd:
+ daemon_reload: "yes"
+
+- name: Reload nginx
+ systemd:
+ name: "nginx"
+ state: "reloaded"
diff --git a/roles/pdns-admin/meta/main.yml b/roles/pdns-admin/meta/main.yml
new file mode 100644
index 0000000..9102a28
--- /dev/null
+++ b/roles/pdns-admin/meta/main.yml
@@ -0,0 +1,5 @@
+---
+dependencies:
+ - yarn
+ - nodejs
+ - service-nginx
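Review bot: `secret_key: CHANGEME` and `sqla_db_password: CHANGEME` are usable defaults, so a host that does not override `pdns_admin_global_config`/`pdns_admin_database_config` deploys with a well-known session secret and database password instead of failing. An `assert` as the first task of the role, `that: [pdns_admin_global_config.secret_key != 'CHANGEME', pdns_admin_database_config.sqla_db_password != 'CHANGEME']`, turns that into a hard error before anything is templated. `pdns_admin_pip_packages`, `pdns_admin_service_name` and `pdns_admin_python_path` are declared here but not referenced by the tasks or handlers in this commit; if nothing else consumes them, drop them or add a comment saying what reads them.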
diff --git a/roles/pdns-admin/tasks/main.yml b/roles/pdns-admin/tasks/main.yml
new file mode 100644
index 0000000..0841c7b
--- /dev/null
+++ b/roles/pdns-admin/tasks/main.yml
@@ -0,0 +1,80 @@
+---
+- name: Include OS-specific variables.
+ include_vars: "{{ ansible_distribution }}.yml"
+
+- name: Install required packages for Debian.
+ package:
+ name: "{{ pdns_admin_packages }}"
+ state: "present"
+ when: ansible_distribution == 'Debian'
+
+- name: Create "{{ pdns_admin_root_path }}" directory.
+ file:
+ path: "{{ pdns_admin_root_path }}"
+ state: "directory"
+
+- name: Git clone PowerDNS Admin.
+ git:
+ repo: "{{ pdns_admin_git_repo_url }}"
+ dest: "{{ pdns_admin_path }}"
+ version: "{{ pdns_admin_git_repo_commit }}"
+
+- name: Install virtualenv.
+ pip:
+ name: "virtualenv"
+ executable: "pip3"
+
+- name: PIP install requirements for PowerDNS Admin.
+ pip:
+ requirements: "{{ pdns_admin_requirements_path }}"
+ virtualenv: "{{ pdns_admin_python_venv_path }}"
+ virtualenv_python: "python3"
+
+- name: PIP install python-dotenv.
+ pip:
+ name: "python-dotenv"
+ state: "present"
+ virtualenv: "{{ pdns_admin_python_venv_path }}"
+ virtualenv_python: "python3"
+
+- name: Template PowerDNS Admin systemd unit.
+ template:
+ src: "{{ pdns_admin_systemd_template_filename }}"
+ dest: "{{ pdns_admin_systemd_filepath }}"
+ owner: "root"
+ group: "root"
+ notify: Reload systemd
+
+- name: Copy {{ pdns_admin_conf_filename }}.
+ template:
+ src: "{{ pdns_admin_conf_template_filename }}"
+ dest: "{{ pdns_admin_conf_filepath }}"
+ owner: "root"
+ group: "root"
+ notify: Restart PowerDNS Admin Service
+
+- name: Run post hooks.
+ command: "{{ item }} chdir={{ pdns_admin_path }}"
+ environment:
+ PATH: "{{ pdns_admin_python_venv_path }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+ VIRTUAL_ENV: "{{ pdns_admin_python_venv_path }}"
+ FLASK_APP: "{{ pdns_admin_path }}/app/__init__.py"
+ loop:
+ - "flask db upgrade"
+ - "yarn install --pure-lockfile"
+ - "flask assets build"
+
+- name: Ensure PowerDNS Admin systemd unit is enabled and started.
+ service:
+ name: "{{ pdns_admin_systemd_filename }}"
+ state: "started"
+ enabled: "yes"
+
+- name: Template nginx configuration.
+ template:
+ src: "pdns_admin.conf.j2"
+ dest: "/etc/nginx/conf.d/pdns_admin.conf"
+ owner: "root"
+ group: "root"
+ mode: "0644"
+ notify: Reload nginx
diff --git a/roles/pdns-admin/templates/config.py.j2 b/roles/pdns-admin/templates/config.py.j2
new file mode 100644
index 0000000..26080c4
--- /dev/null
+++ b/roles/pdns-admin/templates/config.py.j2
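Review bot: The "Run post hooks." task re-runs `flask db upgrade`, `yarn install --pure-lockfile` and `flask assets build` on every play and always reports changed, because the `command` loop has no `changed_when`, `creates` or `when`; a routine run therefore also re-fetches from the npm registry each time. Register the git clone and the requirements install and gate the loop with `when: pdns_admin_git.changed or pdns_admin_pip.changed` (register names constructed), or at least add `changed_when: false` to the calls that are idempotent. `command: "{{ item }} chdir={{ pdns_admin_path }}"` uses the inline key=value form; `args: chdir: "{{ pdns_admin_path }}"` is the documented form and keeps the free-form string a pure command. `include_vars: "{{ ansible_distribution }}.yml"` runs unconditionally while only a Debian.yml is added, so a non-Debian host fails on the include rather than on the `when`-guarded package task; either give the include the same `when` or say in a comment that the role is Debian-only by design.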
@@ -0,0 +1,52 @@
+import os
+basedir = os.path.abspath(os.path.dirname(__file__))
+
+{% if pdns_admin_global_config is defined %}
+{% for key, value in pdns_admin_global_config.items() %}
+{% if key | upper not in ["UPLOAD_DIR"] %}
+{% if value is not mapping %}
+{% if value is sequence and value is not string %}
+{% if value[0] is number %}
+{{ key | upper }} = [ {{ value|join(', ') }} ]
+{% else %}
+{{ key | upper }} = [ "{{ value|join('", "') }}" ]
+{% endif %}
+{% else %}
+{% if value == "true" or value == "false" or value is number %}
+{{ key | upper }} = {{ value }}
+{% else %}
+{{ key | upper }} = "{{ value }}"
+{% endif %}
+{% endif %}
+{% endif %}
+{% endif %}
+{% endfor %}
+# Upload
+UPLOAD_DIR = os.path.join(basedir, 'upload')
+{% endif %}
+
+{% if pdns_admin_database_config is defined %}
+{% for key, value in pdns_admin_database_config.items() %}
+{% if key | upper not in ["SQLALCHEMY_DATABASE_URI", "SQLALCHEMY_MIGRATE_REPO"] %}
+{% if value is not mapping %}
+{% if value is sequence and value is not string %}
+{% if value[0] is number %}
+{{ key | upper }} = [ {{ value|join(', ') }} ]
+{% else %}
+{{ key | upper }} = [ "{{ value|join('", "') }}" ]
+{% endif %}
+{% else %}
+{% if value == "true" or value == "false" or value is number %}
+{{ key | upper }} = {{ value }}
+{% else %}
+{{ key | upper }} = "{{ value }}"
+{% endif %}
+{% endif %}
+{% endif %}
+{% endif %}
+{% endfor %}
+SQLALCHEMY_DATABASE_URI = 'mysql://'+SQLA_DB_USER+':'\
+ +SQLA_DB_PASSWORD+'@'+SQLA_DB_HOST+'/'+SQLA_DB_NAME
+{% endif %}
+
+SAML_ENABLED = False
diff --git a/roles/pdns-admin/templates/pdns_admin.conf.j2 b/roles/pdns-admin/templates/pdns_admin.conf.j2
new file mode 100644
index 0000000..fd77d8d
--- /dev/null
+++ b/roles/pdns-admin/templates/pdns_admin.conf.j2
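Review bot: `SQLALCHEMY_DATABASE_URI` is built by plain concatenation, so an `SQLA_DB_PASSWORD` (here a passwordstore-generated secret) containing `@`, `/`, `:` or `%` yields a URI that parses to the wrong host or fails outright. Percent-encode the credential parts: `from urllib.parse import quote_plus` next to `import os`, and `SQLALCHEMY_DATABASE_URI = 'mysql://' + quote_plus(SQLA_DB_USER) + ':' + quote_plus(SQLA_DB_PASSWORD) + '@' + SQLA_DB_HOST + '/' + SQLA_DB_NAME`. In the same template the string branch emits `{{ key | upper }} = "{{ value }}"` without escaping, so a value containing `"` or `\` breaks the generated module; `{{ key | upper }} = {{ value | tojson }}` yields a valid Python string literal for that branch. The two loops differ only in their excluded keys and would read better as one Jinja macro called twice.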
@@ -0,0 +1,52 @@
+server {
+ listen 80;
+ listen [::]:80;
+ server_name dns-int.{{ http_domain_external }} dns-int.{{ http_domain_internal }};
+ return 301 https://$http_host$request_uri;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name dns-int.{{ http_domain_external }} dns-int.{{ http_domain_internal }};
+ index index.html index.htm;
+
+ ssl_certificate /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/fullchain.pem;
+ ssl_certificate_key /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem;
+ ssl_prefer_server_ciphers on;
+
+ client_max_body_size 10m;
+ client_body_buffer_size 128k;
+ proxy_redirect off;
+ proxy_connect_timeout 90;
+ proxy_send_timeout 90;
+ proxy_read_timeout 90;
+ proxy_buffers 32 4k;
+ proxy_buffer_size 8k;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Scheme $scheme;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_headers_hash_bucket_size 64;
+
+ location ~ ^/static/ {
+ include mime.types;
+ root {{ pdns_admin_path }}/app;
+ location ~* \.(jpg|jpeg|png|gif)$ { expires 365d; }
+ location ~* ^.+.(css|js)$ { expires 7d; }
+ }
+
+ location ~ ^/upload/ {
+ include mime.types;
+ root {{ pdns_admin_path }};
+ location ~* \.(jpg|jpeg|png|gif)$ { expires 365d; }
+ location ~* ^.+.(css|js)$ { expires 7d; }
+ }
+
+ location / {
+ proxy_pass http://unix:{{ pdns_admin_path }}/powerdns-admin.sock;
+ proxy_read_timeout 120;
+ proxy_connect_timeout 120;
+ proxy_redirect http:// $scheme://;
+ }
+}
diff --git a/roles/pdns-admin/templates/powerdns-admin.service.j2 b/roles/pdns-admin/templates/powerdns-admin.service.j2
new file mode 100644
index 0000000..dddd91b
--- /dev/null
+++ b/roles/pdns-admin/templates/powerdns-admin.service.j2
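Review bot: The TLS `server` block listens on every address (`listen 443 ssl http2;`, `listen [::]:443 ssl http2;`) and `location /` proxies to PowerDNS-Admin with no `allow`/`deny`, so the management UI for the internal master is reachable from every network the host sits on, while the rest of this commit scopes DNS behaviour to `internal_prefixes`. If that is not intended, emit one `allow {{ network.ipv4 | ipaddr('net') | ipaddr('network/prefix') }};`/`allow {{ network.ipv6 | ipaddr('net') | ipaddr('network/prefix') }};` pair per prefix followed by `deny all;` inside `location /`. Only `ssl_prefer_server_ciphers on;` is set here; whether `ssl_protocols`/`ssl_ciphers` and HSTS come from the service-nginx role is not visible, so a comment naming that file would help the next reader. `proxy_set_header X-Scheme $scheme;` is non-standard — confirm the app honours it, otherwise `proxy_set_header X-Forwarded-Proto $scheme;` is the usual header. The regex `^.+.(css|js)$` has an unescaped dot and so also matches names like `xcss`; `\.(css|js)$` is what is meant.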
@@ -0,0 +1,13 @@
+[Unit]
+Description=PowerDNS-Admin
+After=network.target
+
+[Service]
+User=root
+Group=root
+WorkingDirectory={{ pdns_admin_path }}
+ExecStart={{ pdns_admin_python_venv_path }}/bin/gunicorn --workers 2 --bind unix:{{ pdns_admin_path }}/powerdns-admin.sock app:app
+Environment="PATH={{ pdns_admin_path }}"
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/pdns-admin/vars/Debian.yml b/roles/pdns-admin/vars/Debian.yml
new file mode 100644
index 0000000..d5d8fdf
--- /dev/null
+++ b/roles/pdns-admin/vars/Debian.yml
@@ -0,0 +1,21 @@
+---
+pdns_admin_packages:
+ - build-essential
+ - curl
+ - default-libmysqlclient-dev
+ - git
+ - libldap2-dev
+ - libmariadb2
+ - libmariadb-client-lgpl-dev
+ - libsasl2-dev
+ - libssl-dev
+ - libxmlsec1-dev
+ - pkg-config
+ - python-setuptools
+ - python-pip
+ - python3
+ - python3-dev
+ - python3-pip
+ - python3-setuptools
+ - python3-virtualenv
+ - virtualenv
diff --git a/roles/service-bind-slave/tasks/main.yml b/roles/service-bind-slave/tasks/main.yml
index ed411f5..1cab390 100644
--- a/roles/service-bind-slave/tasks/main.yml
+++ b/roles/service-bind-slave/tasks/main.yml
@@ -35,15 +35,14 @@ mode: 0644 notify: restart bind9 -- name: write named.conf for meshes +- name: write named.conf.ffmwu-zones template: - src: named.conf.mesh.j2 - dest: /etc/bind/named.conf.{{ item.domain_code }} + src: named.conf.ffmwu-zones.j2 + dest: /etc/bind/named.conf.ffmwu-zones owner: root group: bind mode: 0644 notify: restart bind9 - loop: "{{ meshes }}" - name: write initial icvpn bind config shell: /usr/bin/python3 /home/admin/clones/icvpn-scripts/mkdns -f bind -x mwu -x bingen -s /home/admin/clones/icvpn-meta > /etc/bind/named.conf.icvpn
diff --git a/roles/service-bind-slave/templates/named.conf.ffmwu-zones.j2 b/roles/service-bind-slave/templates/named.conf.ffmwu-zones.j2
new file mode 100644
index 0000000..67fddcc
--- /dev/null
+++ b/roles/service-bind-slave/templates/named.conf.ffmwu-zones.j2
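Review bot: The unit runs gunicorn as `User=root` / `Group=root`, so the Flask frontend that parses HTTP handed over by nginx — and, via the tasks, the `flask db upgrade` migrations — run with full privileges on the DNS master; a dedicated system account created in the tasks (`user: name: powerdns-admin system: yes`, name constructed) with `Group=www-data` lets nginx reach `powerdns-admin.sock` while the app holds nothing it does not need. `Environment="PATH={{ pdns_admin_path }}"` points PATH at the application directory rather than at the venv `bin` the tasks use, so anything gunicorn spawns cannot find the venv tools; `Environment="PATH={{ pdns_admin_python_venv_path }}/bin:/usr/local/bin:/usr/bin:/bin"` matches the tasks' environment. There is no `Restart=` line, so a crashed master process stays down until the next play; `Restart=on-failure` is the usual minimum.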
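Review bot: Dropping `loop: "{{ meshes }}"` stops writing `/etc/bind/named.conf.{{ item.domain_code }}`, but the per-mesh files already on the slaves are never removed, so stale configuration lingers in `/etc/bind` even though named.conf.j2 no longer includes it. A follow-up task, `file: path: "/etc/bind/named.conf.{{ item.domain_code }}" state: absent` with `loop: "{{ meshes }}"` and `notify: restart bind9`, keeps the hosts tidy and rules out accidental re-inclusion by a later template change. Whether the `meshes` entries still carry `domain_code` after this commit is not visible in the hunk — confirm before looping on it.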
@@ -0,0 +1,28 @@
+//
+// {{ ansible_managed }}
+//
+
+// ACLs
+masters "ns-master-ffmwu" {
+ {{ dns_internal.master_ipv4 | ipaddr('address') }};
+ {{ dns_internal.master_ipv6 | ipaddr('address') }};
+};
+
+acl "internal" {
+{% for network in internal_prefixes %}
+ {{ network.ipv4 | ipaddr('net') | ipaddr('network/prefix') }};
+ {{ network.ipv6 | ipaddr('net') | ipaddr('network/prefix') }};
+{% endfor %}
+};
+
+// DNS forward zones
+{% for zone in dns_internal.zones %}
+zone "{{ zone }}." {
+ type slave;
+ file "{{ zone }}.db";
+ masters { ns-master-ffmwu; };
+};
+{% if not loop.last %}
+
+{% endif %}
+{% endfor %}
diff --git a/roles/service-bind-slave/templates/named.conf.j2 b/roles/service-bind-slave/templates/named.conf.j2
index 895ff5c..97f3355 100644
--- a/roles/service-bind-slave/templates/named.conf.j2
+++ b/roles/service-bind-slave/templates/named.conf.j2
@@ -4,8 +4,6 @@ include "/etc/bind/named.conf.options"; include "/etc/bind/named.conf.default-zones"; +include "/etc/bind/named.conf.ffmwu-zones"; include "/etc/bind/named.conf.logging"; -{% for mesh in meshes %} -include "/etc/bind/named.conf.{{ mesh.domain_code }}"; -{% endfor %} include "/etc/bind/named.conf.icvpn";
diff --git a/roles/service-bind-slave/templates/named.conf.mesh.j2 b/roles/service-bind-slave/templates/named.conf.mesh.j2
deleted file mode 100644
index 2dd7283..0000000
--- a/roles/service-bind-slave/templates/named.conf.mesh.j2
+++ /dev/null
@@ -1,62 +0,0 @@
-//
-// {{ ansible_managed }}
-//
-
-// ACLs
-masters "ns-master-{{ item.domain_code }}" {
- {{ item.dns.master }};
-};
-
-{% if item.dns.forward_zones is defined %}
-{% for zone in item.dns.forward_zones %}
-{% if zone.master is defined %}
-masters "ns-master-{{ zone.name }}" {
- {{ zone.master }};
-};
-
-{% endif %}
-{% endfor %}
-{% endif %}
-
-acl "intern-{{ item.domain_code }}" {
- {{ item.ipv4_network | ipaddr('net') | ipaddr('network/prefix') }};
-{% for prefix in item.ipv6_ula %}
- {{ prefix | ipaddr('net') | ipaddr('network/prefix') }};
-{% endfor %}
-};
-
-{% if item.dns.forward_zones is defined %}
-// DNS forward zones for {{ item.domain_code }}
-{% for zone in item.dns.forward_zones %}
-zone "{{ zone.name }}." {
- type slave;
- file "{{ zone.name }}.db";
-{% if zone.master is defined %}
- masters { ns-master-{{ zone.name }}; };
-{% else %}
- masters { ns-master-{{ item.domain_code }}; };
-{% endif %}
-};
-{% if not loop.last %}
-
-{% endif %}
-{% endfor %}
-{% endif %}
-
-// DNS reverse zones for {{ item.domain_code }}
-zone "{{ item.ipv4_network | ipaddr('net') | ipaddr('revdns') }}" {
- type slave;
- file "{{ item.ipv4_network | ipaddr('net') | ipaddr('revdns') }}";
- masters { ns-master-{{ item.domain_code }}; };
-};
-
-{% for prefix in item.ipv6_ula %}
-zone "{{ prefix | ipaddr('net') | ipaddr('revdns') }}" {
- type slave;
- file "{{ prefix | ipaddr('net') | ipaddr('revdns') }}";
- masters { ns-master-{{ item.domain_code }}; };
-};
-{% if not loop.last %}
-
-{% endif %}
-{% endfor %}
diff --git a/roles/service-bind-slave/templates/named.conf.options.j2 b/roles/service-bind-slave/templates/named.conf.options.j2
index 57a70b1..959d562 100644
--- a/roles/service-bind-slave/templates/named.conf.options.j2
+++ b/roles/service-bind-slave/templates/named.conf.options.j2
@@ -11,9 +11,7 @@ options { allow-recursion { 127.0.0.1; ::1; -{% for mesh in meshes %} - intern-{{ mesh.domain_code }}; -{% endfor %} + internal; }; allow-transfer { any; };
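Review bot: The new `internal` ACL is applied to `allow-recursion` only; the unchanged `allow-transfer { any; };` just below it still lets any client that can reach port 53 transfer the zones now slaved from named.conf.ffmwu-zones, i.e. the full host lists of `ffmwu.org`/`ffmz.org`/`ffwi.org` and the 10.x and ULA reverse zones. Now that the ACL exists, `allow-transfer { internal; };` — or `none;` on the slaves, which this commit does not show serving further secondaries — is the consistent setting. Whether the slaves listen on non-internal addresses is not visible here, and that is what decides how exposed the open transfer is.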