roles/named: Deploy BIND DNS server

The *named* role configures the BIND DNS server on managed nodes. It
writes `/etc/named.conf`, using a template that supports most of the
commonly-used options. The configuration can be augmented with additional
files (for example, ones generated by other templates) by listing their paths
in the `named_options_include` or `named_global_include` variables, both of
which are lists.
Dustin 2018-01-07 11:26:03 -06:00
parent ac354643c5
commit b493d81cfa
6 changed files with 172 additions and 0 deletions


@ -0,0 +1,14 @@
named_listen:
- port: 53
addresses:
- 127.0.0.1
named_listen_v6:
- port: 53
addresses:
- ::1
named_allow_query:
- localhost
named_recursion: true
named_dnssec: true
named_dnssec_validation: true
named_options_include: '{{ named_default_options_include }}'
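Review bot: `named_global_include` has no default here, yet the named.conf template iterates it unconditionally in its final `{% for path in named_global_include %}` loop, and the fallback vars file in this commit does not define it either; with Ansible's default strict undefined handling the template task would fail on any host that does not set the variable. Adding `named_global_include: []` next to `named_options_include` makes the documented "both are lists" contract hold out of the box. If the variable is expected to come from an inventory or another role, a comment saying so would be the alternative.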


@ -0,0 +1,10 @@
- name: restart named
service:
name=named
state=restarted
- name: reload named
service:
name=named
state=reloaded
- name: save firewalld configuration
command: firewall-cmd --runtime-to-permanent
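Review bot: Both `service` handlers pass their arguments as `key=value` strings (`name=named` / `state=restarted`), while the `template` task in the tasks file uses a native YAML mapping; mixing the two forms in one role hurts readability and lint-ability. The mapping form, `service:` / `  name: named` / `  state: restarted`, is the idiomatic one. The same `key=value` form appears in the tasks file for the `package`, `template`, `service` and `firewalld` tasks.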


@ -0,0 +1,54 @@
- name: load distribution-specific values
include_vars: '{{ item }}'
with_first_found:
- '{{ ansible_distribution }}.yml'
- defaults.yml
tags:
- always
- name: ensure packages are installed
package:
name={{ named_packages|join(',') }}
state=present
tags:
- install
- name: ensure named is configured
template:
src: named.conf.j2
dest: /etc/named.conf
mode: '0640'
owner: root
group: named
validate: named-checkconf %s
notify: reload named
# TODO: What about other OS/init setups?
- name: ensure named environment variables are set
template:
src=named.sysconfig.j2
dest=/etc/sysconfig/named
mode=0644
when: ansible_os_family == 'RedHat'
notify: restart named
- name: ensure named starts at boot
service:
name=named
enabled=yes
- meta: flush_handlers
- name: ensure named is running
service:
name=named
state=started
- name: ensure firewall is configured for dns
firewalld:
service=dns
state=enabled
permanent=no
immediate=yes
notify: save firewalld configuration
when: host_uses_firealld|d(true)|bool
tags:
- firewalld
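Review bot: The `when` condition on the firewall task reads `host_uses_firealld`, which looks like a misspelling of `host_uses_firewalld` (the module and tag are both spelled `firewalld`); because of the `|d(true)` default, a host that sets the correctly spelled variable to false would still have the `firewalld` task run and fail where firewalld is absent. If the intended name is `host_uses_firewalld`, the line should read `when: host_uses_firewalld|d(true)|bool`; if the misspelled name is a convention shared with other roles, a comment noting that would prevent the next reader from "fixing" it.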


@ -0,0 +1,62 @@
{% macro yesno(val) %}{{ 'yes' if val|bool else 'no' }}{% endmacro %}
options {
{% for listen in named_listen %}
listen-on port {{ listen.port|d(53) }} {
{% for address in listen.addresses %}
{{ address }};
{% endfor %}
};
{% endfor %}
{% for listen in named_listen_v6 %}
listen-on-v6 port {{ listen.port|d(53) }} {
{% for address in listen.addresses %}
{{ address }};
{% endfor %}
};
{% endfor %}
directory "{{ named_directory }}";
dump-file "{{ named_dump_file }}";
statistics-file "{{ named_stats_file }}";
memstatistics-file "{{ named_memstats_file }}";
allow-query {
{% for match in named_allow_query %}
{{ match }};
{% endfor %}
};
recursion {{ yesno(named_recursion) }};
dnssec-enable {{ yesno(named_dnssec) }};
dnssec-validation {{ yesno(named_dnssec_validation) }};
managed-keys-directory "{{ named_managed_keys_dir }}";
pid-file "{{ named_pid_file }}";
session-keyfile "{{ named_session_keyfile }}";
{% if named_keytab is defined %}
tkey-gssapi-keytab "{{ named_keytab }}";
{% endif %}
{% for path in named_options_include %}
include "{{ path }}";
{% endfor %}
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
{% for path in named_global_include %}
include "{{ path }}";
{% endfor %}
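Review bot: `recursion` in the options block is gated only by `allow-query`, because the template emits no `allow-recursion` statement; an operator who widens `named_allow_query` to publish authoritative zones would at the same time open recursion to those clients and turn the server into an open resolver. Emitting `allow-recursion` from a separate variable keeps the two decisions apart, and defaulting that variable to `named_allow_query` preserves the current behaviour for existing users. Separately, `dnssec-enable` is, to my knowledge, deprecated in recent BIND releases and rejected outright by the newest ones, so the `named-checkconf` validation in the tasks file would fail there; consider emitting it conditionally or dropping it.
```jinja
    recursion {{ yesno(named_recursion) }};
{% if named_recursion|bool %}
    allow-recursion {
{% for match in named_allow_recursion|d(named_allow_query) %}
        {{ match }};
{% endfor %}
    };
{% endif %}
{# … unchanged: dnssec, path and include options … #}
```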


@ -0,0 +1,21 @@
# BIND named process options
# ~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# OPTIONS="whatever" -- These additional options will be passed to named
# at startup. Don't add -t here, enable proper
# -chroot.service unit file.
#
# NAMEDCONF=/etc/named/alternate.conf
# -- Don't use -c to change configuration file.
# Extend systemd named.service instead or use this
# variable.
#
# DISABLE_ZONE_CHECKING -- By default, service file calls named-checkzone
# utility for every zone to ensure all zones are
# valid before named starts. If you set this option
# to 'yes' then service file doesn't perform those
# checks.
# Work around to make TSIG-GSS dynamic updates work. Kerberos replaying is
# required in this scenario, but is rejected when a replay cache is used
KRB5RCACHETYPE=none
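Review bot: `KRB5RCACHETYPE=none` disables the Kerberos replay cache for named on every host the role manages, while the named.conf template only enables GSS-TSIG when `named_keytab` is defined; the comment above it says the workaround is needed only in that scenario. Guarding it the same way limits the loss of replay protection to hosts that actually use GSS-TSIG updates: `{% if named_keytab is defined %}` / `KRB5RCACHETYPE=none` / `{% endif %}`. Without that guard the file contains no Jinja at all, so it could equally be shipped with `copy` rather than `template`.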


@ -0,0 +1,11 @@
named_packages:
- bind
named_directory: /var/named
named_dump_file: '{{ named_directory }}/data/cache_dump.db'
named_stats_file: '{{ named_directory }}/data/named_stats.txt'
named_memstats_file: '{{ named_directory }}/data/named_mem_stats.txt'
named_managed_keys_dir: '{{ named_directory }}/dynamic'
named_pid_file: /run/named/named.pid
named_session_keyfile: /run/named/session.key
named_default_options_include:
- /etc/crypto-policies/back-ends/bind.config
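Review bot: This fallback vars file (apparently the `defaults.yml` that the `with_first_found` lookup in the tasks file falls back to) hardcodes Fedora/RHEL-style paths — `/var/named`, `/run/named/...` and `/etc/crypto-policies/back-ends/bind.config` — without saying so. On a distribution that has no per-distribution vars file and no crypto-policies directory, the `include` of that path would make `named-checkconf` reject the rendered configuration before it is installed. A header comment such as `# Fallback values; paths follow the Fedora/RHEL bind packaging layout` would make the limitation explicit to whoever adds the next distribution.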