freifunk/ansible-ffibk
9
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Migrate internal DNS master to PowerDNS

Browse source 
* Add playbook dns to manage internal dns master servers
 * Add role to manage PowerDNS Admin Web Frontend for PowerDNS
 * Move dns zone related data from mesh list to a simpler dict with a simple zone list
 * Update role service-bind-slave
 * Update Readme.md
 * Add requirements.yml
 * Update .gitignore
This commit is contained in:
Tobias Hachmer 2019-03-20 19:43:11 +01:00
parent fe4415afcf
commit 869dd5b62a
No known key found for this signature in database
GPG key ID: E112788464CA5C60
19 changed files with 410 additions and 104 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.gitignore vendored
View file

@ -1 +1,3 @@
playbooks/test.yml playbooks/test.yml
roles/geerlingguy.mysql
roles/powerdns.pdns

7
Readme.md
View file

@ -21,9 +21,16 @@ Voraussetzungen für die Control Machine:
- Ansible Version >= 2.6 - Ansible Version >= 2.6
- Python Modul `netaddr` - Python Modul `netaddr`
- Python Modul `dnspython` - Python Modul `dnspython`
- Ansible Galaxy Rollen müssen installiert sein
Die Server werden mit ihren FQDNs im Ansible Inventory hinterlegt, bedenkt das für eure ssh-config. Die Server werden mit ihren FQDNs im Ansible Inventory hinterlegt, bedenkt das für eure ssh-config.
Ansible Galaxy Rollen installieren:
```
ansible-galaxy install -r requirements.yml
```
## Gruppen-Variablen ## Gruppen-Variablen
Viele Variablen sind Mesh-spezifisch und werden auf allen Gateways benötigt. Deshalb verwalten wir die Liste `meshes`. Jeder Listeneintrag ist ein Dictionary. Diese Liste befindet sich in der Sondergruppe `all` (inventory/group_vars/all) und steht damit allen Hosts im Inventory zur Verfügung. Viele Variablen sind Mesh-spezifisch und werden auf allen Gateways benötigt. Deshalb verwalten wir die Liste `meshes`. Jeder Listeneintrag ist ein Dictionary. Diese Liste befindet sich in der Sondergruppe `all` (inventory/group_vars/all) und steht damit allen Hosts im Inventory zur Verfügung.
Diese Liste ist quasi das Herzstück zur Konfiguration der Mesh-spezifischen Parameter auf den Freifunk-Gateways. Jedes Dictionary repräsentiert eine Mesh-Wolke/Domain/Layer2-Netzwerk und ist wie folgt aufgebaut (Beispiel Mainz): Diese Liste ist quasi das Herzstück zur Konfiguration der Mesh-spezifischen Parameter auf den Freifunk-Gateways. Jedes Dictionary repräsentiert eine Mesh-Wolke/Domain/Layer2-Netzwerk und ist wie folgt aufgebaut (Beispiel Mainz):

52
inventory/group_vars/all
View file

@ -315,8 +315,6 @@ meshes:
- id: 0 - id: 0
mtu: 1406 mtu: 1406
pass: fastd/dom0igvpn pass: fastd/dom0igvpn
dns:
master: fd37:b4dc:4b1e::a25:103
- id: dom1 - id: dom1
domain_number: 1 domain_number: 1
@ -354,8 +352,6 @@ meshes:
- id: 0 - id: 0
mtu: 1406 mtu: 1406
pass: fastd/dom1igvpn pass: fastd/dom1igvpn
dns:
master: fd37:b4dc:4b1e::a25:103
- id: dom2 - id: dom2
domain_number: 2 domain_number: 2
@ -393,8 +389,6 @@ meshes:
- id: 0 - id: 0
mtu: 1406 mtu: 1406
pass: fastd/dom2igvpn pass: fastd/dom2igvpn
dns:
master: fd37:b4dc:4b1e::a25:103
- id: dom3 - id: dom3
domain_number: 3 domain_number: 3
@ -432,8 +426,6 @@ meshes:
- id: 0 - id: 0
mtu: 1406 mtu: 1406
pass: fastd/dom3igvpn pass: fastd/dom3igvpn
dns:
master: fd37:b4dc:4b1e::a25:103
- id: dom4 - id: dom4
domain_number: 4 domain_number: 4
@ -471,8 +463,6 @@ meshes:
- id: 0 - id: 0
mtu: 1406 mtu: 1406
pass: fastd/dom4igvpn pass: fastd/dom4igvpn
dns:
master: fd37:b4dc:4b1e::a25:103
- id: dom5 - id: dom5
domain_number: 5 domain_number: 5
@ -510,8 +500,6 @@ meshes:
- id: 0 - id: 0
mtu: 1406 mtu: 1406
pass: fastd/dom5igvpn pass: fastd/dom5igvpn
dns:
master: fd37:b4dc:4b1e::a25:103
- id: dom6 - id: dom6
domain_number: 6 domain_number: 6
@ -549,8 +537,6 @@ meshes:
- id: 0 - id: 0
mtu: 1406 mtu: 1406
pass: fastd/dom6igvpn pass: fastd/dom6igvpn
dns:
master: fd37:b4dc:4b1e::a25:103
- id: dom7 - id: dom7
domain_number: 7 domain_number: 7
@ -588,8 +574,6 @@ meshes:
- id: 0 - id: 0
mtu: 1406 mtu: 1406
pass: fastd/dom7igvpn pass: fastd/dom7igvpn
dns:
master: fd37:b4dc:4b1e::a25:103
- id: mz - id: mz
legacy: true legacy: true
@ -635,14 +619,6 @@ meshes:
repo: https://github.com/freifunk-mwu/ffmz-infrastructure-peers.git repo: https://github.com/freifunk-mwu/ffmz-infrastructure-peers.git
version: master version: master
pass: fastd/mzigvpn pass: fastd/mzigvpn
dns:
master: fd37:b4dc:4b1e::a25:103
forward_zones:
- name: ffmz.org
- name: user.ffmz.org
- name: bb.ffmz.org
- name: nodes.ffmz.org
- name: ffbin
http_domain_internal: ffmz.org http_domain_internal: ffmz.org
http_domain_external: freifunk-mainz.de http_domain_external: freifunk-mainz.de
@ -689,14 +665,6 @@ meshes:
repo: https://github.com/freifunk-mwu/ffwi-infrastructure-peers.git repo: https://github.com/freifunk-mwu/ffwi-infrastructure-peers.git
version: master version: master
pass: fastd/wiigvpn pass: fastd/wiigvpn
dns:
master: fd56:b4dc:4b1e::a38:103
forward_zones:
- name: ffwi.org
- name: user.ffwi.org
- name: bb.ffwi.org
- name: nodes.ffwi.org
- name: ffmwu.org
http_domain_internal: ffwi.org http_domain_internal: ffwi.org
http_domain_external: wiesbaden.freifunk.net http_domain_external: wiesbaden.freifunk.net
@ -718,3 +686,23 @@ bgp_legacy_servers:
extrasahne: extrasahne:
ipv4: 10.37.0.42 ipv4: 10.37.0.42
ipv6: fd37:b4dc:4b1e::a25:2a ipv6: fd37:b4dc:4b1e::a25:2a
dns_internal:
master_ipv4: 10.87.255.67
master_ipv6: fd86:b4dc:4b1e:ff::43
zones:
- ffmwu.org
- ffmz.org
- ffwi.org
- bb.ffmz.org
- bb.ffwi.org
- user.ffmz.org
- user.ffwi.org
- ffbin
- 37.10.in-addr.arpa
- 56.10.in-addr.arpa
- 86.10.in-addr.arpa
- 87.10.in-addr.arpa
- 0.0.0.0.e.1.b.4.c.d.4.b.7.3.d.f.ip6.arpa
- 0.0.0.0.e.1.b.4.c.d.4.b.6.5.d.f.ip6.arpa
- e.1.b.4.c.d.4.b.6.8.d.f.ip6.arpa

2
inventory/host_vars/kichererbse.freifunk-mwu.de
View file

@ -2,3 +2,5 @@
server_type: "mesh-service" server_type: "mesh-service"
magic: 67 magic: 67
nodejs_major_version: "10"

72
playbooks/dns.yml Normal file
View file

@ -0,0 +1,72 @@
---
- name: Manage DNS Internal Master Server.
hosts: dns-master-internal
roles:
- service-nginx
- nodejs
- yarn
- geerlingguy.mysql
- powerdns.pdns
- pdns-admin
vars:
mysql_root_password: "{{ lookup('passwordstore', inventory_hostname_short + '/mysql_root subkey=password') }}"
mysql_databases:
- name: "pdns-admin"
encoding: "utf8"
collation: "utf8_general_ci"
mysql_users:
- name: "pdns-admin"
host: "localhost"
password: "{{ lookup('passwordstore', inventory_hostname_short + '/mysql_pdns-admin subkey=password') }}"
priv: "pdns-admin.*:ALL"
mysql_max_binlog_size: "100M"
mysql_expire_logs_days: "10"
pdns_install_repo: "{{ pdns_auth_powerdns_repo_41 }}"
pdns_mysql_databases_credentials:
gmysql:
priv_user: root
priv_password: "{{ lookup('passwordstore', inventory_hostname_short + '/mysql_root subkey=password') }}"
priv_host:
- "localhost"
pdns_config:
allow-axfr-ips: "{% for host in groups['ffmwu-gateways'] %}{{ loopback_net_ipv4 | ipaddr(hostvars[host]['magic']) | ipaddr('address') }},{{ loopback_net_ipv6 | ipaddr(hostvars[host]['magic']) | ipaddr('address') }}{% if not loop.last %},{% endif %}{% endfor %}"
api: "yes"
api-key: "{{ lookup('passwordstore', inventory_hostname_short + '/pdns_apikey subkey=api-key') }}"
default-soa-name: "{{ inventory_hostname }}"
default-soa-mail: "admin.freifunk-mwu.de"
local-port: "53"
local-address: "127.0.0.1,{{ loopback_net_ipv4 | ipaddr(magic) | ipaddr('address') }}"
local-ipv6: "::1,{{ loopback_net_ipv6 | ipaddr(magic) | ipaddr('address') }}"
master: True
only-notify: "{% for prefix in internal_prefixes %}{{ prefix.ipv4 }},{{ prefix.ipv6 }}{% if not loop.last %},{% endif %}{% endfor %}"
tcp-fast-open: "50"
version-string: "anonymous"
webserver: "yes"
webserver-address: "127.0.0.1"
webserver-allow-from: "0.0.0.0/0,::/0"
webserver-password: "{{ lookup('passwordstore', inventory_hostname_short + '/pdns_webserver subkey=password') }}"
pdns_backends:
gmysql:
host: "127.0.0.1"
user: "powerdns"
password: "{{ lookup('passwordstore', inventory_hostname_short + '/mysql_powerdns subkey=password') }}"
dbname: "powerdns"
pdns_admin_global_config:
secret_key: "{{ lookup('passwordstore', inventory_hostname_short + '/mysql_pdns-admin subkey=password') }}"
login_title: "Freifunk MWU DNS Management"
log_level: "INFO"
log_file: "pdns-admin.log"
pdns_admin_database_config:
sqla_db_user: "pdns-admin"
sqla_db_password: "{{ lookup('passwordstore', inventory_hostname_short + '/mysql_pdns-admin subkey=password') }}"
sqla_db_host: "127.0.0.1"
sqla_db_name: "pdns-admin"
sqlalchemy_track_modifications: True

2
requirements.yml Normal file
View file

@ -0,0 +1,2 @@
- src: geerlingguy.mysql
- src: powerdns.pdns

35
roles/pdns-admin/defaults/main.yml Normal file
View file

@ -0,0 +1,35 @@
---
pdns_admin_service_name: "powerdns"
pdns_admin_git_repo_url: "https://github.com/ngoduykhanh/PowerDNS-Admin.git"
pdns_admin_git_repo_commit: "9f29a8e154c5370e212971636f9c5347298fde14"
pdns_admin_pip_packages:
- mysql-python
pdns_admin_root_path: "/var/www"
pdns_admin_path: "{{ pdns_admin_root_path }}/powerdns-admin"
pdns_admin_requirements_path: "{{ pdns_admin_path }}/requirements.txt"
pdns_admin_conf_filename: "config.py"
pdns_admin_conf_template_filename: "{{ pdns_admin_conf_filename }}.j2"
pdns_admin_conf_filepath: "{{ pdns_admin_path }}/{{ pdns_admin_conf_filename }}"
pdns_admin_systemd_filename: "powerdns-admin.service"
pdns_admin_systemd_template_filename: "{{ pdns_admin_systemd_filename }}.j2"
pdns_admin_systemd_filepath: "/etc/systemd/system/{{ pdns_admin_systemd_filename }}"
pdns_admin_python_venv_path: "/opt/venvs/powerdns"
pdns_admin_python_path: "{{ pdns_admin_python_venv_path }}/bin/python"
pdns_admin_global_config:
secret_key: CHANGEME
login_title: PowerDNS
log_level: DEBUG
log_file: pdns-admin.log
#log_file: ''
pdns_admin_database_config:
sqla_db_user: pdns-admin
sqla_db_password: CHANGEME
sqla_db_host: your-db-server
sqla_db_name: pdns-admin
sqlalchemy_track_modifications: True

14
roles/pdns-admin/handlers/main.yml Normal file
View file

@ -0,0 +1,14 @@
---
- name: Restart PowerDNS Admin Service
systemd:
name: "{{ pdns_admin_systemd_filename }}"
state: restarted
- name: Reload systemd
systemd:
daemon_reload: "yes"
- name: Reload nginx
systemd:
name: "nginx"
state: "reloaded"

5
roles/pdns-admin/meta/main.yml Normal file
View file

@ -0,0 +1,5 @@
---
dependencies:
- yarn
- nodejs
- service-nginx

80
roles/pdns-admin/tasks/main.yml Normal file
View file

@ -0,0 +1,80 @@
---
- name: Include OS-specific variables.
include_vars: "{{ ansible_distribution }}.yml"
- name: Install required packages for Debian.
package:
name: "{{ pdns_admin_packages }}"
state: "present"
when: ansible_distribution == 'Debian'
- name: Create "{{ pdns_admin_root_path }}" directory.
file:
path: "{{ pdns_admin_root_path }}"
state: "directory"
- name: Git clone PowerDNS Admin.
git:
repo: "{{ pdns_admin_git_repo_url }}"
dest: "{{ pdns_admin_path }}"
version: "{{ pdns_admin_git_repo_commit }}"
- name: Install virtualenv.
pip:
name: "virtualenv"
executable: "pip3"
- name: PIP install requirements for PowerDNS Admin.
pip:
requirements: "{{ pdns_admin_requirements_path }}"
virtualenv: "{{ pdns_admin_python_venv_path }}"
virtualenv_python: "python3"
- name: PIP install python-dotenv.
pip:
name: "python-dotenv"
state: "present"
virtualenv: "{{ pdns_admin_python_venv_path }}"
virtualenv_python: "python3"
- name: Template PowerDNS Admin systemd unit.
template:
src: "{{ pdns_admin_systemd_template_filename }}"
dest: "{{ pdns_admin_systemd_filepath }}"
owner: "root"
group: "root"
notify: Reload systemd
- name: Copy {{ pdns_admin_conf_filename }}.
template:
src: "{{ pdns_admin_conf_template_filename }}"
dest: "{{ pdns_admin_conf_filepath }}"
owner: "root"
group: "root"
notify: Restart PowerDNS Admin Service
- name: Run post hooks.
command: "{{ item }} chdir={{ pdns_admin_path }}"
environment:
PATH: "{{ pdns_admin_python_venv_path }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
VIRTUAL_ENV: "{{ pdns_admin_python_venv_path }}"
FLASK_APP: "{{ pdns_admin_path }}/app/__init__.py"
loop:
- "flask db upgrade"
- "yarn install --pure-lockfile"
- "flask assets build"
- name: Ensure PowerDNS Admin systemd unit is enabled and started.
service:
name: "{{ pdns_admin_systemd_filename }}"
state: "started"
enabled: "yes"
- name: Template nginx configuration.
template:
src: "pdns_admin.conf.j2"
dest: "/etc/nginx/conf.d/pdns_admin.conf"
owner: "root"
group: "root"
mode: "0644"
notify: Reload nginx

52
roles/pdns-admin/templates/config.py.j2 Normal file
View file

@ -0,0 +1,52 @@
import os
basedir = os.path.abspath(os.path.dirname(__file__))
{% if pdns_admin_global_config is defined %}
{% for key, value in pdns_admin_global_config.items() %}
{% if key | upper not in ["UPLOAD_DIR"] %}
{% if value is not mapping %}
{% if value is sequence and value is not string %}
{% if value[0] is number %}
{{ key | upper }} = [ {{ value|join(', ') }} ]
{% else %}
{{ key | upper }} = [ "{{ value|join('", "') }}" ]
{% endif %}
{% else %}
{% if value == "true" or value == "false" or value is number %}
{{ key | upper }} = {{ value }}
{% else %}
{{ key | upper }} = "{{ value }}"
{% endif %}
{% endif %}
{% endif %}
{% endif %}
{% endfor %}
# Upload
UPLOAD_DIR = os.path.join(basedir, 'upload')
{% endif %}
{% if pdns_admin_database_config is defined %}
{% for key, value in pdns_admin_database_config.items() %}
{% if key | upper not in ["SQLALCHEMY_DATABASE_URI", "SQLALCHEMY_MIGRATE_REPO"] %}
{% if value is not mapping %}
{% if value is sequence and value is not string %}
{% if value[0] is number %}
{{ key | upper }} = [ {{ value|join(', ') }} ]
{% else %}
{{ key | upper }} = [ "{{ value|join('", "') }}" ]
{% endif %}
{% else %}
{% if value == "true" or value == "false" or value is number %}
{{ key | upper }} = {{ value }}
{% else %}
{{ key | upper }} = "{{ value }}"
{% endif %}
{% endif %}
{% endif %}
{% endif %}
{% endfor %}
SQLALCHEMY_DATABASE_URI = 'mysql://'+SQLA_DB_USER+':'\
+SQLA_DB_PASSWORD+'@'+SQLA_DB_HOST+'/'+SQLA_DB_NAME
{% endif %}
SAML_ENABLED = False

52
roles/pdns-admin/templates/pdns_admin.conf.j2 Normal file
View file

@ -0,0 +1,52 @@
server {
listen 80;
listen [::]:80;
server_name dns-int.{{ http_domain_external }} dns-int.{{ http_domain_internal }};
return 301 https://$http_host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name dns-int.{{ http_domain_external }} dns-int.{{ http_domain_internal }};
index index.html index.htm;
ssl_certificate /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem;
ssl_prefer_server_ciphers on;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_redirect off;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffers 32 4k;
proxy_buffer_size 8k;
proxy_set_header Host $http_host;
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_headers_hash_bucket_size 64;
location ~ ^/static/ {
include mime.types;
root {{ pdns_admin_path }}/app;
location ~* \.(jpg|jpeg|png|gif)$ { expires 365d; }
location ~* ^.+.(css|js)$ { expires 7d; }
}
location ~ ^/upload/ {
include mime.types;
root {{ pdns_admin_path }};
location ~* \.(jpg|jpeg|png|gif)$ { expires 365d; }
location ~* ^.+.(css|js)$ { expires 7d; }
}
location / {
proxy_pass http://unix:{{ pdns_admin_path }}/powerdns-admin.sock;
proxy_read_timeout 120;
proxy_connect_timeout 120;
proxy_redirect http:// $scheme://;
}
}

13
roles/pdns-admin/templates/powerdns-admin.service.j2 Normal file
View file

@ -0,0 +1,13 @@
[Unit]
Description=PowerDNS-Admin
After=network.target
[Service]
User=root
Group=root
WorkingDirectory={{ pdns_admin_path }}
ExecStart={{ pdns_admin_python_venv_path }}/bin/gunicorn --workers 2 --bind unix:{{ pdns_admin_path }}/powerdns-admin.sock app:app
Environment="PATH={{ pdns_admin_path }}"
[Install]
WantedBy=multi-user.target

21
roles/pdns-admin/vars/Debian.yml Normal file
View file

@ -0,0 +1,21 @@
---
pdns_admin_packages:
- build-essential
- curl
- default-libmysqlclient-dev
- git
- libldap2-dev
- libmariadb2
- libmariadb-client-lgpl-dev
- libsasl2-dev
- libssl-dev
- libxmlsec1-dev
- pkg-config
- python-setuptools
- python-pip
- python3
- python3-dev
- python3-pip
- python3-setuptools
- python3-virtualenv
- virtualenv

7
roles/service-bind-slave/tasks/main.yml
View file

@ -35,15 +35,14 @@
mode: 0644 mode: 0644
notify: restart bind9 notify: restart bind9
- name: write named.conf for meshes - name: write named.conf.ffmwu-zones
template: template:
src: named.conf.mesh.j2 src: named.conf.ffmwu-zones.j2
dest: /etc/bind/named.conf.{{ item.domain_code }} dest: /etc/bind/named.conf.ffmwu-zones
owner: root owner: root
group: bind group: bind
mode: 0644 mode: 0644
notify: restart bind9 notify: restart bind9
loop: "{{ meshes }}"
- name: write initial icvpn bind config - name: write initial icvpn bind config
shell: /usr/bin/python3 /home/admin/clones/icvpn-scripts/mkdns -f bind -x mwu -x bingen -s /home/admin/clones/icvpn-meta > /etc/bind/named.conf.icvpn shell: /usr/bin/python3 /home/admin/clones/icvpn-scripts/mkdns -f bind -x mwu -x bingen -s /home/admin/clones/icvpn-meta > /etc/bind/named.conf.icvpn

28
roles/service-bind-slave/templates/named.conf.ffmwu-zones.j2 Normal file
View file

@ -0,0 +1,28 @@
//
// {{ ansible_managed }}
//
// ACLs
masters "ns-master-ffmwu" {
{{ dns_internal.master_ipv4 | ipaddr('address') }};
{{ dns_internal.master_ipv6 | ipaddr('address') }};
};
acl "internal" {
{% for network in internal_prefixes %}
{{ network.ipv4 | ipaddr('net') | ipaddr('network/prefix') }};
{{ network.ipv6 | ipaddr('net') | ipaddr('network/prefix') }};
{% endfor %}
};
// DNS forward zones
{% for zone in dns_internal.zones %}
zone "{{ zone }}." {
type slave;
file "{{ zone }}.db";
masters { ns-master-ffmwu; };
};
{% if not loop.last %}
{% endif %}
{% endfor %}

4
roles/service-bind-slave/templates/named.conf.j2
View file

@ -4,8 +4,6 @@
include "/etc/bind/named.conf.options"; include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.default-zones"; include "/etc/bind/named.conf.default-zones";
include "/etc/bind/named.conf.ffmwu-zones";
include "/etc/bind/named.conf.logging"; include "/etc/bind/named.conf.logging";
{% for mesh in meshes %}
include "/etc/bind/named.conf.{{ mesh.domain_code }}";
{% endfor %}
include "/etc/bind/named.conf.icvpn"; include "/etc/bind/named.conf.icvpn";

62
roles/service-bind-slave/templates/named.conf.mesh.j2
View file

@ -1,62 +0,0 @@
//
// {{ ansible_managed }}
//
// ACLs
masters "ns-master-{{ item.domain_code }}" {
{{ item.dns.master }};
};
{% if item.dns.forward_zones is defined %}
{% for zone in item.dns.forward_zones %}
{% if zone.master is defined %}
masters "ns-master-{{ zone.name }}" {
{{ zone.master }};
};
{% endif %}
{% endfor %}
{% endif %}
acl "intern-{{ item.domain_code }}" {
{{ item.ipv4_network | ipaddr('net') | ipaddr('network/prefix') }};
{% for prefix in item.ipv6_ula %}
{{ prefix | ipaddr('net') | ipaddr('network/prefix') }};
{% endfor %}
};
{% if item.dns.forward_zones is defined %}
// DNS forward zones for {{ item.domain_code }}
{% for zone in item.dns.forward_zones %}
zone "{{ zone.name }}." {
type slave;
file "{{ zone.name }}.db";
{% if zone.master is defined %}
masters { ns-master-{{ zone.name }}; };
{% else %}
masters { ns-master-{{ item.domain_code }}; };
{% endif %}
};
{% if not loop.last %}
{% endif %}
{% endfor %}
{% endif %}
// DNS reverse zones for {{ item.domain_code }}
zone "{{ item.ipv4_network | ipaddr('net') | ipaddr('revdns') }}" {
type slave;
file "{{ item.ipv4_network | ipaddr('net') | ipaddr('revdns') }}";
masters { ns-master-{{ item.domain_code }}; };
};
{% for prefix in item.ipv6_ula %}
zone "{{ prefix | ipaddr('net') | ipaddr('revdns') }}" {
type slave;
file "{{ prefix | ipaddr('net') | ipaddr('revdns') }}";
masters { ns-master-{{ item.domain_code }}; };
};
{% if not loop.last %}
{% endif %}
{% endfor %}

4
roles/service-bind-slave/templates/named.conf.options.j2
View file

@ -11,9 +11,7 @@ options {
allow-recursion { allow-recursion {
127.0.0.1; 127.0.0.1;
::1; ::1;
{% for mesh in meshes %} internal;
intern-{{ mesh.domain_code }};
{% endfor %}
}; };
allow-transfer { any; }; allow-transfer { any; };